Thursday, February 14, 2013

Bypassing Firewalls Part 2: stunnel

In my last post I covered an SSH tunnel, and hopefully it made sense. In this post I'm going to expand on that method by adding an SSL tunnel. We'll use the SSL tunnel to get through web proxies, like WebSense.

What you'll need:
A Linux server running something like OpenSSH Server.
Stunnel installed on the server and the client.
A client machine.

A quick note about stunnel. I know that it's broken in Ubuntu 12.04 LTS, as of today. So you'll either have to compile it yourself or download a good version.


We'll start with the server configuration. Make sure you have openssl installed; 'which openssl' will show you whether you have it.

Create a certificate for your stunnel server (the command below writes the private key and the certificate into the same stunnel.pem file, which is the format stunnel expects):
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

Create a config file for stunnel, here is what mine looks like:


cert=stunnel.pem
sslVersion = SSLv3
pid=/tmp/stunnel.pid
[stunnel443]
accept = 10.1.1.5:443
connect = 10.1.1.5:22

The IP address in connect and accept is the IP of eth0 on the server, which is inside a NAT'd network. Next we'll run stunnel using this new config (I saved mine as server443). This needs to be run with root privileges:

stunnel server443

If there are no errors it simply returns you to the prompt without printing anything. You can test the connection with openssl:
openssl s_client -connect localhost:443


It should print the certificate and session details, and then the SSH banner at the end. Just hit enter and it'll say protocol mismatch, and drop you back to the CLI.

Next we'll configure the client.

Create another config file:


sslVersion = SSLv3
pid=/tmp/stunnelclient.pid
#foreground=yes
client=yes
[21222]
accept=21222
connect=<remote ip>:443

Replace <remote ip> with your server's IP or hostname. You can change the accept port if you want; you just have to remember what it is. Save the file as client443.
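Both the server config above and this client config use stunnel's INI-style layout: global options first, then one [name] block per service. The following is an added example, not code from the post or from the stunnel project, that parses that layout and flags the settings a reviewer would want caught in either file: sslVersion = SSLv3 is obsolete (current stunnel releases accept TLSv1.2 and newer), a client config with no verify= option never checks the server's certificate, and a connect= target left as the <remote ip> placeholder. It also includes the check behind the openssl s_client test above, recognising an SSH identification string (RFC 4253) arriving inside a TLS session, which is the signal a monitoring team would use to tell SSH-over-443 from ordinary HTTPS. The two sample configs are copied from this post; the lint rules and function names are my own assumptions.

```python
import re

# Constructed samples: the two config files from this post, verbatim.
SERVER_CONF = """\
cert=stunnel.pem
sslVersion = SSLv3
pid=/tmp/stunnel.pid
[stunnel443]
accept = 10.1.1.5:443
connect = 10.1.1.5:22
"""

CLIENT_CONF = """\
sslVersion = SSLv3
pid=/tmp/stunnelclient.pid
#foreground=yes
client=yes
[21222]
accept=21222
connect=<remote ip>:443
"""

# Protocol versions with known weaknesses; a lint finding, not a hard error.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# RFC 4253 identification string: "SSH-protoversion-softwareversion ..."
SSH_BANNER = re.compile(rb"^SSH-\d\.\d+-")


def parse_stunnel_conf(text):
    """Parse stunnel's INI-like format.

    Returns (global_opts, services): options before the first [section]
    are global; each [name] section holds that service's own options.
    Blank lines and lines starting with '#' or ';' are comments.
    """
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return global_opts, services


def lint_stunnel_conf(text):
    """Return a list of human-readable findings for one config file."""
    findings = []
    g, services = parse_stunnel_conf(text)

    version = g.get("sslVersion")
    if version in WEAK_VERSIONS:
        findings.append(f"sslVersion={version} is obsolete; use TLSv1.2 or newer")

    is_client = g.get("client", "no").lower() == "yes"
    if not is_client and "cert" not in g:
        findings.append("server mode without cert=; stunnel has no certificate to present")
    if is_client and "verify" not in g:
        findings.append("client mode without verify=; the server certificate is never checked")

    for name, opts in services.items():
        for key in ("accept", "connect"):
            if key not in opts:
                findings.append(f"[{name}] is missing {key}=")
        target = opts.get("connect", "")
        if "<" in target or ">" in target:
            findings.append(f"[{name}] connect={target} is an unfilled placeholder")
    return findings


def looks_like_ssh(first_bytes):
    """True if the first bytes read inside a TLS session are an SSH banner,
    i.e. the TLS listener on this port is fronting an SSH server."""
    return bool(SSH_BANNER.match(first_bytes))


if __name__ == "__main__":
    for label, conf in (("server443", SERVER_CONF), ("client443", CLIENT_CONF)):
        print(label)
        for finding in lint_stunnel_conf(conf):
            print("  -", finding)
    print("banner check:", looks_like_ssh(b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"))
```

Run it as-is to lint the two sample files; pass your own file's contents to lint_stunnel_conf() to check a real config. The placeholder check is deliberate: an unedited <remote ip> is the most common reason the client side silently fails to connect.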

Next run this command with root privileges:
stunnel client443

Now try to ssh:
ssh -p 21222 localhost

If all goes well, you should now be connected to your remote server. Please review my previous post on configuring a proxy with ssh, and how to set up Firefox to use it.
