Friday, January 28, 2011

Tunnelling over HTTP

Hello,

I have a network at work that is locked behind a firewall and Internet connection is available only by using a proxy server. At work, I can connect to databases that are distributed across the network.

However, at home, I cannot connect to the proxy server or the databases.

How can this be done? I can access my workstation via LogMeIn, so I can install anything on it.

I thought of installing some kind of tunneling mechanism in my workstation. Then, at home, I could connect to this mechanism, which would in turn do the required connections.

So essentially, what I'd like to do can be represented by the following diagram: Home => Workstation => Database. For example, whenever I connect to, say, 10.140.0.1:1234 at home, this would be redirected to 10.140.0.1:1234 of my Workstation, because 10.140.0.1:1234 is only available through the corporate network.

Note: I'm using Windows XP.

  • If you can get OpenSSH onto your workstation computer (say, with Cygwin's openssh package), you can use a proxy helper named corkscrew to enable the OpenSSH client to tunnel out through the proxy. Cygwin has a corkscrew package, so it's convenient to use if you already have Cygwin installed. Read the corkscrew man page for instructions on its configuration (I believe it's a simple one-line addition to /etc/ssh_config).

    Next, you'll need to make your home PC a viable endpoint for ssh client connections from the workstation, and for that, you need to be running an sshd daemon. Again, Cygwin is one place to get it: Install the openssh package, and then run the ssh-host-config script to create the sshd service. Accept the default answers to each of the config script's questions.

    Since your home PC is behind a NAT router (right?), forward TCP port 22 to your PC, and add that port as an exception to your PC's firewall. This is a security risk, so take appropriate precautions (left as an exercise).

    Finally, to create a tunnel to transport connections to your corporate database from your home PC: Login to your workstation (via LogMeIn), and open a tunnel back to your home PC, as follows (in a Cygwin bash shell):

    ssh -N -R 1234:10.140.0.1:1234 username@xxx.xxx.xxx.xxx

    where username is the name of the user to connect to your sshd server, and xxx.xxx.xxx.xxx is the real, routable IP address of your home router. Any connections you make to localhost:1234 on your home PC will be forwarded over the tunnel to 10.140.0.1:1234, and thus it will appear as though the corporate database is listening on your home PC's TCP port 1234. When you're done, you can close the tunnel by killing the ssh command on your workstation with a Ctrl-C.

    Morgan : Thank you very much for the detailed answer. I did the following: 1) Installed Cygwin with `openssh` at my *Home PC*; 2) Installed an SSH client (`putty`) at my *Workstation*, and configured it to do the equivalent of your `ssh` command and `corkscrew`, i.e., configured the proxy, and remote tunnel (R1234 => 10.140.0.1:1234). I can connect from `Workstation` to my `Home PC's` SSH server. However, when I attempt to login to the database from my Home PC (using localhost:1234), I get an I/O exception. If I try to use `ssh -v -p 1234 localhost` I get `Connection Established` and an error.
    Morgan : The error is `ssh_exchange_identification: Connection closed by remote host`. I searched for this error, and everyone suggests problems with /etc/hosts.allow|deny, but I don't even have these files at Cygwin. Do you know how to fix this problem? Thanks.
    Steven Monai : Unless the server at 10.140.0.1:1234 is an sshd daemon, using the ssh client on your home PC is not a useful way to test the tunnel. Try something simpler, like `telnet localhost 1234` or `nc localhost 1234`.
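Added example, not code from the original thread: a small Python probe in the spirit of Steven Monai's advice to test the tunnel with something simpler than the ssh client. It connects to the home-side end of the `ssh -R` tunnel with plain TCP and classifies the result, distinguishing "nothing listening" (tunnel down) from "accepted then closed with no data" (tunnel up, but the workstation could not reach 10.140.0.1:1234, which is what produces the `ssh_exchange_identification` symptom). The listener (`fake_tunnel_end`) and the ports it uses are constructed stand-ins so the check runs offline; against a real tunnel you would call `probe_tunnel(port=1234)`.

```python
import socket
import threading
import time

# Classification of what a plain TCP connect to the home end of the tunnel shows.
REFUSED = "refused"  # nothing listening on localhost:1234: the ssh -R session is down
CLOSED = "closed"    # accepted then closed without data: the tunnel is up, but the
                     # workstation could not reach 10.140.0.1:1234 (sshd closes the local
                     # side when the forwarded connect fails); this is the same symptom
                     # the ssh client reports as "Connection closed by remote host"
BANNER = "banner"    # bytes arrived: the full Home => Workstation => Database path works
SILENT = "silent"    # accepted, nothing sent within the timeout: normal for protocols
                     # where the client speaks first, so not by itself a failure

def probe_tunnel(host="127.0.0.1", port=1234, timeout=2.0):
    """Connect to the local end of a reverse tunnel and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return SILENT, b""
            return (BANNER, data) if data else (CLOSED, b"")
    except ConnectionRefusedError:
        return REFUSED, b""

def free_port():
    """Pick a loopback port nothing listens on (constructed helper for the demo)."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]

def fake_tunnel_end(behaviour, hold=1.0):
    """Constructed stand-in for sshd's forwarded listener; returns the port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        if behaviour == "banner":          # remote database answered with a greeting
            conn.sendall(b"constructed-db-greeting\r\n")
        elif behaviour == "hold":          # remote end reachable but waits for the client
            time.sleep(hold)
        conn.close()                       # any other behaviour: forwarded connect failed
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```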
