Tunneling HTTPS and SSH traffic via port 53

A small guide on how to tunnel traffic over SSH using port 53 on Linux.

I got a new ADSL line, which came with some problems. The line drops all outbound connections except traffic to ports 80 (HTTP) and 53 (DNS). This basically means that SSH, ping, traceroute, IMAP and HTTPS do not work.

SSH, HTTPS and IMAP connections are the most important to me, so that I can access remote servers, get email and use, for example, Google search or Facebook.

The really funny part of this is that all incoming connections work well. I can ssh to my home server from the internet, but not the other way around.

Link speed is moderate, but a great speedup after using a mobile connection for years.

Troubleshooting

curl times out when trying to access Google over HTTPS:

root@saturn:~# curl -v https://www.google.com  
* About to connect() to www.google.com port 443 (#0)
*   Trying 180.180.250.183... Timeout
*   Trying 180.180.250.187... Timeout
*   Trying 180.180.250.167... Timeout

While trying to debug, I found hping3, a handy tool to check the status of a port:

root@saturn:~# hping3 -S -p 80 www.google.com
HPING www.google.com (eth1 180.180.250.182): S set, 40 headers + 0 data bytes
len=46 ip=180.180.250.182 ttl=61 DF id=0 sport=80 flags=SA seq=0 win=14600 rtt=43.9 ms
len=46 ip=180.180.250.182 ttl=61 DF id=0 sport=80 flags=SA seq=1 win=14600 rtt=40.1 ms
len=46 ip=180.180.250.182 ttl=61 DF id=0 sport=80 flags=SA seq=2 win=14600 rtt=36.1 ms

hping3 to the SSL port (443) of www.google.com works for a moment:

root@saturn:~# hping3 -S -p 443 www.google.com
HPING www.google.com (eth1 180.180.250.118): S set, 40 headers + 0 data bytes
len=46 ip=180.180.250.118 ttl=61 DF id=0 sport=443 flags=SA seq=0 win=14600 rtt=41.8 ms
len=46 ip=180.180.250.118 ttl=61 DF id=0 sport=443 flags=SA seq=1 win=14600 rtt=44.2 ms
len=46 ip=180.180.250.118 ttl=61 DF id=0 sport=443 flags=SA seq=2 win=14600 rtt=43.4 ms

And the next minute it fails:

root@saturn:~# hping3 -S -p 443 www.google.com
HPING www.google.com (eth1 180.180.250.118): S set, 40 headers + 0 data bytes
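The curl and hping3 output above show the two things worth telling apart when a line misbehaves: a SYN that gets a SYN-ACK (the port answers), a SYN that gets a RST (the port is refused, curl would say "connection refused"), and a SYN that simply disappears (curl reports a timeout, hping3 prints no reply lines at all). The following script is an added example, not part of the original post, that classifies outbound ports from your own machine that way. It relies on bash's /dev/tcp pseudo-device and coreutils `timeout`, which exits with status 124 when it has to kill the child; the function names, the timeout and the port list are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example: classify outbound TCP ports as open / closed / filtered
# from the machine behind the filtered line.
# Assumes bash (for /dev/tcp) and coreutils `timeout`; hosts/ports are constructed.

# Map the exit status of a connect attempt to a verdict.
#   0   -> open     (TCP handshake completed)
#   124 -> filtered (timeout: the SYN was silently dropped, as on the ADSL line here)
#   any other non-zero -> closed (connection refused, a RST came back)
classify_status() {
    case "$1" in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# probe_port HOST PORT [TIMEOUT_SECONDS] -> prints open/closed/filtered
# bash's /dev/tcp has no connect timeout of its own (the kernel retries the SYN
# for minutes), so the attempt is wrapped in `timeout`.
probe_port() {
    local host=$1 port=$2 tmo=${3:-3} status
    if timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# probe_ports HOST PORT... -> one line per port, e.g. "443 filtered"
probe_ports() {
    local host=$1 p
    shift
    for p in "$@"; do
        printf '%s %s\n' "$p" "$(probe_port "$host" "$p")"
    done
}

# Usage (guarded so the functions can be sourced without running anything):
if [ "${1:-}" = "--run" ]; then
    # Constructed example: the ports this post cares about.
    probe_ports www.google.com 80 443 53 22
fi
```

Run it as `bash probe.sh --run`. On the line described in this post you would expect 80 and 53 to come back `open` and 443 and 22 to come back `filtered`; a `closed` verdict would instead mean something is actively rejecting the connection, which is a different problem.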

Solution using sshuttle (temporary)

There were two options to overcome the problem: use a VPN, or use an SSH tunnel. sshuttle seemed to be the quick and easy solution for now. As I had only two ports available and port 80 was already in use, the only option was to use port 53, which is normally used by DNS.

Setting up SSH tunnel, using open port 53

Set up sshd on the EC2 server to answer on port 53 by adding a "Port 53" line to the /etc/ssh/sshd_config file. Restart the ssh service afterwards:

echo 'Port 53' >> /etc/ssh/sshd_config

/etc/init.d/ssh restart

Allow incoming traffic to port 53 by adding a custom rule to the EC2 security group.

Install and use sshuttle to tunnel all traffic, excluding the local network, to the EC2 server using port 53:

apt-get install sshuttle

sshuttle -r username@EC2servername.com:53 0/0 -x 192.168.1.0/24
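Two details of the sshd step deserve a check before the restart. sshd listens on 22 only while the config has no Port directive at all; as soon as one exists it listens on the listed ports exclusively, so appending "Port 53" to a file that does not already carry an explicit "Port 22" line leaves you with a server reachable only on 53. Also, sshd cannot bind 53 if a local resolver already listens there, and the security group rule needs to cover TCP 53 since SSH is TCP. The script below is an added example (not the post's own commands) that makes the same change idempotently, keeps port 22, and validates the config before restarting. The functions take the config path as an argument so they can be tried on a copy; the function names and the rollback copy are this example's assumptions, the paths are the post's.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enable a second sshd port safely.
# Assumes an OpenSSH server on a Debian/Ubuntu style system with iproute2's `ss`.

# ensure_port CONFIG PORT: append "Port PORT" to CONFIG unless an uncommented
# "Port PORT" line is already there. Prints 1 if the file changed, 0 otherwise,
# so the caller knows whether a restart is needed.
ensure_port() {
    local cfg=$1 port=$2
    if grep -Eq "^[[:space:]]*Port[[:space:]]+$port[[:space:]]*$" "$cfg"; then
        echo 0
    else
        printf 'Port %s\n' "$port" >> "$cfg"
        echo 1
    fi
}

# listed_ports CONFIG: print the ports sshd will listen on according to CONFIG,
# one per line. No Port directive means the implicit default, 22.
listed_ports() {
    local cfg=$1 ports
    ports=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" | awk '{print $2}')
    if [ -z "$ports" ]; then
        echo 22
    else
        printf '%s\n' $ports
    fi
}

# add_tunnel_port CONFIG PORT: add PORT without dropping the implicit default.
# If the file has no Port directive yet, "Port 22" is written first; otherwise
# the new directive would become the only port sshd listens on.
add_tunnel_port() {
    local cfg=$1 port=$2
    if ! grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        ensure_port "$cfg" 22 >/dev/null
    fi
    ensure_port "$cfg" "$port"
}

# Usage, run as root on the EC2 server:
if [ "${1:-}" = "--apply" ]; then
    cfg=/etc/ssh/sshd_config
    cp -a "$cfg" "$cfg.bak"                         # copy to roll back to
    if ss -ltn 2>/dev/null | grep -q ':53 '; then   # a local resolver would block the bind
        echo "something already listens on TCP 53" >&2; exit 1
    fi
    changed=$(add_tunnel_port "$cfg" 53)
    listed_ports "$cfg" | grep -qx 22 || { echo "refusing: port 22 would be lost" >&2; exit 1; }
    sshd -t -f "$cfg" || { cp -a "$cfg.bak" "$cfg"; exit 1; }   # syntax check, roll back on failure
    [ "$changed" = 1 ] && /etc/init.d/ssh restart
fi
```

Run it as `bash sshd-port53.sh --apply`. Keep an existing SSH session open while you do this; if the restart goes wrong, that session is what you use to restore the backup.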

 
Testing with curl:

* About to connect() to www.google.com port 443 (#0)
*   Trying 180.180.250.163... connected
 
Further checking the network traffic on the EC2 server with jnettop:
ip-10-130-55-55.ap-southeast-1.compute.internal <-> node-ejl.pool-118-55.dynamic.totbb.net      629b/s   88b/s   717b/s
 10.130.55.55                            53    TCP  118.173.73.55                        14855     283K   39.7K     322K
 
ip-10-130-55-55.ap-southeast-1.compute.internal <-> mx-ll-180.183.213-55.dynamic.3bb.co.th      263b/s  288b/s   551b/s
 10.130.55.55                            80    TCP  180.183.213.109                      64984    1.03K   1.13K    2.16K
  GET /sites/all/themes/acquia_marina/images/drop-bottom.png
 
==> The connection works! Well, ping and traceroute do not, but at least I can now use Google, Picasa and Facebook and send and receive email.

Limiting the traffic to EC2 by not routing normal HTTP traffic there 

At this point all outgoing traffic from my laptop was routed to the Amazon EC2 server in Singapore. However, I have to pay for the server traffic, and it's not wise to route everything there, so the next step was to set up a transparent proxy on my home server. I selected squid3 to do the job.

Installing and setting up the squid3 transparent proxy on the home server:

apt-get install squid

Edit /etc/squid3/squid.conf to allow traffic from the local network:

acl localhost src 127.0.0.1/32 ::1 192.168.1.0/24

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 192.168.1.0/24
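The two acl lines above widen squid's built-in localhost ACLs to cover the home LAN, which works because the stock config already has "http_access allow localhost". What matters for safety is that the http_access list still ends with "deny all": squid takes the first matching http_access line, so a rule appended after the catch-all deny never fires, and an "allow all" anywhere turns the box into an open proxy for whatever can reach port 3128. The script below is an added example, not the post's config. It writes the equivalent rules using squid's conventional localnet ACL and statically checks a squid.conf for those two mistakes; the function names and the output path are this example's assumptions, the 192.168.1.0/24 network is the post's.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a LAN-only squid ACL fragment plus
# a static check that the resulting config is not an open proxy.

# write_lan_acl FILE: write the access rules this setup relies on, using squid's
# conventional localnet ACL instead of widening the built-in localhost one.
write_lan_acl() {
    cat > "$1" <<'EOF'
# Clients allowed to use the proxy: the box itself and the home LAN
acl localnet src 192.168.1.0/24
http_access allow localhost
http_access allow localnet
# Order matters: squid uses the first matching http_access line, so the
# catch-all deny must stay last.
http_access deny all
EOF
}

# http_access_lines FILE: print the effective http_access rules, comments
# stripped and whitespace normalised, in file order.
http_access_lines() {
    sed -E -e 's/#.*//' -e 's/[[:space:]]+/ /g' -e 's/^ //' -e 's/ $//' "$1" \
        | grep '^http_access '
}

# check_not_open_proxy FILE: succeed only when no rule allows everyone and the
# last http_access rule is "deny all". Prints the reason on failure.
check_not_open_proxy() {
    local rules last
    rules=$(http_access_lines "$1")
    if printf '%s\n' "$rules" | grep -q '^http_access allow all$'; then
        echo "open proxy: 'http_access allow all' present" >&2
        return 1
    fi
    last=$(printf '%s\n' "$rules" | tail -n 1)
    if [ "$last" != "http_access deny all" ]; then
        echo "open proxy risk: last rule is '${last:-<none>}', not 'http_access deny all'" >&2
        return 1
    fi
    return 0
}

# Usage on the home server (paths are assumptions):
#   write_lan_acl lan-acl.conf        # then merge the rules into /etc/squid3/squid.conf
#   check_not_open_proxy /etc/squid3/squid.conf && squid3 -k parse && squid3 -k reconfigure
```

The check is deliberately simple (it does not evaluate ACL definitions), but it catches the common way a home proxy ends up open: someone appends an allow rule after "deny all", sees it has no effect, and "fixes" it with "allow all".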

Change the Chromium browser to use the home server's squid3 as its HTTP proxy:

chrome://settings/ -> Advanced -> Change Proxy settings


Voilà: HTTPS traffic goes via the EC2 server and normal HTTP traffic goes directly.

Caching ubuntu / debian packages

One more step to keep the traffic to the EC2 server as minimal as possible. I had actually done this earlier, as for years I had only a mobile (CDMA and currently HSPA) connection to the internet. I'm using apt-cacher-ng to cache Ubuntu packages. This way, when one computer fetches a package, the others can get it from the local cache. Great software for limiting bandwidth usage as well as speeding up upgrade and installation processes.

In my setup the home server is not tunneled, so outgoing traffic from this server does not go via the EC2 server.

Setting up apt-cacher-ng

Using apt-cacher-ng to cache Ubuntu packages on the home server.

Install apt-cacher-ng on the home server (192.168.1.17):

apt-get install apt-cacher-ng

On the client side (the apt-cacher-ng server itself should also act as a client):

Create the file /etc/apt/apt.conf.d/02proxy and add the line:

Acquire::http { Proxy "http://192.168.1.17:3142"; };

Then try it out:

apt-get update ; apt-get upgrade

Links:

Sshuttle examples

http://teohm.github.io/blog/2012/04/01/using-sshuttle-in-daily-work/

Squid3 Transparent proxy

http://www.ubuntugeek.com/how-to-setup-transparent-squid-proxy-server-in-ubuntu.html

http://paulwright.id.au/?p=1126