How I bypassed firewall protocol filters.

Mert Akengin
mert’s blog
3 min read · Oct 27, 2015

Some public networks block well-known ports for security reasons. Some go even further and use “Deep Packet Inspection”, a.k.a. “DPI”, to limit network access. The protocols affected are generally SMTP (mail), SSH and IRC.

The easiest way to work around this is to use a VPN. Another way is Tor, since it exposes a SOCKS proxy out of the box and most clients (even operating systems themselves) support it natively.

The problem with Tor is that many hops are made to mask your identity, which adds latency on its own. And since exit node addresses are publicly known, service providers ban them to prevent spam.

[Image: ssh configuration proxying *.onion hosts through Tor]

You can configure your SSH client so that it reaches all *.onion hosts through Tor’s SOCKS gateway. You also need to configure a Hidden Service, the term for services that are exposed to the Tor network itself.

Since I had my own VPS (a DigitalOcean VM), I wanted to use it instead, for these reasons:

  • Reliable connection
  • Low latency
  • Static IP address, that is not banned from IRC networks

But I realized that, even though the connection works over 3G mobile data, it times out when I try to connect via the university Wi-Fi.

To test it, I used the following command (1.2.3.4 is my server’s public IP):

$ nc -v 1.2.3.4 22

This did not return anything and just kept waiting forever. So I thought it must be a “blocked port” issue, where packets are being dropped by the gateway/firewall.

So I added port 443 to the server’s sshd_config and tried to connect with netcat again. The same thing happened: no results.

I knew at that point that 443 was not being blocked, since we all have access to regular services over HTTPS.

Then, to inspect, I fired up Wireshark and looked at what goes on in a successful handshake. First, the server sends its identification string:

SSH-2.0-OpenSSH_6.7p1 Debian-5

Then the client responds with its own:

SSH-2.0-OpenSSH_6.2

If I open a connection to the server with netcat, I see the first line on mobile data, but I don’t see it on Wi-Fi.

Then I realized the firewall must be inspecting packet content to decide whether to allow or deny further transmission. This is called DPI (deep packet inspection), and many firewalls ship a crafted set of regular expressions to recognize a multitude of protocols.

So I converted SSH to an inetd-compatible daemon using this script:

#!/bin/bash
echo "who are you?"
read x   # wait for the client to reply with any line
/usr/sbin/sshd -i   # hand the connection over to sshd in inetd mode
exit
# inetd.conf line (remove the leading # when adding it):
#8000 stream tcp nowait root /bin/bash bash /path/to/script

And this is for your ssh_config:

Host yourhostname
    CheckHostIP no
    Compression yes
    Protocol 2
    ProxyCommand bash -c 'echo "ssh"; cat -;' | nc %h %p | { read x; cat -; }

This way, before the SSH handshake, the server sends “who are you?” and waits for a reply. The client sends “ssh” (although what is sent does not matter); the rest of the stream is passed through to the SSH daemon and the SSH client respectively.

By making the first two packets something outside the firewall’s blocked patterns, I was able to make a direct SSH connection to my VPS on DigitalOcean.
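From the other side of the gateway, the lesson of this post is that an SSH signature anchored at byte 0 of the stream is easy to miss. The following Python script is an added example, not code from the post or from any firewall product: it builds constructed sample streams (plain SSH, the preamble-wrapped SSH exchange described above, and a truncated TLS ClientHello), runs an offset-0 classifier of the kind the post ran into, and then a line-scanning classifier that looks for the RFC 4253 identification string anywhere in the first kilobyte. RFC 4253 section 4.2 permits the server to send extra lines before its version string but says nothing of the kind for the client, so a client-side preamble is a useful thing to flag. Function names, the 1024-byte window and the sample bytes are all assumptions made for this example.

```python
import re

# --- Constructed sample streams (not captures from the post) ---------------
# First bytes a gateway would see on a connection, split by direction.
PLAIN_SSH_S2C = b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"   # server -> client
PLAIN_SSH_C2S = b"SSH-2.0-OpenSSH_6.2\r\n"               # client -> server
# The preamble exchange from the post: the server asks a question first, the
# client answers with an arbitrary line, and only then do the real SSH
# identification strings follow.
WRAPPED_SSH_S2C = b"who are you?\n" + PLAIN_SSH_S2C
WRAPPED_SSH_C2S = b"ssh\n" + PLAIN_SSH_C2S
# A TLS record header (type 0x16 = Handshake, version 3.1) followed by the
# start of a ClientHello (0x01). Truncated: only the header matters here.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

# RFC 4253 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
SSH_ID_LINE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)(?: ([^\r\n]*))?\r?\n")
MAX_PREAMBLE = 1024  # assumed window: how far into the stream we look for the banner


def is_tls_record(first_bytes: bytes) -> bool:
    """Handshake content type plus a 3.x legacy version is enough for a first cut."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def classify_naive(first_bytes: bytes) -> str:
    """Offset-0 matching, the behaviour the post ran into: the SSH pattern must
    match at the very first byte of the stream or the flow is 'unknown'."""
    if is_tls_record(first_bytes):
        return "tls"
    if SSH_ID_LINE.match(first_bytes):
        return "ssh"
    return "unknown"


def classify_deep(first_bytes: bytes, direction: str) -> dict:
    """Scan line by line through the first MAX_PREAMBLE bytes for an SSH
    identification string. direction is 'c2s' or 's2c'."""
    if is_tls_record(first_bytes):
        return {"proto": "tls", "preamble_lines": 0, "note": ""}
    lines = first_bytes[:MAX_PREAMBLE].split(b"\n")
    for i, line in enumerate(lines):
        if SSH_ID_LINE.match(line + b"\n"):
            note = ""
            if i > 0 and direction == "c2s":
                # Only the server may send extra lines before its banner (RFC 4253 4.2);
                # a client that does so is not behaving like a standard SSH client.
                note = "client sent data before its SSH identification string"
            elif i > 0:
                note = "server sent extra lines before its identification string (allowed by RFC 4253 4.2)"
            return {"proto": "ssh", "preamble_lines": i, "note": note}
    return {"proto": "unknown", "preamble_lines": 0, "note": ""}


def connection_verdict(c2s: bytes, s2c: bytes) -> dict:
    """Combine both directions the way a flow logger would, so the wrapped
    connection shows up as SSH with a client-side preamble worth alerting on."""
    client = classify_deep(c2s, "c2s")
    server = classify_deep(s2c, "s2c")
    proto = client["proto"] if client["proto"] != "unknown" else server["proto"]
    return {
        "proto": proto,
        "naive_proto": classify_naive(s2c),
        "client_preamble_lines": client["preamble_lines"],
        "server_preamble_lines": server["preamble_lines"],
        "suspicious": client["preamble_lines"] > 0,
    }


if __name__ == "__main__":
    for name, c2s, s2c in [
        ("plain ssh", PLAIN_SSH_C2S, PLAIN_SSH_S2C),
        ("wrapped ssh", WRAPPED_SSH_C2S, WRAPPED_SSH_S2C),
        ("tls", TLS_CLIENT_HELLO, b""),
    ]:
        print(name, connection_verdict(c2s, s2c))
```

Run it and the wrapped connection comes out as `naive_proto: unknown` (which is exactly why the university gateway let it through on 443) but `proto: ssh, suspicious: True` under the deeper scan. The practical takeaway for a gateway operator is to match the identification line anywhere in the first few hundred bytes of each direction, and to treat client-side bytes ahead of the banner as an anomaly rather than as "not SSH".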
