Networking Question

I work out of coffee shops. It just depresses me to sit at home and not see a living soul all day besides the occasional house-mate.

There is one shop that really allows me to get into my zone. It might have something to do with the liquor license, the ping pong table and loud music. The problem is, they somehow blocked all non-web traffic on their wifi hotspot. Since my day primarily revolves around IRC, XMPP, SMTP and SSH, I really can’t sit there for too long before I need to find somewhere that will allow me to push my git changes.

So I thought I was being all clever when I set up OpenVPN on my private server and configured it to listen on TCP port 443. Does anyone have tips for tunneling arbitrary protocols through port 80/443? I thought the OpenVPN setup was especially nifty because it only required one NetworkManager click.

20 thoughts on “Networking Question”

  1. M Welinder says:

    If you run an ssh server there, you can proxy whatever you want.
    ssh is very good at that.

    1. Admittedly, I didn’t try putting ssh on port 80.

      It just seems a bit clunky in my mind; I’ll need to change all the settings in every app to localhost for tunneling, and assign a different port for each outside host. At least that is what I remember from last time I tried to SSH tunnel, a long time ago.

  2. Pete Johanson says:

    Eitan:

    You should be able to configure OpenVPN to make that tunnel be your default route, and then route all your traffic through your server then out to wherever it is bound for on the internet.

    Alternately, at least with CiscoVPNs, you can configure it to route specific IPs through the tunnel, so you could make well known IPs to services you use route through there. That’s more fragile and requires more upkeep to maintain, however.

  3. Sean says:

    Out of raw curiosity, have you bothered to ask the cafe staff if they’d open up the ports?

    Zingerman’s in Ann Arbor (best cafe in the world) started blocking ports last year, and I politely asked one of the owners if they’d open up at least SSH and XMPP, and he had his IT guy take care of it the next day.

    Most shops just block ports because their preconfigured software does it by default or because the IT staff is being paranoid, but these places are there to make money — if a restrictive firewall is driving away legitimate customers, they’ll generally be more than happy to oblige your needs.

  4. nona says:

    Route everything through your OpenVPN (DNS included), or maybe use your home as a SOCKS proxy through ssh -D?

  5. I use SSH on port 443 (generally not filtered). Then, I use LocalForward / ssh -L for pre-defined TCP tunnels, or DynamicForward / ssh -D for a socks proxy. You can configure that proxy in gnome preferences, and most gnome apps will use it.

  6. Cosimo Cecchi says:

    In those cases I usually set up an SSH server listening on port 80 on my home server; then I do `ssh -D 12345 my.server.addr` and launch `tsocks appname` for every application I need to use (you have to configure tsocks first to use localhost:12345 as SOCKS proxy). I also made a `gitssh` script that enables SOCKS proxying in git as well, so after I run it, every next git push is tunneled (I remember I found information on how to do this by googling for git socks proxy or something alike).

    1. Cosimo,

      Why are you still up?! I have a Good Idea(TM) for the spec. I’ll send you a WIP in progress now, and tomorrow I will work on it more.

  7. If you want to run an https server on the same port, newer versions of OpenVPN have a nice option to share the port:

    port 443
    port-share 127.0.0.1 8443

    and set an https server on port 8443, and so people inspecting your webserver will think that’s a simple https server. Maybe not useful in your case, but this can be handy imho.
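
Sharing port 443 between OpenVPN and HTTPS, or running SSH there as in the comments above, means something has to tell the protocols apart by the first bytes the client sends, and a network operator inspecting port 443 looks at the same bytes. The following Python sketch is an added example, not code from the post or from OpenVPN; the sample payloads are constructed, and the OpenVPN check is a simplified heuristic that only covers the classic V2 client reset opcode.

```python
import struct

# Opcode of the first packet an OpenVPN client sends over TCP. It sits in the
# top 5 bits of the opcode byte; the low 3 bits are the key id (0 at start).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT", b"OPTIONS")


def classify_first_bytes(data: bytes) -> str:
    """Label a TCP connection from the first bytes the client sends."""
    if len(data) < 3:
        return "need-more-data"
    # SSH: identification string "SSH-protoversion-software" (RFC 4253).
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS: record type 0x16 (handshake), major version 3, and handshake
    # type 0x01 (ClientHello) right after the 5-byte record header.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 6:
            return "need-more-data"
        return "tls" if data[5] == 0x01 else "unknown"
    # OpenVPN over TCP: 2-byte big-endian length prefix, then the opcode byte.
    # Heuristic: a V2 client reset is at least 14 bytes, high length byte zero.
    (length,) = struct.unpack("!H", data[:2])
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    if opcode == P_CONTROL_HARD_RESET_CLIENT_V2 and key_id == 0 and 14 <= length <= 255:
        return "openvpn"
    # Plain HTTP request line, as a port-80 listener would expect.
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "ssh on 443": b"SSH-2.0-OpenSSH_9.6\r\n",
    "https": bytes.fromhex("16030100c8010000c40303"),
    "openvpn tcp": b"\x00\x0e\x38" + bytes(8) + b"\x00" + bytes(4),
    "http": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
}


def classify_samples() -> dict:
    return {name: classify_first_bytes(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:12} -> {label}")
```

SSH on 443 identifies itself in cleartext in its first line, and OpenVPN's TCP framing does not resemble a ClientHello, so moving either to port 443 changes the port number but not what the traffic looks like.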

  8. Danielle says:

    If there is a proxy in the way, you can’t connect directly, but you can try Corkscrew.

  9. I’ve used ssh SOCKS5 proxy + tsocks for this kind of thing. Tsocks is nice in that it uses LD_PRELOAD, and so you don’t have to reconfigure all your apps to use a proxy.

  10. Benjamin Podszun says:

    If you don’t need it for much (a git push every now and then, when you’re happy with your progress): iodine (TCP over DNS).

    Pro:
    – damn easy to set up
    – gives you just another interface, no fiddling with applications
    – works in a lot of hotspot areas as well…

    Contra:
    – Slow, low bandwidth
    – Legal grey area, depending on service and country, I guess

    I wouldn’t want to live without it anymore.

  11. I figured it out! I was not doing anything wrong, it’s simply a routing issue with the host you are vpning through. A small tweak to the /etc/hosts file, and I am fine.

    So now I am using OpenVPN and the NetworkManager plugin. One mouse click and I am tunneled!
