In one of past articles I’ve described how to use HTTP CONNECT method to tunnel other protocols through a proxy. It worked for me for various protocols ( mainly email access IMAP, SMTP), but recently it stopped working for SSH protocol. After some investigation I’ve found that proxy is checking what protocol it is tunnelling through and expects it to be SSL/TLS. If it is anything else, proxy closes connection with an error. It still worked for mail protocols, because they were already wrapped in SSL. But to be still able to use SSH through proxy some more sophisticated setup was needed – tunnelling SSH through SSL protocol, which is then tunnelled via HTTPS proxy ( HTTP CONNECT method). Below I describe a setup, which works for me.
All tools could be installed from Ubuntu/Debian repositories via apt-get.
stunnel4 – is a program that can wrap/unwrap any connection into/from SSL protocol
openssl – SSL utilities and SSL client
proxytunnel – utility to tunnel connection through HTTPS proxy
On SSH server we have to install stunnel4 and openssl and configure it to accept SSL on some port and forward then unencrypted connection to local SSH server:
sudo apt-get install stunnel4 #generate key - we are not interested very much in security so can use rather minimal settings openssl req -newkey rsa:1024 -sha1 -days 3650 -keyout stunnel.key -nodes -x509 -out stunnel.crt cat stunnel.crt stunnel.key > stunnel.pem sudo cp stunnel.pem /etc/stunnel/ #enable stunnel - set ENABLED=1 sudo nano /etc/default/stunnel4 #edit configuration - see below sudo nano /etc/stunnel/stunnel.conf #and start stunnel server sudo service stunnel4 start
Here is configuration file stunnel.conf:
pid = /var/run/stunnel.pid cert = /etc/stunnel/stunnel.pem [ssh] accept = 192.168.1.110:2222 connect = 127.0.0.1:22
On Client Behind Proxy
We need to install
proxytunnel here. Then following command will connect us to remote SSH server via HTTPS proxy:
ssh -o "ProxyCommand /usr/bin/proxytunnel -v -p proxy_host:port -d ssh_server_host:2222 -e" user@ssh_server_host
And we can add proxy configuration to ~/.ssh/config:
Host ssh_server_host ProxyCommand /usr/bin/proxytunnel -v -p proxy_host:port -d ssh_server_host:2222 -e
And then connect easily just with short ssh command: