
Secure tunnelling

This took some doing. There is a lot of information around on the web that proves the concept, but I never found a howto explaining exactly this situation:

CNTLM Proxy -> Kerberos Auth SSL Proxy -> mod_proxy -> SSH


Corporates love blocking websites and non-standard port communication. This becomes a pain if you're managing servers on the outside on port 22 or any other service that isn't on 443 or 80. This setup allows you the freedom to go wherever you want without the knowledge of big brother.


The CNTLM proxy is required to authenticate against the Kerberos Auth proxy if the machine you're tunnelling out through is not part of the enterprise domain you're trying to tunnel out of. You still require an authorised account to be able to do this kind of tunnel, getting an account is outside of the scope of this howto.


CNTLM Proxy runs on both Windows and Linux and it works great, I've been using it for years in corporates. You can find it at . Configure CNTLM with the domain id required to get internet access and the upstream proxy inside the LAN you're tunnelling through.


At this point you should be able to get to (HTTP/HTTPS) sites that aren't blocked by the corporate proxy.


Now you need a Linux server outside of the LAN, I run a few at home and a couple of VPSs around the world. They're cheap and work great. You will be running SSH and Apache with mod_proxy enabled on this server. 


A simple Apache configuration for this setup:

I am not including a howto on how to generate and configure your certificates in Apache, there are myriad tutorials on the web for this.

        # The enclosing VirtualHost and Proxy tags did not survive the page's rendering and are restored here.
        <VirtualHost *:443>
                ServerAdmin webmaster@localhost
                DocumentRoot /var/www/html
                SSLEngine on
                SSLCertificateFile /etc/apache2/ssl/apache.crt
                SSLCertificateKeyFile /etc/apache2/ssl/apache.key
                ProxyBadHeader Ignore
                SSLProxyEngine on
                # Forward-proxy mode is what makes mod_proxy accept CONNECT requests
                ProxyRequests On
                # Only allow CONNECT to port 22 (sshd); list further ports here if you need them
                AllowConnect 22
                <Proxy *>
                    # Apache 2.2 syntax; on 2.4 use "Require all granted" instead.
                    # As written, anyone who can reach this vhost may open a tunnel to port 22,
                    # so restrict this to your own addresses or add authentication if the host is exposed.
                    Order deny,allow
                    Allow from all
                </Proxy>
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
        </VirtualHost>


The configuration above will allow you to connect to port 22 on the same machine via mod_proxy. This is the default port of SSH, and if you installed SSH with defaults this will work just fine. Bear in mind that with ProxyRequests On and Allow from all, anyone who can reach your Apache server on 443 can also open a CONNECT tunnel to port 22 on it (nothing else, thanks to AllowConnect 22), so you are relying on sshd's own authentication; tighten the Proxy block if that bothers you.


The last bit is simply configuring your SSH client to use ProxyTunnel to bounce through the hoops above and get you a nice dynamic SOCKS port that you can tunnel through to exit via your remote server and go anywhere you want.


For this you need ProxyTunnel which also works on Windows and Linux. You can find it here

(Hilariously, as I saved this post the content-blocking proxy started blocking this site, so I had to switch to the tunnel.)


The setup on Linux is as follows:

1. Create a config file for your ssh client if you haven't already.
     touch ~/.ssh/config
2. Inside the file put the following:
     Host whateveryouwantyourtunnelhosttobecalled
         # proxytunnel: -p is the local (CNTLM) proxy, -r the remote (Apache) proxy on 443,
         # -X wraps the connection to the remote proxy in SSL, -d is the final destination
         ProxyCommand proxytunnel -q -X -r ipofyourapacheserver:443 -p hostnameofcntlmproxy:3128 -d localhost:22
         # Set up a SOCKS proxy you can connect to from your local machine to forward data via the tunnel
         DynamicForward 9999
         # Keep the connection alive so the proxies don't drop an idle session
         ServerAliveInterval 60

The setup on Windows is via putty.exe; it also works for WinSCP etc.

1. Create a new PuTTY connection. (The way I set this up, you don't really need a hostname configuration, since PuTTY will not connect directly to that but to your proxy configuration.)

2. Click on Connection->Proxy in the configuration section on the left

3. Select Local proxy

4. Enter the following in the 'local proxy command' box:

   Drive:\pathtoproxytunnel\proxytunnel.exe -q -X -r REMOTEAPACHESERVERIP:443 -p localhost:3128 -d localhost:22

5. If you want the SOCKS proxy as per the Linux configuration, click on Connection->SSH->Tunnels

   5.1 Click on 'Dynamic'

   5.2 Add port 9999

   5.3 Click on Add


Right, you can test this setup with telnet before you start using SSH clients; google for that if you don't know how. If you've done this right you will now be able to connect to your external SSH server on port 22 (or whatever port, really) via your Apache server. From here on out what's left is anything you can imagine ;) Set up your browser to use a SOCKS proxy, point it at port 9999 and browse any site you want. Update your servers inside the LAN without having to convince the powers that be that you need to be able to for work, etc.
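The telnet test mentioned above, scripted as an added example (my own code, not from the original post): it walks the same chain as proxytunnel, CONNECT through CNTLM to Apache, TLS, CONNECT to sshd, and reports the SSH banner, so each hop's failure shows up separately. The host names and ports are the placeholders used in this post and are assumptions you replace with your own.

```python
import socket
import ssl

def build_connect(host: str, port: int) -> bytes:
    """HTTP CONNECT request, as proxytunnel (or you, over telnet) would send it to a proxy."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def read_headers(sock) -> bytes:
    """Read one byte at a time up to the blank line that ends the proxy's reply,
    so nothing that follows it (the SSH banner) gets swallowed."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf

def connect_status(reply: bytes) -> int:
    """Status code from a proxy's CONNECT reply; 200 means the tunnel is open."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {parts!r}")
    return int(parts[1])

def looks_like_ssh_banner(data: bytes) -> bool:
    """sshd speaks first; a working tunnel delivers its version string immediately."""
    return data.startswith((b"SSH-2.0-", b"SSH-1.99-"))

# Defaults are the placeholders from this post (assumed values); substitute your own hosts.
def probe_chain(cntlm=("localhost", 3128), apache=("ipofyourapacheserver", 443),
                target=("localhost", 22), timeout=10) -> bytes:
    """CONNECT through CNTLM to Apache, start TLS, CONNECT to sshd, return its banner."""
    raw = socket.create_connection(cntlm, timeout=timeout)
    raw.sendall(build_connect(*apache))
    if connect_status(read_headers(raw)) != 200:
        raise RuntimeError("CNTLM refused the CONNECT to the Apache server")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the post uses a self-signed cert; verification is
    ctx.verify_mode = ssl.CERT_NONE  # relaxed for this probe only, not for day-to-day use
    tls = ctx.wrap_socket(raw, server_hostname=apache[0])
    tls.sendall(build_connect(*target))
    if connect_status(read_headers(tls)) != 200:
        raise RuntimeError("mod_proxy refused CONNECT; check AllowConnect and the Proxy block")
    banner = tls.recv(256)
    tls.close()
    return banner
```

Run `probe_chain()` from the machine behind CNTLM; a banner such as `SSH-2.0-OpenSSH_...` means all three hops work, while the RuntimeError text tells you which hop to look at.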


Good luck.