How to access an application (such as an SSH server, mail or Remote Desktop) on a remote computer that is behind a restrictive NAT/firewall over which you have no control to set up port forwarding?
How to access:
a) a server using Remote Desktop Protocol, or
b) an SSH server,
if these are located behind NAT/firewall (that machine is named PCwithLocalIP) from any other computer (named AnyPC), including a mobile phone (named Android)?
You must have access to a remote server with a public IP (named RemoteServer).
Step 1
a) RDP access
On PCwithLocalIP run:
ssh -R 12345:localhost:3389 username_at_RemoteServer@IP_of_RemoteServer -p port_for_ssh_on_RemoteServer
b) SSH access
On PCwithLocalIP run:
ssh -R 12345:localhost:22 username_at_RemoteServer@IP_of_RemoteServer -p port_for_ssh_on_RemoteServer
Step 2
a) RDP access
In AnyPC's terminal:
- ssh -L 54321:localhost:12345 username_at_RemoteServer@IP_of_RemoteServer -p port_for_ssh_on_RemoteServer
- Run RDP on AnyPC, on port:54321. Done.
b) SSH access
Option 1
In AnyPC's terminal:
- ssh username_at_RemoteServer@IP_of_RemoteServer -p port_for_ssh_on_RemoteServer
Once connected, continue in the same terminal on AnyPC:
- ssh -p 12345 username_at_PCwithLocalIP@localhost
Option 2
In AnyPC's terminal:
- ssh -L 11223:localhost:12345 username_at_RemoteServer@IP_of_RemoteServer -p port_for_ssh_on_RemoteServer
In another terminal of the same AnyPC:
- ssh -p 11223 username_at_PCwithLocalIP@localhost
Step 2 on Android
- Set up ConnectBot: username_at_RemoteServer@IP_of_RemoteServer:port. Edit port forwards => Type: Local; Source port: 54321; Destination: localhost:12345
- Run RDP on Android, connecting to localhost, port 54321. Done.
--------------
How to access any blocked website using SSH dynamic port forwarding and a browser SOCKS proxy.
or
How to browse the internet with the IP of a remote server
On Win:
1. From your PC ssh (or use plink) into the Remote Server:
ssh -D 12345 username_at_RemoteServer@RemoteServer_IP
2. Configure the browser to use a SOCKS proxy on localhost, port 12345.
For Firefox: "Options" -> "Advanced" -> "Network" -> "Connection Settings" -> "Manual proxy configuration" -> in "SOCKS Host" enter 127.0.0.1 and port 12345. Select SOCKS v5.
plink.exe (the command-line interface of PuTTY) is the Windows equivalent of the Unix ssh client.
Use it for SSH tunneling into your Remote Server.
On Android:
Concept
- The browser (or the app to be proxied) tries to connect to the internet; SocksDroid intercepts the connection and forwards it to localhost on port 8080 (or any other port above 1024).
- ConnectBot intercepts the connection to localhost:8080 and forwards it to the remote server over SSH using dynamic port forwarding (-D, port 8080).
- The Remote Server then connects to the internet on port 80, so the browser appears with the IP of the Remote Server.
Setup:
- Set up SocksDroid to proxy an app (e.g. the browser). Connection -> Server IP: 127.0.0.1; Server Port: 8080; checked: Per-app Proxy; App List: com.android.chrome (for other apps, find the package names using "AnExplorer Pro" -> select Menu: APPS -> User Apps or System Apps -> find your app).
- Activate SocksDroid, which listens on localhost:8080 (or the custom port you set).
- Set up ConnectBot to SSH into the RPi (the remote server) using SOCKS port forwarding (-D, dynamic), source port 8080. Edit Host -> protocol: ssh -> userNameOfRemoteServer@Ip_ofRemoteServer:port -> Edit port forwards: Type: Dynamic (SOCKS) -> Source port: 8080 -> Destination: localhost:80 should already be set for you.
Setup for the Firefox app ONLY:
In ConnectBot, ssh into the RPi with a dynamic forward (-D) on localhost:8080
In Firefox, about:config
network.proxy.socks = 127.0.0.1
network.proxy.socks_port = 8080
network.proxy.socks_remote_dns = true
network.proxy.socks_version = 5
network.proxy.type = 1
(socks_port must match the source port of the ConnectBot dynamic forward, 8080 above.)
Setup for ALL OTHER APPS:
- on WiFi: Settings -> Network and Internet -> WiFi -> the network connected right now -> Edit (pencil icon) -> Proxy: Manual, set Proxy hostname and Proxy port -> Save.
- on GSM (mobile data): Settings -> Mobile network -> Advanced -> Access point names -> select the connected network -> set Proxy and Port -> Save.
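The browser speaks SOCKS5 (RFC 1928) to the local ssh -D listener, and the Firefox setting network.proxy.socks_remote_dns decides whether a hostname or an already-resolved IP address is what goes into the tunnel. The following is an added Python example, not code from this post or from OpenSSH: it builds and decodes the SOCKS5 greeting, CONNECT request and reply, so you can see the exact bytes and the DNS-leak difference between the two settings. open_through_proxy() performs the same handshake against a running proxy such as ssh -D 12345 and is the only part that needs a live proxy; the hostnames, ports and proxy address in it are placeholders.

```python
"""SOCKS5 (RFC 1928) messages as exchanged between a browser and an `ssh -D` listener.
Added example for illustration; not code from the post or from OpenSSH."""
import ipaddress
import socket
import struct

SOCKS_VERSION, CMD_CONNECT, NO_AUTH = 0x05, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_CODES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting():
    """Client hello: version 5, one method offered, 'no authentication'.
    ssh -D does no SOCKS-level auth; the SSH login is the authentication."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host, port, remote_dns=True):
    """CONNECT request for host:port.
    remote_dns=True sends a hostname verbatim (ATYP 0x03), so the far end of the tunnel
    resolves it (Firefox: network.proxy.socks_remote_dns = true).
    remote_dns=False resolves it here first: the DNS query leaves the machine outside
    the tunnel and only the resulting IP is sent to the proxy."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                      # not an IP literal: a hostname
    if addr is None and not remote_dns:
        addr = ipaddress.ip_address(socket.gethostbyname(host))  # local lookup leaks the name
    if addr is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        dst = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def _parse_address(data, offset):
    """Decode ATYP + address + port at offset; return (address, port, next_offset)."""
    atyp = data[offset]
    offset += 1
    if atyp == ATYP_IPV4:
        address, offset = str(ipaddress.IPv4Address(data[offset:offset + 4])), offset + 4
    elif atyp == ATYP_IPV6:
        address, offset = str(ipaddress.IPv6Address(data[offset:offset + 16])), offset + 16
    elif atyp == ATYP_DOMAIN:
        length = data[offset]
        address = data[offset + 1:offset + 1 + length].decode("idna")
        offset += 1 + length
    else:
        raise ValueError(f"unsupported address type {atyp:#x}")
    (port,) = struct.unpack("!H", data[offset:offset + 2])
    return address, port, offset + 2


def parse_connect(data):
    """Decode a CONNECT request as the proxy sees it: (atyp, host, port).
    atyp == ATYP_DOMAIN means a name went down the tunnel; IPv4/IPv6 means it was resolved locally."""
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    host, port, _ = _parse_address(data, 3)
    return data[3], host, port


def parse_reply(data):
    """Decode the proxy's reply; ok is False, with a status text, if the tunnel end could not connect."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep = data[1]
    bound_addr, bound_port, _ = _parse_address(data, 3)
    return {"ok": rep == 0x00, "status": REPLY_CODES.get(rep, f"unknown reply code {rep:#x}"),
            "bound_addr": bound_addr, "bound_port": bound_port}


def open_through_proxy(proxy, dest, remote_dns=True):
    """Handshake with a live SOCKS5 proxy, e.g. proxy=("127.0.0.1", 12345) for `ssh -D 12345`,
    and return a socket connected to dest=(host, port) through the tunnel. Needs a running proxy."""
    s = socket.create_connection(proxy, timeout=10)
    s.sendall(build_greeting())
    if s.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
        s.close()
        raise OSError("proxy refused the no-authentication method")
    s.sendall(build_connect(dest[0], dest[1], remote_dns))
    reply = parse_reply(s.recv(262))     # longest reply: domain form, 4 + 1 + 255 + 2 bytes
    if not reply["ok"]:
        s.close()
        raise OSError(f"proxy could not connect: {reply['status']}")
    return s
```

Compare parse_connect(build_connect("example.com", 443)) with the remote_dns=False form: the first carries the literal name, the second only the address the local resolver returned, which is exactly the difference the socks_remote_dns setting makes for anyone watching your DNS traffic.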
-------------------------------------------------
ADVANCED USE
Browse on A through B, exposing an IP of C.
Only B has a public IP address, A and C are behind NAT/Firewall.
Method 1 - running two SSH sessions on A
1. From C:# ssh -R 11111:localhost:22 usernameAtB@IP_B
2. From A:# ssh -L 22222:localhost:11111 usernameAtB@IP_B
3. From A:# ssh -D 33333 -p 22222 usernameAtC@localhost
4. Browser on A: SOCKS proxy, localhost:33333
Explanation
1. ssh -R, connect from C to B, forward port B:11111 => C:22
2. ssh -L, connect from A to B, forward port A:22222 => B:11111
3. ssh -D, A connects to its own ssh server on port 22222, and does Dynamic port forwarding of port 33333.
Overall, SOCKS 33333 => A:22222 => B:11111 => C:22
Method 2 - running two SSH sessions on B
1. From C:# ssh -R 11111:localhost:22 usernameAtB@IP_B
2. From A:# ssh -L 33333:localhost:22222 usernameAtB@IP_B
3. From B:# ssh -D 22222 -p 11111 usernameAtC@localhost
// The above command can be run on B inside the SSH session opened from A to B in step 2, or from a new SSH session from A to B that is independent of step 2.
4. Browser on A: SOCKS proxy, localhost:33333
Explanation
1. ssh -R. Connect from C to B and forward requests on B:11111 => C:22
2. ssh -L. Connect from A to B and forward requests on A:33333 => B:22222
3. ssh -D. On B, connect to itself on port 11111, with Dynamic forwarding of port 22222.
Overall, SOCKS 33333 => A:33333 => B:22222 (the -D listener on B) => B:11111 => C:22
----------
Browse internet on A through B, exposing an IP of C.
B and C are not behind NAT/Firewall (have public IP addresses)
A is a device with a Browser accessing internet.
B = username@remoteServer1, has public IP
C = username@remoteServer2, has public IP.
Method 1 - quickest to setup, but uses same #PORT for all tunnels
1. A# ssh -D #PORT -oProxyCommand="ssh -W %h:%p machine-B" machine-C
2. Browser on A, proxy set to localhost:#PORT.
Method 2 - less quick to setup, but allows port control
1. A# ssh -L #22222:machine-C:22 machine-B
2. A# ssh -D #11111 localhost -p #22222
3. Browser on A, proxy set to localhost:11111
Machine A, SOCKS:11111 => A:11111 => A:22222 => B:22222 => C:22
Method 3
1. A# ssh -L #11111:localhost:#22222 machine-B
2. B# ssh -D #22222 machine-C
3. Browser on A, proxy set to SOCKS, localhost:11111.
Machine A, SOCKS:11111 => B:22222 => C:22
This can be shortened to:
ssh -L #PORT:localhost:#PORT machine-B "ssh -D #PORT machine-C".
#PORT can, but does not have to be, the same number in each place.
------------------------------------------
Other setup details
SSH servers, e.g. FreeSSHd, Bitvise, OpenSSH.
In the sshd_config configuration file, set:
AllowTcpForwarding yes
GatewayPorts yes
Keepalive: ServerAliveInterval is a client-side (ssh_config) keyword, not an sshd_config one; put ServerAliveInterval 30 in the client's ssh config, or pass it on the command line:
ssh -R port_to_listen_on_remoteHost:localhost:port_on_ssh_session_initiating_host_which_is_localhost_on_the_left_side_of_the_colon username_at_remoteHost@IP_of_remoteHost -o ServerAliveInterval=30
// this keeps the ssh session alive (the server-side counterpart in sshd_config is ClientAliveInterval).
If the server has GatewayPorts no, you can achieve the same result by running ssh -g -L 8001:localhost:8000 user@remoteServer on remoteServer itself, after the ssh -R command has been executed on the client. This makes loopback port 8000 on the server reachable on all of its interfaces on port 8001.
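The sshd_config directives above decide whether the tunnels in this guide work at all and how far a -R listener is exposed, so it is worth checking them before relying on a server. As an added example (not part of this post and not OpenSSH code), here is a small Python checker that parses an sshd_config excerpt the way sshd does (keywords case-insensitive, first value wins, directives after Match apply conditionally), flags client-side keywords such as ServerAliveInterval that sshd would reject, and reports the effective AllowTcpForwarding, GatewayPorts and ClientAliveInterval values with the findings a reviewer would raise. The keyword list is a deliberately small subset of sshd_config(5) and the sample config is constructed for the example.

```python
"""Static check of an sshd_config for the forwarding directives this guide relies on.
Added example, constructed for illustration; not the post's or OpenSSH's code."""
import re

# Server keywords this checker understands (a subset of sshd_config(5); sshd knows many more).
KNOWN_SSHD_KEYWORDS = {
    "port", "listenaddress", "allowtcpforwarding", "gatewayports", "permitopen", "permitlisten",
    "clientaliveinterval", "clientalivecountmax", "allowagentforwarding",
    "allowstreamlocalforwarding", "permittunnel", "x11forwarding", "permitrootlogin",
    "passwordauthentication", "pubkeyauthentication",
}
# Client (ssh_config) keywords often pasted into sshd_config by mistake; sshd refuses to start on them.
CLIENT_ONLY_KEYWORDS = {"serveraliveinterval", "serveralivecountmax", "localforward",
                        "remoteforward", "dynamicforward", "proxycommand"}
# sshd_config(5) defaults for the directives assessed below.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "clientaliveinterval": "0"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive, values are not.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_settings, match_settings, problems).
    For a repeated keyword the first value wins, as in sshd; directives after a Match
    line are collected as (condition, keyword, value) because they apply conditionally."""
    global_settings, match_settings, problems = {}, [], []
    condition = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            problems.append(f"line {lineno}: cannot parse '{line}'")
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            condition = value
            continue
        if keyword in CLIENT_ONLY_KEYWORDS:
            problems.append(f"line {lineno}: {m.group(1)} is an ssh_config (client) keyword; sshd rejects it")
            continue
        if keyword not in KNOWN_SSHD_KEYWORDS:
            problems.append(f"line {lineno}: {m.group(1)} is not in this checker's list; verify against sshd_config(5)")
            continue
        if condition is None:
            global_settings.setdefault(keyword, value)   # first obtained value wins
        else:
            match_settings.append((condition, keyword, value))
    return global_settings, match_settings, problems


def assess(text):
    """Effective values of the tunnel-relevant directives plus review findings."""
    settings, matches, findings = parse_sshd_config(text)
    effective = {k: settings.get(k, default) for k, default in DEFAULTS.items()}
    if effective["allowtcpforwarding"] == "no":
        findings.append("AllowTcpForwarding no: the -L/-R/-D tunnels in this guide will be refused")
    if effective["gatewayports"] in ("yes", "clientspecified") and effective["allowtcpforwarding"] != "no":
        findings.append("GatewayPorts %s: -R listeners can be bound on public interfaces, not just loopback"
                        % effective["gatewayports"])
    if effective["clientaliveinterval"] == "0":
        findings.append("ClientAliveInterval 0: sshd will not notice a dead tunnel; set it, or use "
                        "-o ServerAliveInterval=30 on the client as the guide does")
    for condition, keyword, value in matches:
        findings.append(f"Match {condition}: {keyword} {value} overrides the global value for those sessions")
    return effective, findings


# Constructed sample excerpt (not a real host's configuration).
SAMPLE_CONFIG = """\
# sshd_config excerpt (constructed)
Port 2222
AllowTcpForwarding yes
GatewayPorts yes
GatewayPorts no
ServerAliveInterval 30
Match User tunnel
    AllowTcpForwarding remote
    PermitOpen none
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIG)[1]:
        print(finding)
```

Run it against a copy of a server's sshd_config (assess(open("/etc/ssh/sshd_config").read())) and treat every finding as something to decide about deliberately: GatewayPorts yes is what makes the -g trick above unnecessary, but it also means every -R listener any user opens is reachable from the outside.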
------------------------------
From SSH man page
https://man.openbsd.org/ssh
bind_address explanation
A host may have multiple IP addresses (e.g., 127.0.0.1, 192.168.1.2). Address binding allows you to run a service on some or all of these addresses.
Using localhost as bind_address would allow only SSH clients running on the local machine to connect to the SSH service.
Suppose the host is configured with two network interfaces, one connected to a trusted network (e.g., 192.168.1.0/24), the other connected to an untrusted network (e.g., 192.168.2.0/24). Say you want your host to accept SSH connections from the trusted network only. In this case, you would bind the SSH service to the host's address on the trusted network only (e.g., 192.168.1.2).
local_socket and remote_socket explanation
Typically a client connects to an IP address and the port the service is running on. This combination of IP:port is called a socket and represents a network endpoint of some type (local or remote).
SSH tunnel: ssh sets up an encrypted path between two systems, a connection to the remote server that takes in data at one end, and ssh encrypts it as it travels over an unprotected medium to the other side.
The mechanism ssh uses to provide access is to create new sockets at each end of the tunnel, which an application can use to reach the TCP service.
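To make concrete what "new sockets at each end of the tunnel" and bind_address mean in practice, here is an added Python example (not from the post and not OpenSSH code): a plain TCP forwarder that does what the listening half of ssh -L does, minus the encryption. It binds a listener on a chosen address, and for every accepted connection opens a fresh connection to the destination and copies bytes in both directions. demo() starts a constructed echo service standing in for sshd or RDP, forwards to it twice (once bound to 127.0.0.1 only, once to all interfaces, which is the -g / GatewayPorts case), and probes each listener via 127.0.0.1 and 127.0.0.2. Ports are chosen by the OS; the claim that 127.0.0.2 reaches the all-interfaces listener assumes Linux, where the whole 127/8 range is loopback.

```python
"""TCP port forwarder: the listening half of `ssh -L`, without the encryption.
Added example for illustration; not code from the post or from OpenSSH."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Forwarder:
    """Listen on (bind_address, port) and relay each accepted connection to dst_host:dst_port."""

    def __init__(self, bind_address, port, dst_host, dst_port):
        self.dst = (dst_host, dst_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_address, port))    # "127.0.0.1": loopback only; "": all interfaces (-g)
        self.listener.listen(16)
        self.port = self.listener.getsockname()[1]  # port 0 lets the OS choose; read the result back
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:                         # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.dst, timeout=5)  # the new socket at the far end
        except OSError:
            client.close()                          # destination unreachable: drop the client
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        upstream.close()
        client.close()

    def close(self):
        self.listener.close()


def start_echo_service():
    """Constructed stand-in for the real service behind the tunnel (sshd on 22, RDP on 3389)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def roundtrip(host, port, payload, timeout=2.0):
    """Send payload to host:port and return what comes back, or None if the address is unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            received = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                received += chunk
            return received
    except OSError:                                 # refused, timed out, no route
        return None


def demo():
    """Forward to the echo service bound to loopback only and bound to all interfaces; probe both."""
    service = start_echo_service()
    svc_port = service.getsockname()[1]
    loop_only = Forwarder("127.0.0.1", 0, "127.0.0.1", svc_port)
    all_ifaces = Forwarder("", 0, "127.0.0.1", svc_port)
    results = {
        "loopback_via_127.0.0.1": roundtrip("127.0.0.1", loop_only.port, b"hello"),
        "loopback_via_127.0.0.2": roundtrip("127.0.0.2", loop_only.port, b"hello"),   # refused: not bound there
        "all_via_127.0.0.1": roundtrip("127.0.0.1", all_ifaces.port, b"hello"),
        "all_via_127.0.0.2": roundtrip("127.0.0.2", all_ifaces.port, b"hello"),       # answers on Linux
    }
    for obj in (loop_only, all_ifaces, service):
        obj.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The loopback-only listener is the ssh default for both -L and -R; the all-interfaces one is what GatewayPorts yes, -g, or a bind_address of * gives you, and the 127.0.0.2 probe is the cheapest way to see that the difference is real rather than cosmetic.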
EXTRA useful commands
--------------------------------------------------
Copy files to/from remote server
scp (run on remoteServer through the reverse tunnel; the PuTTY counterpart on Windows is pscp)
Copy file from localhost (Win) to remoteServer (Debian):
root@remoteServer:~# scp -P 12345 username@localhost:myFile.txt /root
Copy file from remoteServer (Debian) to localhost (Win):
root@remoteServer:~# scp -P 12345 myFile.txt username@localhost:
sftp (run on remoteServer through the reverse tunnel; the PuTTY counterpart on Windows is psftp)
root@remoteServer:~# sftp -oPort=12345 username@localhost
Copy file from localhost (Win) to remoteServer (Debian):
get myFile.txt
Copy file from remoteServer (Debian) to localhost (Win):
put myFile.txt
_______________________________
How to activate OpenSSH on Win 10
https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH
https://github.com/PowerShell/Win32-OpenSSH/wiki
From SSH man page (the -R and -L options)
https://man.openbsd.org/ssh
-R [bind_address:]port:host:hostport
-R [bind_address:]port:local_socket
-R remote_socket:host:hostport
-R remote_socket:local_socket
-R [bind_address:]port
Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the local side.
This works by allocating a socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection is made from the local machine to either an explicit destination specified by host port hostport, or local_socket, or, if no explicit destination was specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.
Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square brackets.
By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address '*', indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).
-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side. This works by allocating a socket to listen to either a TCP port on the local side, optionally bound to the specified bind_address, or to a Unix socket. Whenever a connection is made to the local port or socket, the connection is forwarded over the secure channel, and a connection is made to either host port hostport, or the Unix socket remote_socket, from the remote machine.