MJ Blog

Just a little blog about my Raspberry Pi experiences

Making SSH Available in Environments With Http(s)-proxies

If you are in a network whose only way to the internet is an HTTP(S) proxy, you can still reach your SSH server: wrap SSH in SSL/TLS and send it through the proxy's CONNECT method, the same mechanism the proxy uses for ordinary HTTPS traffic. Stunnel is made for this purpose.

So let us install stunnel4 (that is the package name on Debian and Raspbian; the directory and config file need root):

sudo apt-get install stunnel4
sudo mkdir -p /var/run/stunnel4
sudo chown stunnel4:stunnel4 /var/run/stunnel4
sudo vi /etc/stunnel/stunnel.conf

Configuring the server

Put the following into /etc/stunnel/stunnel.conf on the server (the Raspberry Pi):

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

client=no
cert=/etc/stunnel/stunnel.pem
debug=3
; "all" on its own also negotiates SSLv2/SSLv3; switch those off
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
output=/var/log/stunnel4/stunnel.log
[sslssh]
accept=192.168.2.42:10443
connect=localhost:22

Do not forget to change the IP address in the "accept=" line to the address of the stunnel host (a bare "accept=10443" listens on all interfaces).

Stunnel now listens on port 10443 for SSL/TLS connections and forwards the decrypted stream to port 22 (sshd on the same host). Any other host and port reachable from the stunnel host can be used as connect= target instead. Note that the proxy will only open a CONNECT tunnel to the port you configure later as protocolHost on the client (443 in this post, because most proxies allow CONNECT to 443 only), so forward that public port on your router to port 10443 on the stunnel host. I assume you are able to configure the port forwarding in your router yourself.

Create a self-signed certificate (with -x509 openssl emits a certificate, not a signing request, so the file is named accordingly) and combine certificate and key into the single PEM file stunnel expects, certificate first:

openssl req -new -x509 -keyout st-key.pem -out st-cert.pem -days 1000 -nodes
cat st-cert.pem st-key.pem | sudo tee /etc/stunnel/stunnel.pem >/dev/null
sudo chmod 600 /etc/stunnel/stunnel.pem

The key is unencrypted (-nodes), so the combined file must be readable by root only; that is also why the original "sudo" wrapped around a quoted shell redirection does not work (sudo cannot execute a string, and the redirection would run as you anyway). Keep st-cert.pem around: the client can use the certificate (and only the certificate, never the key) to verify that it really talks to your stunnel and not to something the proxy put in between.
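The steps above as one script. This is an added example, not code from the original post; the CN, file names and install path are assumptions. It builds the bundle in the order stunnel needs (certificate, then key), never leaves the unencrypted key group/other readable, splits off a certificate-only copy for the client side, and checks a bundle before you point cert= at it.

```shell
#!/bin/sh
# Added example (not from the original post): assemble and check the combined
# PEM file stunnel reads via cert=, and produce the certificate-only copy the
# client needs for verification. Paths and the CN are assumptions.

# Generate a self-signed certificate and an unencrypted key with openssl.
# Run this once on the server; the checks further down do not call it.
make_self_signed() {        # $1 = CN, $2 = days, $3 = key out, $4 = cert out
    openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days "$2" \
        -keyout "$3" -out "$4"
}

# Concatenate certificate and key, certificate first, without ever creating a
# group/other readable file on disk (the key is unencrypted).
assemble_stunnel_pem() {    # $1 = cert PEM, $2 = key PEM, $3 = output bundle
    ( umask 077 && cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# Copy only the CERTIFICATE block(s) out of a bundle: this is what the client
# side needs for verification, and it contains no secret.
extract_cert_only() {       # $1 = bundle, $2 = output
    awk '/^-----BEGIN CERTIFICATE-----/ {p=1} p {print} /^-----END CERTIFICATE-----/ {p=0}' "$1" > "$2"
}

# Sanity-check a bundle: exactly one certificate, exactly one private key,
# certificate before key, and no group/other read access. 0 means usable.
check_stunnel_pem() {       # $1 = bundle
    f=$1
    ncert=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
    nkey=$(grep -c -- '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    if [ "$ncert" -ne 1 ] || [ "$nkey" -ne 1 ]; then
        echo "$f: expected one certificate and one private key, found $ncert/$nkey" >&2
        return 1
    fi
    certline=$(grep -n -- '^-----BEGIN CERTIFICATE-----' "$f" | cut -d: -f1)
    keyline=$(grep -n -- '^-----BEGIN .*PRIVATE KEY-----' "$f" | cut -d: -f1)
    if [ "$certline" -gt "$keyline" ]; then
        echo "$f: certificate must come before the private key" >&2
        return 1
    fi
    if [ "$(ls -l "$f" | cut -c5-10)" != '------' ]; then
        echo "$f: private key is readable by group/other" >&2
        return 1
    fi
    return 0
}

# Typical server-side run (hypothetical names, not executed by the checks):
#   make_self_signed pi.example 1000 st-key.pem st-cert.pem
#   assemble_stunnel_pem st-cert.pem st-key.pem stunnel.pem
#   check_stunnel_pem stunnel.pem && sudo install -m 600 stunnel.pem /etc/stunnel/stunnel.pem
#   extract_cert_only stunnel.pem st-cert.pem   # copy this one, never the key, to the client
```

check_stunnel_pem catches the two mistakes that make stunnel fail to start with an unhelpful "error reading private key" or "error reading certificate": key and certificate in the wrong order, and a bundle that was created before chmod so the key was briefly world-readable.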

Configuring the client

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

client=yes
; A client certificate is only needed if the server is configured to demand one;
; do not copy the server's stunnel.pem (it contains the private key) to the client
; cert=/etc/stunnel/stunnel.pem
; Verify the server against the self-signed certificate copied from it (certificate
; only, no key); CAfile is read before the chroot, so the path is the real one
verify = 2
CAfile = /etc/stunnel/st-cert.pem
debug=3
; "all" on its own also negotiates SSLv2/SSLv3; switch those off
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
output=/var/log/stunnel4/stunnel.log
[ssh]
accept = localhost:10443
connect = PROXY_IP:80
protocol = connect
protocolHost = REMOTE_IP:443

You have to enter the correct addresses again: PROXY_IP:80 is your proxy, and REMOTE_IP:443 is the public address and port of your stunnel server as the proxy sees it (the proxy's CONNECT must be allowed to that port, which is why 443 is used here; your router forwards it to 10443 on the stunnel host). Copy st-cert.pem from the server to /etc/stunnel/st-cert.pem on the client so the verify line has something to check against; without verify a proxy that terminates TLS would go unnoticed. I suggest using no-ip.com or any other DynDNS provider if REMOTE_IP is dynamic.

Starting the services

If everything is configured, start the daemon on both machines with

sudo /etc/init.d/stunnel4 start

On Debian and Raspbian the init script refuses to start until ENABLED=1 is set in /etc/default/stunnel4. If it still does not come up, /var/log/stunnel4/stunnel.log (debug=3 above) names the offending line.

After successful configuration you can connect to the remote SSH machine through the local stunnel with

ssh -p 10443 localhost

(ssh takes the port with -p; the host:port form is not accepted). The local stunnel opens a CONNECT tunnel through the proxy, speaks SSL/TLS to the stunnel on the server, and the server hands the decrypted stream to sshd. ssh stores the remote host key under [localhost]:10443 in known_hosts, so compare the fingerprint it shows on the first connect with the one on the server.

Having trouble?

If the connection fails, it is possible that your firewall or proxy rejects CONNECT requests that carry no User-Agent header. I am using proxytunnel on the client side to circumvent this “feature”:

sudo apt-get install proxytunnel

Change your ~/.ssh/config (with -e proxytunnel speaks TLS to the remote stunnel itself, so the local stunnel is not involved on this path; -d must name the public host:port the proxy is allowed to CONNECT to, i.e. the same value as protocolHost above):

Host REMOTE_NAME
        ProxyCommand proxytunnel -q -e -p PROXY_IP:80 -d REMOTE_IP:443 -H "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
        ServerAliveInterval 30
        User pi

ProtocolKeepAlives is not an ssh_config keyword (ssh aborts with "Bad configuration option"); ServerAliveInterval is the option that keeps an idle tunnel alive through the proxy.

To connect to the remote system:

ssh REMOTE_NAME
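When it does not work, the useful question is which hop fails: the proxy's answer to CONNECT, the TLS handshake with stunnel, or sshd behind it. The following is an added example, not part of the original post or of proxytunnel, that reproduces by hand what stunnel (protocol = connect) and proxytunnel send, parses the proxy's reply, and, as a live check, lets openssl do the CONNECT plus TLS handshake and print whatever the far end says first. PROXY, REMOTE and the User-Agent string are placeholders; the live probe assumes OpenSSL 1.1.0 or newer (for s_client -proxy) and the coreutils timeout command.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose an SSH-over-TLS-over-
# CONNECT tunnel hop by hop. Values below are assumptions; override them in
# the environment.

PROXY=${PROXY:-PROXY_IP:80}        # the corporate proxy (connect = in stunnel)
REMOTE=${REMOTE:-REMOTE_IP:443}    # public host:port of the stunnel server (protocolHost)
UA=${UA:-"Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0.1"}   # constructed User-Agent

# The exact bytes a CONNECT client sends. With an empty second argument the
# User-Agent line is left out, which is what some proxies reject.
build_connect_request() {   # $1 = host:port, $2 = User-Agent or ""
    if [ -n "$2" ]; then
        printf 'CONNECT %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n\r\n' "$1" "$1" "$2"
    else
        printf 'CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n' "$1" "$1"
    fi
}

# Status code from the proxy's reply; empty if the first line is not HTTP at
# all (for example when the port is not a proxy and sshd answered directly).
parse_proxy_status() {      # $1 = raw reply text
    printf '%s' "$1" | head -n 1 | tr -d '\r' | awk 'substr($1,1,5)=="HTTP/" {print $2}'
}

# What a given status means for the tunnel.
explain_proxy_status() {    # $1 = status code (may be empty)
    case "$1" in
        200) echo "tunnel established; from here on the bytes are end-to-end TLS to stunnel" ;;
        403) echo "proxy refuses CONNECT to this host:port (ACL, or it wants a User-Agent)" ;;
        407) echo "proxy wants authentication (add a Proxy-Authorization header)" ;;
        '')  echo "no HTTP status line: wrong proxy port, or the proxy dropped the connection" ;;
        *)   echo "proxy answered $1; CONNECT did not succeed" ;;
    esac
}

# Live check (not run by the tests): openssl issues the CONNECT, does the TLS
# handshake and verifies the server against the certificate-only PEM copied
# from the server. On a working setup the output ends with sshd's banner,
# "SSH-2.0-OpenSSH_..."; a verify error means something else answered.
probe_tunnel() {            # $1 = st-cert.pem copied from the server
    timeout 5 openssl s_client -proxy "$PROXY" -connect "$REMOTE" \
        -CAfile "$1" -verify_return_error -quiet </dev/null 2>&1 | head -n 5
}

# Raw CONNECT check without TLS (not run by the tests): shows the proxy's
# verdict on a request with and without User-Agent. Needs nc (netcat).
probe_proxy() {
    for agent in "" "$UA"; do
        reply=$(build_connect_request "$REMOTE" "$agent" | nc -w 5 "${PROXY%:*}" "${PROXY##*:}" | head -n 1)
        code=$(parse_proxy_status "$reply")
        printf 'User-Agent %s: %s\n' "${agent:+set}${agent:-absent}" "$(explain_proxy_status "$code")"
    done
}
```

If probe_proxy reports 403 without a User-Agent and 200 with one, the proxytunnel -H workaround is the right fix; if both give 200 but probe_tunnel shows a certificate verify error, the proxy is terminating TLS itself and the tunnel must not be trusted.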

Simple? :)