Using SSH to bypass The Great Firewall/GFW

This looks like a long process, how does it work after I’m done?

  • You’re ssh tunnel to your server outside the GFW will be active *whenever* your online
  • When you need to bypass the GFW, simply select “SSH” from your locations menu
  • When you don’t need to use your proxy, simply switch your location back to Automatic

What you need:

Configuring SSH key based authentication can be very difficult if you haven’t configured it previously. The idea is:

  • Generate a key set on your local computer (with ssh-keygen on the local system)
  • The Key Set will make two files on your hard drive, a “Private Key” and a “Public Key” (~/.ssh/id_rsa.pub on the local system)
  • Note that the “Private Key” is many “lines” long, but the “Public Key” is a single line (no newlines/returns)
  • The server that you’re logging into keeps a list of keys that are authorized to access the system (in ~/.ssh/authorized_keys on the server)
  • Copy the single line of your “public key” file onto any line of your “authorized keys” file.
  • Make sure the permissions of both your public keys and private keys are “correct”. “Insecure” file permissions are the most common cause of SSH key’s failing to authenticate.
  • Always keep your .ssh dir and all your keys chmodded to 700 and 600 respectively.
  • Use “ssh -vvv” if you have trouble logging in, this will give you diagnostic output.

Verify that you’re able to connect to the system you’ll be using to proxy via SSH.

If you’ve got the Apple Developer Tools installed, then go directly to the AutoSSH website, download the source, compile and install. In case you don’t, I’ve complied a copy that you can download here.

Just extract with: [shell]tar zxvf autossh.tgz -C /[/shell]

Use foreground mode to verify that you’re able to connect to the system of your choice via AutoSSH.

[shell]autossh -M 19999 -D 9999 -N example.com[/shell]

Use cURL to verify that your proxy is working

[shell]curl —socks4a localhost:9999 -v www.facebook.com[/shell]

Now that your proxy is online, the next step is to define a new location in your Mac OS X “Network” Profiles.

In System Preferences / Network:

  • From the Locations dropdown choose “Edit Locations” then add a new location called “SSH”
    Screen shot 2009-12-01 at 上午01.07.36.png
  • Return to the main Network window and choose “Advanced” then “Proxies”
    Screen shot 2009-12-01 at 上午01.07.28.png
  • Enable “SOCKS Proxy” setting the proxy server to “localhost” and port “9999”
    Screen shot 2009-12-01 at 上午01.08.09.png
  • Under bypass proxy setting for these hosts and domains, you can enter any sites that will be slowed down by proxing via your SSH connection:
    [plain]*.local, 169.254/16, *.cn, *.163.com, *.baidu.com, *.youku.com, *.toudou.com, *.sina.com, *.chinesepod.com[/plain]

Last, we just need to configure autossh to start when our Mac boots up. We’ll use a Login Hook so that the script will run regardless of which user logs in.

http://support.apple.com/kb/HT2420

You’ll need to create the shell script to use as the Login Hook, save it as /usr/local/bin/loginhook, and make it executable (chmod 755).

[shell] #! /bin/bash

if [ "$(ps ax | grep autossh | grep -vc grep)" -lt 1 ]; then
  sudo -u {USER} /usr/local/bin/autossh -f -M 19999 -D 9999 -N -o ServerAliveInterval=3 {SERVER}
fi

[/shell]

If you have trouble connecting and need to debug the autossh line, first try disabling the “-f” so that the program runs in the foreground and returns output. If you need to send the output to a log file, you can edit the loginhook script to something like:

[shell]sudo -u {USER} autossh -M 19999 -D 9999 -N {SERVER} 2&>1 >> /tmp/loginhook.log[/shell]

(Note that you’ll need to replace {USER} with the short name of the user account that is providing the SSH public key and {SERVER} with the host your connecting to)

[shell]sudo defaults write com.apple.loginwindow LoginHook /usr/local/bin/loginhook[/shell]

If your ever in doubt as to weather or not your new Proxy is running correctly, save the following script as /usr/local/bin/gfw. Run this script to instantly check on the status of your proxy.

[shell]curl –socks4a localhost:9999 -v www.facebook.com[/shell]

Reboot, Test and Enjoy!

9 thoughts on “Using SSH to bypass The Great Firewall/GFW”

  1. I needed to thank you for this good read!! I absolutely loved every little bit of it. I’ve got you book marked to look at new things you post…

  2. Hello there! I know this is kind of off topic but I was wondering if you knew where I could find a captcha plugin for my comment form? I’m using the same blog platform as yours and I’m having trouble finding one? Thanks a lot!

  3. A pro ɦormone is a precursor of hߋrmoneѕ but it doеsn’t Һave muсh of ɦormonal effects on its own. By changing how you lift tҺe weights you have a different routine that gives you the result you want. Еҳcellent solutions lіke maқing a choiсe on low calorie nutrition and plannіng tҺis meals well remain more realistic.

  4. In a written report by David Spiegel inside Harvard Mental Health Letter, your research was cited that Hypnosis methods have been used successfully for anxiety connected with medical procedures. grado de conciencia tiene el paciente en ese momento. an su ministerio o el lugar en el que guardaban sus objetos personales cotidianos”, explica Amalia Est.

  5. Nice article, If you would like set the access authorities for those files or programs, such as, to hide or lock them, to deny copy or delete etc, and likewise want to monitor their utilization, the File Encryption will probably be your best choice.

  6. Oh it’s right, File Encryption is the best encryption software to encrypt, lock and hide files, folders, drives in a convenient method. This encryption software is compatible with all popular versions of Windows OS

Leave a Reply

Your email address will not be published. Required fields are marked *