This looks like a long process, how does it work after I’m done?

• You’re ssh tunnel to your server outside the GFW will be active *whenever* your online
• When you need to bypass the GFW, simply select “SSH” from your locations menu
• When you don’t need to use your proxy, simply switch your location back to Automatic

What you need:

• SSH access to a server outside the GFW (See: ServerAge in Hong Kong)
• SSH Key Authentication configured (See: ssh-keygen, id_pub.rsa and ~/.ssh/authorized_keys)
• AutoSSH to auto-restart SSH sessions and keep SSH on forever (See: OS X Binary or Source)
• Instructions assume your on Mac OS X, but can be applied to any version of Linux

Configuring SSH key based authentication can be very difficult if you haven’t configured it previously. The idea is:

• Generate a key set on your local computer (with ssh-keygen on the local system)
• The Key Set will make two files on your hard drive, a “Private Key” and a “Public Key” (~/.ssh/id_rsa.pub on the local system)
• Note that the “Private Key” is many “lines” long, but the “Public Key” is a single line (no newlines/returns)
• The server that you’re logging into keeps a list of keys that are authorized to access the system (in ~/.ssh/authorized_keys on the server)
• Copy the single line of your “public key” file onto any line of your “authorized keys” file.
• Make sure the permissions of both your public keys and private keys are “correct”. “Insecure” file permissions are the most common cause of SSH key’s failing to authenticate.
• Always keep your .ssh dir and all your keys chmodded to 700 and 600 respectively.
• Use “ssh -vvv” if you have trouble logging in, this will give you diagnostic output.

Verify that you’re able to connect to the system you’ll be using to proxy via SSH.

If you’ve got the Apple Developer Tools installed, then go directly to the AutoSSH website, download the source, compile and install. In case you don’t, I’ve complied a copy that you can download here.

Just extract with: [shell]tar zxvf autossh.tgz -C /[/shell]

Use foreground mode to verify that you’re able to connect to the system of your choice via AutoSSH.

[shell]autossh -M 19999 -D 9999 -N example.com[/shell]

Use cURL to verify that your proxy is working

[shell]curl —socks4a localhost:9999 -v www.facebook.com[/shell]

Now that your proxy is online, the next step is to define a new location in your Mac OS X “Network” Profiles.

In System Preferences / Network:

• From the Locations dropdown choose “Edit Locations” then add a new location called “SSH”
  
• Return to the main Network window and choose “Advanced” then “Proxies”
  
• Enable “SOCKS Proxy” setting the proxy server to “localhost” and port “9999”
  
• Under bypass proxy setting for these hosts and domains, you can enter any sites that will be slowed down by proxing via your SSH connection:
  [plain]*.local, 169.254/16, *.cn, *.163.com, *.baidu.com, *.youku.com, *.toudou.com, *.sina.com, *.chinesepod.com[/plain]

Last, we just need to configure autossh to start when our Mac boots up. We’ll use a Login Hook so that the script will run regardless of which user logs in.

http://support.apple.com/kb/HT2420

You’ll need to create the shell script to use as the Login Hook, save it as /usr/local/bin/loginhook, and make it executable (chmod 755).

[shell] #! /bin/bash

if [ "$(ps ax | grep autossh | grep -vc grep)" -lt 1 ]; then
  sudo -u {USER} /usr/local/bin/autossh -f -M 19999 -D 9999 -N -o ServerAliveInterval=3 {SERVER}
fi

[/shell]

If you have trouble connecting and need to debug the autossh line, first try disabling the “-f” so that the program runs in the foreground and returns output. If you need to send the output to a log file, you can edit the loginhook script to something like:

[shell]sudo -u {USER} autossh -M 19999 -D 9999 -N {SERVER} 2&>1 >> /tmp/loginhook.log[/shell]

(Note that you’ll need to replace {USER} with the short name of the user account that is providing the SSH public key and {SERVER} with the host your connecting to)

[shell]sudo defaults write com.apple.loginwindow LoginHook /usr/local/bin/loginhook[/shell]

If your ever in doubt as to weather or not your new Proxy is running correctly, save the following script as /usr/local/bin/gfw. Run this script to instantly check on the status of your proxy.

[shell]curl –socks4a localhost:9999 -v www.facebook.com[/shell]

Reboot, Test and Enjoy!