I don't believe in blocking anything on the Internet. It only creates problems. Anyone with technical know-how can easily get past any filtration system. Most would be surprised how easy some filters are to bypass. I'm not writing this blog post to condone or endorse filtering, or getting around a filter that is in place wherever you have access to the Internet. I am only interested in making the necessary knowledge available to those inclined to seek it out.
When getting around an Internet filter, you need to know the type of filter that is in place. Some firewalls block all traffic to a specified computer or network on the Internet. Some only block web traffic. Some block only IRC traffic. Know what you are trying to get access to, and know how it is being blocked.
The block that prompted this blog post is BYU's block to Youtube. BYU runs a filtering system to keep inappropriate content off campus. They use a transparent proxy server. Basically, when you go to a website, the filter sees that you are requesting web traffic and routes it through their filter. If it meets certain criteria, the filter displays the "blocked" page, usually with a short blurb about what the problem was.
When the block was first put into place, anything that started with: "http://www.youtube.com/" was blocked. For those who are familiar with DNS, we know that it isn't actually ".com" but ".com.". To your web browser, and to youtube, "www.youtube.com" and "www.youtube.com." were essentially the same thing. BYU's filter wasn't set up to take this difference into account. Anyone could still get to youtube by adding this extra dot. BYU caught on because they saw web traffic going out to youtube's servers. You can't do this anymore. Your traffic was still going through BYU's web filter, which is what we are trying to ditch in the first place.
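The trailing-dot mismatch described above, seen from the filter's side, as an added example (not code from BYU's filter or from this post): a literal prefix rule next to a check that canonicalizes the hostname first. The blocklist, function names and sample URLs are constructed for illustration, and the canonical check goes slightly beyond the post by also matching parent domains.

```python
from urllib.parse import urlsplit

# Constructed blocklist for this example; not taken from any real filter.
BLOCKED_DOMAINS = {"youtube.com"}


def naive_is_blocked(url):
    """The rule as the post describes it: a literal URL-prefix match."""
    return url.startswith("http://www.youtube.com/")


def canonical_host(url):
    """Reduce the URL's host to one canonical spelling before comparing."""
    # urlsplit() lowercases the hostname and strips any port.
    host = urlsplit(url).hostname or ""
    # "www.youtube.com." names the same host as "www.youtube.com": the
    # trailing dot is the DNS root label, so drop it before matching.
    return host.rstrip(".")


def is_blocked(url):
    """Match the canonical host and each parent domain against the list."""
    labels = canonical_host(url).split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels)))
    return any(name in BLOCKED_DOMAINS for name in candidates)


# Constructed sample requests.
SAMPLES = [
    "http://www.youtube.com/watch?v=example",
    "http://www.youtube.com./watch?v=example",   # fully qualified form
    "http://youtube.com.example.org/",           # different domain
    "http://notyoutube.example/",                # different domain
]


def compare(urls=SAMPLES):
    """Return (url, naive verdict, canonical verdict) for each URL."""
    return [(u, naive_is_blocked(u), is_blocked(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, fixed in compare():
        print(f"{url:45} naive={naive!s:5} canonical={fixed}")
```

Only the second sample gets a different verdict from the two rules; the two look-alike domains stay unblocked under both.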
The solution, of course, is to slip your traffic past the filter and on to youtube. The easiest way to do this is to find an open proxy on the Internet. Simply google for "open proxy" and you should find a list of them. Fill in the appropriate settings in Firefox, or whatever browser you use, and visit youtube all day long. Instead of your traffic leaving your computer headed straight for youtube, it goes to this other place first. Your computer asks that computer to go to youtube, and send the site back. By using this intermediary, you have successfully gotten to Youtube without sending out a request that trips the filter. Your request goes off to some open proxy instead.
Great, that sounds wonderful. Right?
Not always. If you are connecting to an open proxy, it is very likely that BYU could still watch outgoing proxy traffic. It may work today, but it might break tomorrow. BYU could very easily start routing any outgoing proxy traffic through a filter if they wanted to. It is entirely possible that BYU already does this type of filtering, but I don't believe that they do. I do think that BYU's filter blocks the websites that list these public proxy servers.
What solution is there then? If my traffic has to leave BYU at some point, BYU will be able to filter it, right? Wrong.
Enter Secure Shell, or SSH.
SSH was designed to replace telnet and rlogin. These were methods of accessing a computer remotely, logging in, and running commands. Passwords and any sensitive information were transmitted in clear text. SSH first sets up a secure conversation between two computers, after which both computers can exchange all the sensitive information they want without transmitting it in plain text. BYU allows SSH. It will probably always allow SSH. There are plenty of places you can SSH into from off campus, and plenty of places you can SSH to from on campus.
SSH is more than just running commands. SSH can transmit just about anything over the secure connection it sets up. It can transmit graphics, programs, and files. It can be used to secure other protocols like x11, rsync, svn, and git. It can be used to tunnel VPN traffic. It can be used to forward ports. It can also be used to securely browse the Internet.
Remember the open proxy solution? It worked great, but BYU could see and filter proxy connections. SSH has the ability to create a proxy that looks like it is running on your computer, pass the requests over the secure line, and return the results of the requests back over the secure line and to your web browser. The Internet filter can't do anything at all about encrypted traffic because it can't read it. It is just as likely a set of files being transferred securely. It could be a git-clone. It could be an x11 app running. The filter can't read it, so it can't decide to block it. SSH is used for so many things that BYU will likely never decide to block SSH traffic.
How to set it up.
First, you need a place to SSH to. I have ssh turned on at home, so I can use my home computer while I'm on campus. For most BYU students, there are two choices other than SSHing to your home computer. The first solution is to SSH to the Computer Science department. The CS department has been doing filtering longer than BYU has, so it uses its own system. It never blocked Youtube. If you have a CS account, you can use your CS account that way. This won't always work though, because your account is turned off if you aren't taking a class. The second option is to find a shell account on the Internet. I recommend http://sdf.lonestar.org/. Their free account won't let you run the secure proxy server, but their MetaARPA account ($36/year) does.
Once you have a place to SSH to, you can set up the secure proxy. On a mac, or in linux, bring up a Terminal. Type this command:
ssh -D1080 username@example.com
Be sure to replace username with your username, and example.com with the place you are SSHing to (home, CS department, or sdf.)
If you are in windows, the steps are a little different. If you don't have it already, get putty. putty is a program that allows you to ssh from windows. Just google for it, and download it. It's free. Once you have putty.exe, put it somewhere accessible. Run the program, and on the first screen, there is a box that says "host name". Put the appropriate hostname in this box. This will be the hostname for your home machine if you are running ssh, or the hostname for connecting to the CS network, or the hostname for sdf. Now, look in the list on the left. Under Connection->SSH->Tunnels, you'll get a new screen. In the "source port" box, type "1080". Click on the radio button below that is labeled "Dynamic". Click the "Add" button. You will see "D1080" appear in the white box labeled "Forwarded ports." If you do not click the add button and see "D1080" it will not work. Click on the "Open" button, and you will get a black box asking your username. Type in your username and press enter.
At this point on linux, mac, and windows, you will be prompted for your password. Type it in, hit enter, and you will get a command prompt. You don't need to type in any commands. You can minimize the terminal, and ignore it while you do everything else. When you are done using it, you can close it.
After the ssh command is run and you're at the command prompt, switch to your web browser. You need to set up your proxy settings now. In firefox, this is located in Preferences in the "Advanced" tab. In the "Advanced" tab, there is a sub-tab labeled "Network." Click on the "Settings..." button for "Configure how Firefox connects to the Internet." Select "Manual proxy configuration" and leave everything blank except for SOCKS Host and Port. The host is "localhost" and the port is 1080. Press OK, and try to browse to youtube. If it works, then you have a secure channel for browsing the Internet.
It will remain secure until it reaches the ssh host (home, cs department, or sdf). At the CS department, it will still be subject to the CS filtering system, which is generally much less aggressive than BYU's. If you have a filter at home, then it will be subject to the filtering there. This won't be very useful if "home" is on-campus housing.
I intend for this guide to be a reference to those who are frustrated by these restrictions. There are plenty of educational resources available on Youtube, and I hope that this guide will get one of those resources in a classroom on campus.
Edit:
BYU has lifted their block on youtube. http://universe.byu.edu/node/727
I forgot to add one thing. I've also used this same method to access resources that are only available inside BYU's network.
I'm having a problem. I got the paid account at http://sdf.lonestar.org/ and set everything up as listed here. When I try to go anywhere I get this message:
Connection Interrupted
The connection to the server was reset while the page was loading.
The network link was interrupted while negotiating a connection. Please try again.
What am I doing wrong?
-Jason
Jason-
I'll e-mail you out of the comment system so I can get more information. I'll post the result of your problem in the comments after you get it working.
Yeah I'm having the very same issue:
"Connection Interrupted
The connection to the server was reset while the page was loading.
The network link was interrupted while negotiating a connection. Please try again."
I actually came here from a Google search as I was looking for others who had that problem after reading a similar tutorial. I read through yours too though and used the command you gave, but still got the same results.
Did you manage to find out what was wrong? I have one question, what do I need to have running on the server side in order to process these requests or is just invoking the command to set up a connection enough?
Brilliant write up btw. It is very relevant to me at the moment as I live in Australia, where they are trying to implement a nation wide filter. I'm thinking if this goes through it might be time to jump ship and leave the idiots to drown in their own stupidity. But for now I'll just stick to proving to people that the plan is broken by design. As you've more or less pointed out in your article, there are many ways around a filter, but it's important to demonstrate a foolproof method so there is nobody left wondering if it is just the filter that's at fault.
No, I never received a response from Jason.
I don't have a MetaARPA membership myself, and I recommended it based on what I read about the account type. I had also read reports of others using the -D option to run a local proxy server using the MetaARPA membership.
I'll reply to your e-mail address, and hopefully I can assist in getting this working for you.
Yep, sent a reply. I'm not using MetaARPA either. I hope we can get this solved so that you have a solution up here for everybody else who's searching Google for an answer.
K, I'm not sure what exactly I did to fix the issue, but it's working now when I use the regular socks option in Firefox.
I switched to using a pac file and the issue came back. I found some info on the issue and I was able to stop it occurring by going into about:config and setting the network.dns.disableIPv6 option to true. However I didn't really want to disable IPv6 support so I took another stab in the dark and changed the line in my pac file from:
if (shExpMatch(host, "example.com")) return "SOCKS 127.0.0.1:1080";
to:
if (shExpMatch(host, "example.com")) return "SOCKS localhost:1080";
and amazingly this fixed the issue for pac files.
There is some info here relating to various IPv6 bugs: http://kb.mozillazine.org/Network.dns.disableIPv6#Background
I'm also running my own version of Bind, so I'm not sure if this could have been causing the issue or if this is in fact what has solved the issue in the pac file. Anyway it's all working for me now, so I'm happy. :)
OK, I just realised that same error will come up if you specify the wrong port number in your Firefox socks config. I think this may have been what I had wrong initially.