laptop ssh -> laptop stunnel -> evil network -> internet -> your server -> your server ssh
Sets up a stunnel process listening externally on port 2443/tcp, forwards to localhost 22/tcp
- Install stunnel, e.g.
yum install stunnel
- Install server config snippet to
/etc/stunnel/stunnel.conf
- Create a TLS cert+key pair, save to
/etc/stunnel/stunnel.pem
Quick and dirty self-signed cert. Note that a self-signed cert gives you encryption but not authentication: unless the client pins this cert (stunnel verify/CAfile), it cannot tell your server from a man-in-the-middle sitting on the evil network. The file holds the private key, so keep it private (chmod 600 /etc/stunnel/stunnel.pem):
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
- Create the chroot directory (stunnel drops privileges to nobody and chroots here after binding the port; its pid file lives inside it):
mkdir -p /var/run/stunnel ; chown nobody:nobody /var/run/stunnel
- Run the server (by hand, if there isn't an init script):
stunnel /etc/stunnel/stunnel.conf
- Remember to open iptables to accept connections on 2443/tcp if you use it!
Sets up a stunnel process listening on the laptop on port 2443
- Install stunnel
- Install client config to your homedir as stunnel-client.conf
- Edit the
connect=
line to point at your server, e.g. connect=myserver.example.com:2443
- Run the client:
stunnel stunnel-client.conf
From the laptop, telnet to localhost port 2443. You should see the OpenSSH banner of your remote server (if you see an HTTP redirect or nothing at all, the captive network is intercepting the connection and the tunnel isn't reaching sshd):
lapdance:~ bwann$ telnet localhost 2443
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1
Testing ssh:
lapdance:~ bwann$ ssh -p 2443 localhost uname -n
my-server.wann.net
On your laptop, ssh to localhost port 2443 (the port the client stunnel listens on). This will connect you to the sshd running on your server. Done!
ssh -p 2443 localhost
Some captive networks block everything except ports 80 and 443, and some also do packet inspection to make sure that what crosses 443 is actually TLS. VPNs may not work in these situations either. This is just one way to try to get SSH connections through in such an environment: stunnel wraps the SSH session in a real TLS handshake, so to the inspector it looks like any other HTTPS connection. If the network only passes 443, bind the server-side stunnel to 443/tcp instead of 2443 (and change the client's connect= line to match); that port has to be free on the server, so it can't share a host with a web server already listening on 443.