If you cannot use a SSH client to bypass the firewall (403 error, connect command not allowed) you can use GNU httptunnel to bypass the firewall. I personally use httptunnel to bypass TRANSPARENT FIREWALLS.

As an example we forward again the Windows Remote Desktop (port 3389).

We use the same scenario as in the SSH 3 article:
There is a RemoteServer in a large company behind a Firewall. You own the MiddleServer, a public available SSH server. Last but not least there is your Workstation - you want to control the RemoteServer from this machine.

MiddleServer:
Start HTTPtunnel on MiddleServer, forward port 80 (incoming) to local SSH Port:

1
# hts —forward-port localhost:22 80

RemoteServer:
Start HTTPtunnel client, forward local port 900 to MiddleServer port 80 (make sure your Web Server is NOT running!):

1
# htc —forward-port 900 —proxy HTTPProxy:8080 MiddleServer:80

News, 18.10.2006:
———————————-
New w32 package available, change log:
-compiled with latest cygwin1.dll (v1.5.21)
-including latest cvs version
-included debug builds (for stable and cvs build)

Get the updated version: Download GNU httptunnel Windows binaries (v3.3)r2.
Get the old version: Download GNU httptunnel Windows binaries (v3.3).

As GNU httptunnel traffic is not encrypted we create a SSH tunnel in our httptunnel tunnel…:Again we use the same settings for our Putty sessin as in the SSH 3 article:

On the RemoteServer, start a SSH session to the MiddleServer. Change to the “Tunnels Tab” and enter the REMOTE forwarded port:

BUT the SSH server is of course localhost:900 (through the httptunnel).

Now start a session from your Workstation to the MiddleServer:

And now fire-up the Terminal Server Client (mstsc.exe):

Now you control the RemoteServer without change any firewall rules…

Its important that you can use only 1 httptunnel per port! Another Hint: the logging goes to the Windows application log!

IMPORTANT: httptunnel does NOT support NTLM proxy authentification!

Another example:
Server (Linux):

1
# ./hts —no-daemon -D4 —forward-port localhost:22 80

Client (Windows):

1
> htc —no-daemon -D4 -PPROXYSERVER:8080 -F 8888 YOUR-PUBLIC-SERVER:80

When you use debuglevel you migth see those keep-alive messages:

1
2
3
4
5
6
7
8
9
tunnel_write_request: TUNNEL_PAD1
tunnel_read_request:  TUNNEL_PAD1
poll() timed out
tunnel_write_request: TUNNEL_PAD1
tunnel_read_request:  TUNNEL_PAD1
poll() timed out
tunnel_write_request: TUNNEL_PAD1
tunnel_read_request:  TUNNEL_PAD1
poll() timed out

After x seconds, the connection will close and re-establish itself:

1
2
3
4
5
6
7
8
9
10
11
12
13
tunnel_write_request: connection > 300 seconds old
tunnel_write_request: closing old connection
tunnel_out_disconnect: warning: bytes=4278 != content_length=102400
tunnel_out_disconnect: output disconnected
tunnel_out_setsockopts: non-fatal SO_SNDLOWAT error: Protocol not available
tunnel_out_setsockopts: non-fatal SO_SNDLOWAT: 0
tunnel_out_setsockopts: SO_LINGER: onoff=1 linger=2000
tunnel_out_setsockopts: non-fatal TCP_NODELAY: 1
tunnel_out_setsockopts: SO_KEEPALIVE: 1
http_write_request: POST
http://1.2.3.4:80/index.html?crap=1161192374 HTTP/1.1
tunnel_out_connect: output connected
tunnel_write_request: TUNNEL_PAD1

From the httport faq:
Q: When I use SSH (or VNC, or ) over GNU httptunnel, the program locks up after a few minutes (or hours). When I close the program and attempt to reconnect, SSH times out. What’s wrong?
A: Your httptunnel connection has failed on the client end (possibly due to network congestion), but the server end has not recognized that the connection has been lost and won’t allow another connection until the first connection times out. To establish a more stable tunnel, try experimenting with the various options for the htc and hts programs. The following settings seem to work pretty well for me, but your mileage may vary:

1
2
3
hts -S —max-connection-age 20000 -F localhost:22 8890

htc -F 8890 —strict-content-length -B 5k —max-connection-age 2000 -P proxy.mycompany.com:8080 10.1.1.1:8890

Links:
http://www.nocrew.org/software/httptunnel/faq.html (GNU httptunnel faq)
http://www.nocrew.org/software/httptunnel.html (GNU httptunnel home)
http://sebsauvage.net/punching/ (GNU httptunnel how-to)

Share

GNU HTTPtunnel v3.3 Windows Binaries

20 Comments

  • 1 locusok wrote:

    haha thanks

    July 3, 2006 at 08:04 Permalink

  • 2 Thejipster wrote:

    You need to set the HTTP keepalive option in Putty to keep an HTTP session going, otherwise you would loose the connection after a pre-defined timeout interval set by the proxy.

    September 12, 2006 at 20:27 Permalink

  • 3 Lorenzo wrote:

    Don’t know why, but it seems the version of cygwin that comes with the latest openssh does not work along with the one who comes with httptunnel.
    At beginning, i used httptunnel alone and it seemed to work. After that, I tried installing OpenSSH, and then httptunnel began complaining about it having an older version of cygwin1.dll.
    Following the on-screen suggestions, I’ve updated to the latest cygwin from cygwin.com and updated all the .dll to the latest rev..
    Now .. there’s no way to make httptunnel to work: when I launch HTS, it just hangs.
    removing-Reinstalling cygwin does not solve the issue.
    Please, give me some advice, thanks!

    October 11, 2006 at 04:21 Permalink

  • 4 michu wrote:

    you could use openssh and httptunnel in different directories, windows allways looks in the current directory for the dll.

    October 14, 2006 at 13:55 Permalink

  • 5 Lorenzo wrote:

    I fixed the issue (installed on fresh machine) but…
    whenever I use SSH or openvpn (in tcp of course) HTC process dies.. any hint?
    (using the same cygwin1.dll that came with it)

    October 16, 2006 at 02:45 Permalink

  • 6 Michu wrote:

    You could use filemon from sysinternals to check if you miss some files…

    October 16, 2006 at 09:14 Permalink

  • 7 Lorenzo wrote:

    Hi
    I’m sure I’m not missing any file because the HTTPTunnel does actually work, as long as I don’t use it for ‘complex’ traffic like SSH or OpenVPN.
    The process remains alive until I open Putty and connect to the localhost:forwardedport or openvpn (same), at wich point HTC simply disappears from the process list (and the tunnel closes of course..)
    Thanks!

    October 18, 2006 at 03:41 Permalink

  • 8 michu wrote:

    I will release a debug build of htc, this should help to trace some issues

    October 18, 2006 at 09:11 Permalink

  • 9 Lorenzo wrote:

    Thanks for the new build! I’ll try it immediately and I’ll let you know as soon as possibile.
    Again: thanks!

    October 22, 2006 at 23:06 Permalink

  • 10 Lorenzo wrote:

    It seems I had just overlooked the fact that HTTPTunnel does not support NTLM authentication.. and this caused all of the problems.
    A shame, since most firewalls are ISA and they do require NTLM auth.. any chance of having it implemented?
    Thanks again!
    Lo.

    November 19, 2006 at 17:48 Permalink

  • 11 michu wrote:

    You could try to use a NTLM proxy: http://apserver.sourceforge.net/ (old website: http://www.geocities.com/rozmanov/ntlm/). Good luck!

    November 20, 2006 at 10:34 Permalink

  • 12 raleks wrote:

    http://slashstar.com/blogs/dave/archive/2006/11/27/SSH-Tunneling-_2800_on-Windows_2900_-with-OpenSSH-and-Putty-through-an-HTTP-proxy-.aspx

    Just find how to tunneling without HTTP proxy :) Have fun! Thanks to Dave!!

    March 27, 2009 at 13:25 Permalink

  • 13 StarTroll wrote:

    I’m trying to get through my company firewall. Until recently I could just use PuTTY to set-up a connection to my home sshd and everything was fine. But now the proxy’s configuration has been changed. It seems that the proxy blocks the http_connect command. And it also uses NTLM authentication.

    So, I’ve installed CygWin on my WinXP work PC. In CygWin I’ve installed NTLMAPS, which creates a ‘normal’ HTTP proxy. NTLMAPS connects to the company proxy. This sort of transforms the NTLM proxy into a regular one. My plan was to use HTTPTunnel to connect to my home server (running hts) through the NTLMAPS proxy. This way, I can still use HTTPTunnel (which doesn’t understand NTLM) to bypass the http_connect restriction.

    The NTLMAPS proxy works, I can have my Firefox connect through it and receive pages (although it’s slower of course than directly through the company proxy).

    But, like Lorenzo, when I try to have ssh use the hts-htc tunnel, the htc client dies with any error message. Seeing the htc is connected to NTLMAPS, it shouldn’t see the NTLM authentication at all, so I doubt Lorenzo’s conclusion is correct, I fear that there is a different problem.

    Does anyone have an idea?

    May 14, 2009 at 11:31 Permalink

  • 14 Adam wrote:

    Having similar problems trying to connect through an ISA proxy… any chance you could post a link to your Visual Studio project files & Windows source to allow us to debug more fully?

    July 30, 2009 at 15:49 Permalink

  • 15 michu wrote:

    hey adam, there is no vs project file as this is a cygwin port. I guess you have some ntlm issues, you need to authenticate yourself on the isa proxy…

    July 31, 2009 at 18:01 Permalink

  • 16 h3liburton wrote:

    How can I lunch my home server behind restricted firewall and router to Internet use by your HTTP tunnel without touch router and firewall.

    September 6, 2009 at 14:43 Permalink

  • 17 michu wrote:

    … lunch your homeserver?

    October 6, 2009 at 23:00 Permalink

  • 18 miser wrote:

    I personal use super network tunnel, can find it at http://www.networktunnel.net, it’s more easy.

    November 13, 2009 at 03:08 Permalink

  • 19 Martik Panosian wrote:

    Can I use this to bypass the filtering? im in iran

    March 31, 2010 at 05:06 Permalink

  • 20 michu wrote:

    HTTPtunnel itself does NOT encrypt your network traffic - so the answer is NO. But if you use HTTPtunnel with SSH the answer is YES.

    March 31, 2010 at 08:49 Permalink

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*