
Thursday, 25 June 2015

Configuring an SSH tunnel on a Windows server to get through the firewall



Before we start installing and configuring software, you need to find out the following things:

* Your home IP Address
* Your work/school external IP Address

The easiest way to get your IP Addresses is to go to www.whatismyip.com at home and at work. Write down the numbers.

Software
We’re going to be using 2 fairly simple pieces of software: an SSH server and an SSH client.

There are a few flavors of SSH server out there, but we’re going to be using OpenSSH because it’s free. The website for OpenSSH is http://www.openssh.com . But wait! OpenSSH doesn’t run on Windows, unfortunately… But there is a site that ported OpenSSH to Windows, which is what we want: http://sshwindows.sourceforge.net/ .

Download OpenSSH for Windows from http://sshwindows.sourceforge.net . The version I wrote this document with was 3.7.1p1-1. The latest version should work for you, plus it will have fewer security holes.

For the SSH client I recommend using Putty. Putty is a small, single-executable SSH client with the ability to set up a tunnel. The newer versions also support dynamic forwarding, which is essential. It’s possible to use OpenSSH as your client as well as your server, but Putty is much easier to set up and use. Download putty.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html .

Install the SSH Server
The OpenSSH installer comes in a zip file. Unzip the file, then run setupssh.exe. Choose to install both the Client and the Server. It will ask you to install into C:\Program Files\OpenSSH. If you choose to install into a different location, that’s fine, but be aware that I will use the above path in this document.

Configure Windows
OpenSSH for Windows uses Windows’ user database for login authentication. That means you must have a user name and password set up to log in to your home computer. If you don’t, you have 2 choices: 1, set a password on your Windows account, or 2, create a new local account that you will use to log in from SSH. I know a lot of people out there don’t use logins or passwords on their home computer, but if you’re using NT, 2000, or XP, the functionality is there, even if you don’t use it.

There are many different flavors of Windows, with different methods of creating a local user. There’s no way I can cover all of them, but here are a few examples:

To create a new account on your home machine (Windows XP):

* Start Menu, open Control Panel, then User Accounts.
* Click Advanced tab, then the Advanced button.
* Highlight Users, then click Actions, then New User.
* Enter a User name, and a Password twice. I recommend you use a User name and Password that is different than anything you have ever used at work. Obviously, your employer probably knows your password, so there’s no security if you use the same password at home.
* Deselect User must change password at next logon.
* Check Password never expires.
* Click Create.
* Close the windows, close Control Panel.

You should now have a new local Windows user on your home machine. Remember the Login name and password for later.

Configure the SSH Server
We want to configure your SSH server to allow access using a user name and password, and to listen on port 443 instead of port 22.

Why port 443 instead of port 22? In most cases your employer will block almost all outgoing network ports except for port 80 and port 443, which are the 2 ports that web servers run on. I used to tell people to run SSH on port 80 because that’s the standard web server port, but now I recommend you run it on 443. Port 443 is used for encrypted websites, which is what your shunnel traffic will look like as it passes through the firewall. If you have trouble on port 443, try it on port 80 instead. If neither works, you’re probably out of luck.
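A caveat for the defender's side of this paragraph, as an added example that is not part of the original article: a port-based egress filter only sees "TCP to port 443", but a filter that reads the first bytes a client sends can tell an SSH session from real HTTPS, because SSH clients open with a plain-text identification line while TLS clients open with a ClientHello record. The classifier below shows that distinction on constructed sample flows (all addresses and payloads are made up; the function and variable names are mine).

```python
# Added example, not from either of the articles quoted on this page.
# Classifies the opening bytes of a client-to-server TCP stream and flags
# connections whose protocol does not match the destination port.
import re

# SSH identification line per RFC 4253 section 4.2: "SSH-protoversion-softwareversion".
SSH_BANNER = re.compile(rb"^SSH-(?:2\.0|1\.99|1\.5)-")
# Plain HTTP request line: a method token followed by a space.
HTTP_REQUEST = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) ")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent on a new TCP connection."""
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # 2-byte length; the first handshake message type must be 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if SSH_BANNER.match(data):
        return "ssh"
    if HTTP_REQUEST.match(data):
        return "http"
    return "unknown"


# What a defender expects to see on each well-known port.
EXPECTED_ON_PORT = {
    22: {"ssh"},
    80: {"http"},
    443: {"tls-client-hello"},
}


def find_protocol_mismatches(flows):
    """flows: iterable of (client_ip, dst_ip, dst_port, first_bytes).

    Returns a list of (client_ip, dst_ip, dst_port, observed_protocol) for
    connections whose opening bytes do not match the port's expected protocol.
    Ports not listed in EXPECTED_ON_PORT are ignored.
    """
    mismatches = []
    for client_ip, dst_ip, dst_port, first_bytes in flows:
        observed = classify_first_bytes(first_bytes)
        expected = EXPECTED_ON_PORT.get(dst_port)
        if expected is not None and observed not in expected:
            mismatches.append((client_ip, dst_ip, dst_port, observed))
    return mismatches


# Constructed sample payloads (not captured traffic).
# A truncated but well-formed ClientHello: record header (length 43), handshake
# header (ClientHello, length 39), client_version 3.3 (TLS 1.2), a zeroed
# 32-byte random, empty session id and one cipher suite; compression and
# extension fields are omitted.
TLS_SAMPLE = bytes.fromhex("160301002b" "01000027" "0303") + b"\x00" * 32 + bytes.fromhex("0000021301")
SSH_SAMPLE = b"SSH-2.0-PuTTY_Release_0.64\r\n"
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

# Constructed sample flows using documentation address ranges.
SAMPLE_FLOWS = [
    ("10.0.0.15", "203.0.113.10", 443, TLS_SAMPLE),   # normal HTTPS
    ("10.0.0.15", "198.51.100.7", 80, HTTP_SAMPLE),   # normal HTTP
    ("10.0.0.23", "192.0.2.44", 443, SSH_SAMPLE),     # SSH on the HTTPS port
    ("10.0.0.23", "192.0.2.44", 22, SSH_SAMPLE),      # SSH where SSH belongs
]

if __name__ == "__main__":
    for hit in find_protocol_mismatches(SAMPLE_FLOWS):
        print("protocol mismatch: %s -> %s:%d looks like %s" % hit)
```

Run on the constructed flows, only the third one is reported: the same SSH banner on port 22 is normal, and the same port 443 carrying a ClientHello is normal; it is the combination of port and opening bytes that a protocol-aware filter keys on.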

Open Windows Explorer, navigate to C:\Program Files\OpenSSH\etc. Open the file sshd_config using Wordpad. (That’s sshd_config not ssh_config!)

Change the line

#Port 22

to

Port 443

Save the file.
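As an added example that is not part of the original article, here is a fuller sshd_config fragment for the same server. It keeps the port chosen above and restricts logins to a single account; the account name tunneluser is an assumption, so replace it with the Windows account you created. Every directive below exists in the OpenSSH 3.7/3.8 line that sshwindows is built from.

```conf
# Added example sshd_config for the tunnel server (not from the original
# article). Assumes the Windows account created above is named tunneluser;
# replace it with your own account name.

# 443 is the port chosen above; ListenAddress 0.0.0.0 means all interfaces.
Port 443
ListenAddress 0.0.0.0

# Protocol 1 has known weaknesses; the Putty client speaks protocol 2.
Protocol 2

# mkpasswd -l exports every local Windows account into etc\passwd, so
# restrict SSH logins to the one account meant for the tunnel.
AllowUsers tunneluser
PermitEmptyPasswords no
PasswordAuthentication yes

# Give password guessers less time per connection (seconds).
LoginGraceTime 30

# Port forwarding is what the tunnel relies on; leave it enabled.
AllowTcpForwarding yes
```

With AllowUsers in place, the other accounts that mkpasswd copied into etc\passwd cannot be used to log in over SSH even though they appear in the file, which is the check to make after running the two commands in the next section.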

Now open a command prompt. Change to C:\Program Files\OpenSSH\bin. We are going to create a user and group database from your Windows user database. Type the following:

mkgroup -l > ..\etc\group

Then

mkpasswd -l > ..\etc\passwd

These 2 commands will create group and password files in C:\Program Files\OpenSSH\etc

Starting/Stopping the SSH Server
On your home computer, open a command prompt. To start your SSH server, type the following:

net start opensshd

To stop your SSH server, type the following:

net stop opensshd

To make it easy, you can create a .bat file that will run this command. If you make a shortcut to the .bat file in your Windows Startup program group, then when you turn on your home computer in the morning, the server will start up automatically and be ready for you when you get to work.

If you have a wired or wireless router at home (Linksys, D-Link, Netgear, etc)
Some routers call it port forwarding and others call it virtual servers, but the setup is very similar no matter what brand you use. You will need to configure your router to route port 443 to the computer where you’re running the SSH server. I’m not going to go into details, but there is usually a browser-based interface directly to the router, which will have a page to set up virtual servers. Configure it to forward port 443 to your SSH server computer, port 443.

Setup Putty at Work/School
Copy putty.exe to somewhere on your hard drive at work. c:\ will do fine, or anywhere else you want. Your desktop is convenient but kind of obvious. If you don’t have permissions to write files to your hard drive, just copy putty.exe and shunnel.bat to a floppy disk or burn them onto a CD. Take the disk to work and run Putty from the appropriate drive.

Open Notepad and copy the following into it, changing the homeIP part as described below:

putty -D 8080 -P 443 -ssh homeIP

* homeIP should be the IP address of your home machine that you wrote down in the Addresses section above.

Save the file as shunnel.bat in the same directory that you saved putty.exe.

Note for advanced users: If your computer at work is already configured to use a proxy server, you need to configure Putty a little differently, but this may still work.

Open Putty in graphical mode, input your connection setting, and also copy the proxy settings from Internet Explorer to Putty’s proxy configuration screen. Putty should now create a secure tunnel through the proxy at work to your computer at home… pretty neat trick.

Create your tunnel
At work, simply double click shunnel.bat to initiate the shunnel. A Putty window will popup asking for a login name and password. Type the user name and password you created above on the Windows account. If it works, you will be presented with a DOS prompt waiting for a command. This is actually a command prompt to your HOME machine. You can use it if you want, but as long as this command prompt is open, your tunnel is alive. To close the tunnel, type exit or close the window.
from http://www.buzzsurf.com/surfatwork/
-------------------------------------------------
Setting up an SSH Proxy and Spoon proxy tool on your Windows server

We have examined the setup and configuration of Hamachi + Privoxy Proxy Servers. In this article we will examine the setup and configuration of an SSH Proxy Server using Putty and Spoon Proxy.

The following pre-requisites will make things a lot easier:

    Know your home machine’s external IP address. For this, you’ll need either a static IP address from your ISP *or* have a dynamic DNS client installed. For testing purposes, you can view it via http://www.whatismyip.com.
    Give your home workstation a static IP address on your home network. Open up a command prompt and type ‘ipconfig /all’ and note the current IP address, gateway, and DNS servers. Assign your computer a static IP address that is 50 more than its current dynamic IP (that’s a safe bet since most home networks would never have >50 devices connected to it, even if the broadband router has a DHCP scope larger than that). Use the existing gateway & DNS servers.

Doing this involves the following steps:

    Installing an SSH server on your home machine. SSH is an encrypted version of telnet which also allows a function called port forwarding. It’s this port forwarding that allows you to redirect your network traffic through this proxy. SSH will also function as your authentication mechanism, keeping random people from being able to use your machine as a proxy.
    Installing a HTTP/Socks-5 proxy server on your home machine.
    Opening up the SSH port on your home firewall AND in Windows XP’s firewall (if it exists).
    Installing an SSH client with the appropriate port forwarding settings on your client machine (work machine, laptop, etc).
    Configuring each application to talk through the proxy



Step 1: Installing an SSH server on your home machine (or your overseas Windows server)



    Download and install the SSHWindows installer from Sourceforge: http://sourceforge.net/project/showfiles.php?group_id=103886&package_id=111688, accepting all defaults.
    Open up a command prompt (start > run > cmd) and type the following:

    cd\program files\openssh
    mkgroup -l >> etc\group
    mkpasswd -l -u %username% >> etc\passwd
    net start opensshd

    That will create a local ssh user group and give the currently logged-in user the ability to log in (the password will be the same as your Windows login password; if it’s blank, change it to something harder!). It will then start the ssh server service.



Step 2: Installing SpoonProxy, a Windows proxy tool, on your home machine (or your overseas Windows server)

    Download spoonproxy: http://www.pi-soft.com/spoonproxy/index.shtml.
    Launch spoonproxy: Start > All Programs > Spoonproxy > spoonproxy. Spoonproxy’s default configuration works just fine, so just minimize it.



Step 3: Opening up ports in Windows firewall & your broadband router on your home machine (or your overseas Windows server)

    If the Windows XP firewall is enabled, you need to open up the incoming SSH port. To do this, right-click on My Network Places and choose Properties. Now right-click on your primary network card and choose Properties. Go to the Advanced tab and click on Settings under Windows Firewall. Click on the Exceptions tab and then ‘Add Port’. Name: ssh, Port number: 22 (TCP). Click OK.
    Now you must open up the port on your broadband router. To do this, most broadband routers have a web interface. I can’t walk you through this because it’s slightly different on every system. You want to tunnel external port 22 to the (internal) IP address of your home computer port 22.



Step 4: Installing puTTy, a Windows SSH client, on your work computer or laptop (i.e. your client computer)

    Download puTTy: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe.
    puTTy is a free SSH client that is a single executable; there is nothing to install. Save puTTy.exe to your desktop.
    Double-click on puTTy. First, scroll down the left column under Connections > SSH > Tunnels. From here, you need to add three ports to be forwarded. For Source Port, enter 80. For destination, type localhost:8080 then click on add
    Do the same for what you see below: 443, localhost:8081 & 1080, localhost:1080. This forwards http, https, and socks-5.



    Now, go up to the top and click on Session. Under “host name or IP address”, enter your home computer’s external IP address or dynamic DNS name. Under ‘saved sessions’, type in “SSH home” and click on Save. This will save these connection settings for every time you want to connect to your home machine.



To connect, click on Open. You should be asked to accept the server’s SSH host key (choose ‘Accept & Save’). Log in using your home Windows computer’s login and password. You should then see a command prompt. You are now connected and set up to tunnel traffic; you can now minimize (don’t close) puTTy. This session must remain open to proxy your web traffic.



Step 5: Configuring applications to go through the tunnel on your work computer or laptop (i.e. your client computer)

    Firefox: I recommend configuring one browser (such as firefox) to always go through the proxy, leaving your other browser to browse your corporate intranet (or access sites that you do not wish to proxy). Alternatively, you can simply tell firefox for which URLs to not use the proxy. In Firefox, go to Tools > Options > General > Connection Settings. Set up the HTTP and SSL connections as seen here:

You should now be browsing through your home machine. Remember, the speed will be limited to your home machine’s upstream connection (since your home machine is essentially downloading the web page and then re-uploading it to you). If you wish to test that it’s working, go to www.whatismyipaddress.com; the IP address and location should match your home router’s.

AIM and Yahoo both support SOCKS5 proxying. Simply go into the connection settings and enable SOCKS5 proxying: server = localhost, port = 1080 (default)?

From http://pccured.com/headquarters/14/