Tunneling Through the Great Firewall of China Again

Nearly two years ago now, I wrote about tunneling through the Great Firewall of China (GFW). I recently revisited this topic and wanted to give a more detailed walkthrough of the process I took to make everything work.

Before I dive into the “how,” I first wanted to mention why I recommend SSH tunnels over standard VPN connections. There is really only one reason — China likes to mess with VPN connections (e.g.: here and here). By using SSH tunnels, we avoid this known issue with VPN solutions for circumventing the GFW. Additionally, even if China chose to try to prevent SSH tunneling, this would be nearly impossible due to one simple fact: VPN providers are publicly known and use a limited number of IP ranges, whereas your personal SSH server is not publicly known and could be any IP anywhere.

If you are convinced that this is the right approach for your tunneling needs, I highly recommend that you have multiple servers available. You never know when a server will go offline or when the Middle Kingdom will opt to block an IP and you do not want to find yourself stranded with no tunnel available. Redundancy is a must.

PuTTY Configuration

The first step is configuring the various PuTTY connections you plan to use. When setting up accounts on your server(s), I recommend making these accounts highly restricted as they only need to be able to port forward. This can be easily achieved using rbash, as described in Creating a Restricted SSH User for SSH Tunneling Only. Once your servers are set up with appropriate tunnel user accounts, you’ll want to configure your PuTTY settings as follows:

  1. Session: Set the host IP address (not hostname) and port number.
  2. Window -> Behavior: Uncheck “Warn before closing window.”
  3. Connection: Set “Seconds between keepalives” to 30 (or some other number as appropriate).
  4. Connection -> Data: Set “Auto-login username” to the user you’ve set up on the target server.
  5. Connection -> SSH: Check “Don’t start a shell command at all” and “Enable compression.”
  6. Connection -> SSH -> Tunnels: Set “Source port” to 8080, select the “Dynamic” radio button, then click “Add”; you should now have “D8080” listed in the “Forwarded ports” box.
  7. Go back to Session, under “Saved Sessions” type the name you want this configuration saved as and click “Save.”
  8. For each of your remaining servers, change the hostname/port on the Session tab and set the username on the Connection -> Data tab, then re-save with a new name (this avoids repeating all of the above steps for each server).
  9. (Optional) If you are doing this setup for a non-technical friend and cannot be at their computer for some reason, you can configure PuTTY with all of the servers to be used on your machine, then send the configurations to the friend. Unfortunately, PuTTY stores configurations in the registry, making it a bit tricky to access, but I used the export PowerShell script shown here to create a reg file after doing all of the necessary configurations. I then sent the reg file to my friend, who could simply double-click the file to merge the PuTTY settings into their registry.

Once PuTTY is configured, you’ll probably want an easy way to launch PuTTY each time you need to browse. There are many ways to do this, but my solution was a one-line batch file:
start "Proxy" "%~dp0putty.exe" -load hello-china -pw ******

In the above line, “hello-china” should be replaced with the name you saved your server configuration as in step #7 above. If you configured multiple servers, you can just create multiple batch files, one for each configuration. Note that this script expects putty.exe to be located in the same directory as the batch file. If it’s somewhere else, you should modify %~dp0putty.exe accordingly.

Firefox Configuration

As of writing this, Firefox is still the only mainstream browser I know of where SOCKS5 proxying is supported, which is necessary for remote DNS resolution — a requisite for this approach. Since I wrote the first post on this topic, Firefox has made the necessary settings much more accessible, no longer requiring searching through about:config settings.

To enable proxying through your SSH tunnel, perform the following steps:

  1. Launch Firefox, click the top-right button with three horizontal bars and, in the resulting menu, click “Options.”
  2. Go to “Advanced” in the left navigation bar, then click “Network” in the top navigation.
  3. Under the Connection header, click “Settings…”
  4. Select the “Manual proxy configuration” radio button and fill in SOCKS host as “127.0.0.1,” port as “8080,” then check the “Remote DNS” box.
  5. Click OK.

With all of this set up, launch one of your configured SSH tunnels and, in Firefox, visit ipecho.net and verify that your IP is reported as the IP address of the SSH server you are using to proxy connections. Further verify that if you kill your PuTTY connection and try to browse anywhere in Firefox, you get a proxy error.
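As an added example (not code from the original post), here is a PowerShell launcher that replaces the plaintext -pw password in the batch file above with PuTTY’s -i key-file option, waits for the D8080 listener to appear before starting Firefox, and fails loudly if the tunnel never comes up, which automates the “is the proxy actually up?” part of the check just described. It assumes putty.exe sits beside the script, a saved session named hello-china, and a key file path (tunnel-key.ppk) that is a placeholder you would replace.

```powershell
# Added example, not part of the original post.
# Launch a saved PuTTY session as a SOCKS tunnel using key authentication,
# then confirm the local dynamic port is listening before opening Firefox.
param(
    [string]$Session   = "hello-china",                    # saved session from step 7
    [string]$KeyPath   = "$PSScriptRoot\tunnel-key.ppk",   # placeholder path, adjust to your key
    [int]   $LocalPort = 8080                              # matches the D8080 forward
)

# Poll 127.0.0.1:$Port until something accepts a TCP connection or we time out.
function Test-LocalPort {
    param([int]$Port, [int]$TimeoutSec = 20)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect("127.0.0.1", $Port)
            if ($client.Connected) { return $true }
        } catch {
            Start-Sleep -Milliseconds 500   # PuTTY has not bound the port yet
        } finally {
            $client.Dispose()
        }
    }
    return $false
}

$putty = Join-Path $PSScriptRoot "putty.exe"
if (-not (Test-Path $putty))   { throw "putty.exe not found next to this script: $putty" }
if (-not (Test-Path $KeyPath)) { throw "private key not found: $KeyPath" }

# -load reuses everything saved in the session (host, user, D8080, no shell);
# -i supplies the private key, so no password is stored in a launcher file.
$proc = Start-Process -FilePath $putty -ArgumentList @("-load", $Session, "-i", $KeyPath) -PassThru

if (-not (Test-LocalPort -Port $LocalPort)) {
    if (-not $proc.HasExited) { $proc.Kill() }
    throw "No SOCKS listener on 127.0.0.1:$LocalPort after 20s; check the server or try another one"
}

Write-Host "SOCKS tunnel listening on 127.0.0.1:$LocalPort (PuTTY PID $($proc.Id))"
Start-Process "firefox.exe"   # assumes Firefox is resolvable via PATH or App Paths
```

If the key is passphrase-protected, PuTTY prompts for it in its own window, so the port check simply waits until you have entered it. The script only confirms a listener exists; the ipecho.net and kill-the-tunnel checks above still verify that traffic and DNS actually leave through the SSH server.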

And that’s it. Happy browsing!

FFmpeg Supported MIME Types

I’m shocked… Maybe I’m missing some well-hidden FFmpeg flag, but for the life of me I can’t find a way to pull out the supported MIME types.

There are some commands that come sort of close, but not MIME types. For example, ffmpeg -formats will list supported formats, which give a general idea of what types of files can be encoded/decoded, but not MIME types.

After over an hour of googling (I’m really persistent…), I’ve come to the conclusion that a clean solution doesn’t exist. For that reason, I’ve developed my own unclean solution. It’s dirty, but it meets my needs. Maybe someone out there will also find it useful.

The Downside of the WordPress Plugin Directory

One of the most powerful and useful parts of WordPress and other popular CMS software offerings is the seemingly endless number of available plugins to extend functionality in nearly any way you like. WordPress provides the Plugin Directory, where developers can publish their open source plugins free of charge for other users to download and use at no cost. In fact, I’ve contributed to the Plugin Directory with a number of offerings over the years, including Document Gallery, Hello Simpsons Chalkboard Gag, and Prezi Embedder. But, with all this power does come a downside…

As a site owner planning to use one of these plugins, you either have to read every line of code from the plugins you are planning to use (and understand the code enough to spot any possible security vulnerabilities), or you have to trust that the plugin developer has made the code secure. If the developer was careless, your site could quickly be compromised (hacked!).


Removing COM Module from Honeywell UtilityPRO

A few weeks ago, my apartment complex installed new UtilityPRO programmable thermostats in all of the units as part of the CPS Energy Peak Saver program. Quite a convenient little gadget, but a little creepy too. With this thermostat, CPS has the ability to modify the temperature remotely without me knowing. Although I personally couldn’t care less, I spoke with some friends who didn’t like this idea. So that got me thinking — I wonder how difficult it would be to disable this remote access.

A little googling revealed that the thermostat I had was a Honeywell UtilityPRO, which handles remote communication through the ZigBee protocol. With this knowledge in hand, I did what any good computer scientist would do and ripped the damn thing apart (carefully, of course). What follows are the steps that I followed in removing the ZigBee COM module, which in turn disabled any remote communication with the thermostat.


OS-Agnostic Ghostscript Detection

In developing one of my more popular WordPress plugins, Document Gallery, I was faced with a challenge that stumped me for a bit. Recently, some of my users had asked for additional functionality to support auto-generation of thumbnails for the documents in their gallery. These documents could be any number of filetypes, but for this particular post we’ll be discussing PDF thumbnail generation.

PDFs are actually quite simple to thumbnail and the process is well-documented across the web. If I had been content with simply using the PHP Imagick extension to wrap my access to Ghostscript (GS), which does the actual conversion for PDFs, then the process of generating a thumbnail would have been quite straightforward, but I was not content with this solution, the primary reason being inefficiency. The way that Imagick processes PDFs before passing them down to GS is very slow. Thus, I went about setting up a framework to directly execute GS from PHP’s exec(), with Imagick as a fallback in the event that I was unable to find a GS executable.

This all should have been quite simple, but it wasn’t. Accurately finding and executing GS in a platform-agnostic way is actually quite challenging, and surprisingly poorly documented on the web. First, one must determine whether exec() is available. This is quite a convoluted thing to determine in and of itself, but thankfully I found someone else’s solution for this and did not have to develop it myself. Finding the GS executable, however, was another story entirely.

Tunneling Through the Great Firewall of China

Among the things that the People’s Republic of China is known for is the Great Wall of China, however, we tech nerds also associate the country with the Great Firewall of China (GFW). The GFW, officially known as the “Golden Shield Project,” is an ever-growing effort by the Chinese government to implement strict censorship of the Internet content accessible to its citizens. Sites that are or have previously been blocked include Google, Facebook, YouTube, and WordPress, plus many more.

Recently, a friend of mine was planning a trip to China in order to teach an ESL course. In addition to his understandable desire for some level of privacy in his internet access, he also needed access to YouTube in order to do some of the segments in his curriculum. When he asked for recommendations on how best to circumvent the GFW, my first thought was to use a VPN, but, after doing some reading, I discovered that the GFW has added technology in recent years to detect and block IPs associated with VPNs (see here and here).

With a true VPN no longer a reliable option, the next best thing I could think of was to use an SSH tunnel as a VPN alternative. Instructions for running an SSH tunnel on a Windows OS using PuTTY are scattered over the web, including here and here. The “gotcha” that you may well run into (as my friend did), is that you must enable remote DNS lookup, otherwise the URLs you are requesting will be visible to the GFW.

In order to do this, you only need to navigate to about:config in your Firefox browser (unfortunately, no other popular browsers currently support SOCKS5, which is required). In config, search for “dns” and double click on the line called “network.proxy.socks_remote_dns.” Once this value is set, Firefox will resolve all queries through your SSH tunnel, returning the encrypted content for your viewing pleasure.

So that was my experience tangling with the GFW. This great technological wonder is ever-evolving and has begun to defend against VPNs, one of the newer forms of secure access to the web. It is possible that the GFW could also detect and block the SOCKS5 protocol in the future, but for now at least SSH tunnels are still a viable option for tunneling through the GFW.

Accurately Track Your Dynamic IP With Text Messages

A few weeks ago, I posted about how to send SMS messages via command line. Today, as promised, I am going to follow up on that post by providing a practical use for this functionality.

My current setup at home includes a hole in my firewall to allow SSH access to a machine sitting inside of the network. On this machine sit various items that may be useful to me when traveling outside of my home network, including movies, music, and various other files. However, this open SSH hole does me zero good if I don’t know what my machine’s IP is, and I generally would not know since the IP is dynamically allocated by my ISP.

In order to always know where my machine is currently located, it needs to phone home every time the allocated IP changes. In this case, I mean to phone home literally. I have setup this particular machine to regularly check its IP, then, if the IP has changed since it last checked, it will send me a text message with the new IP.
