How to create SSH tunnel through HTTPS or other method?

I have a machine (Windows 10) behind a very restrictive firewall where connecting to a public server's SSH on port 80, 443, 53, etc. just doesn't work. Putty/Kitty say "Software caused connection abort". That machine also has something like 3 AVs installed, and the user has no admin rights.

I assume there's a way to connect to the public server "emulating" an HTTPS connection. That way I can do port forwarding and be able to reach a server within the machine's internal network.

However, most tutorials I find online are about having others connect to the machine (like, to publish a website or connect to it using VNC). What I want to achieve is the other way around: connect to the public server so I can enable port forwarding, and then on the other side, with my home computer, I'd connect to the public server and make a tunnel too.

I.e.: My Home connections to the SSH server VPS:22 at the internal port VPS:5000 would go through the HTTPS connection that Firewalled initialized at VPS:443, listening at VPS:5000, creating a local tunnel at Firewalled:4200 that would go to 10.0.0.1:80 - where this is a machine inside Firewalled's network.

Since I can't connect directly to Firewalled, I need it to initiate the connection instead, create a reverse tunnel, and then be able to use it. I used to do this some years ago, but this firewall seems to crash SSH connections at any port (unless maybe I try to masquerade them or something inside an HTTPS packet).

Basically I want to do this:


Explained here:

Except that in my case, Office PC can't initiate any connection to bserver.outside.com because plain SSH packets don't seem to be able to go through the firewall in raw format.

Any pointers are greatly appreciated!

1 Answer

If your firewall filters ssh packets no matter what port they use, then you can't use an ssh tunnel. So instead of an ssh tunnel, you must use some other kind of tunnel. Preferably a kind of tunnel that will go through your firewall.

There are probably multiple solutions for that, but one candidate is the Secure Socket Tunneling Protocol (SSTP). For the firewall, this tunnel will look very similar to normal HTTPS traffic. This has the additional advantage that you don't need an extra client for it on Windows, it is one of the protocols you can select when you ask Windows to establish a VPN connection.

So you need to run the corresponding server on bserver.outside.com. An open source solution for that is SoftEther VPN.

Note that this will route your complete internet connection through your server, and make your office network vulnerable to attacks from the outside, as you are bypassing the firewall. So this will not only violate your office network policies, it will get you into deep trouble should anything happen because of that.
