Archive for March, 2009

SSH tunnel through HTTPS

Thursday, March 12th, 2009

Many people at corporate jobs find themselves behind a firewall that allows outgoing traffic only to destination ports 21 (FTP), 80 (HTTP) and 443 (HTTPS). To reach your home network, the workaround is to run the SSH server at home on port 443 instead of the usual port 22, then use the SSH client to create a tunnel so that arbitrary traffic is sent through your home machine instead of through the firewall.

Some people who are even unluckier find themselves behind a firewall which does layer 7 packet inspection, meaning that traffic outgoing to a destination port of 443 that does not look like HTTPS traffic will be dropped by the firewall.

Fortunately, PuTTY combined with proxytunnel can pass non-HTTPS traffic through this type of firewall. This is accomplished through a “triple-proxy” method: a connection is made through your restrictive corporate proxy to your HTTPS proxy web server at home, an SSH session is then tunneled through that HTTPS connection, and the SSH connection in turn acts as a proxy for the network traffic that is not permitted to pass through the corporate network. All traffic is encrypted and completely unidentifiable by packet inspection as anything other than a normal encrypted HTTPS session.
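How the arrangement described above looks from the corporate proxy's side, as an added example that is not part of the original post: the payload is opaque, but the proxy still records who opened each CONNECT tunnel, to where, and for how long. The log layout, thresholds and host names below are constructed assumptions, and a hit is a lead for review, not proof of a tunnel.

```python
from collections import defaultdict

# Constructed sample in an assumed, simplified proxy log layout:
# epoch duration_s client method target bytes_up bytes_down
SAMPLE_LOG = """\
1236850000 4 10.0.0.21 CONNECT mail.example.com:443 2100 18400
1236850030 6 10.0.0.22 CONNECT mail.example.com:443 1900 22100
1236850100 2 10.0.0.21 GET http://intranet.example.com/ 400 9100
1236850200 14400 10.0.0.23 CONNECT home.example.net:443 5200000 48100000
1236850300 3900 10.0.0.21 CONNECT mail.example.com:443 90000 700000
1236850400 5 10.0.0.22 CONNECT shop.example.org:443 1500 30200
not a log line
"""

LONG_SESSION_S = 3600  # assumed threshold: tunnels held open an hour or more
MAX_CLIENTS = 1        # assumed: destination contacted by a single client


def parse(line):
    """Return a record dict, or None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 7 or not all(parts[i].isdigit() for i in (0, 1, 5, 6)):
        return None
    ts, dur, client, method, target, up, down = parts
    return {"client": client, "method": method, "target": target,
            "duration": int(dur), "bytes": int(up) + int(down)}


def find_tunnel_candidates(log_text, long_s=LONG_SESSION_S, max_clients=MAX_CLIENTS):
    """Long-lived CONNECT sessions to :443 destinations that few clients use."""
    clients_by_target = defaultdict(set)
    long_sessions = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if not rec["target"].endswith(":443"):
            continue
        clients_by_target[rec["target"]].add(rec["client"])
        if rec["duration"] >= long_s:
            long_sessions.append(rec)
    # Popular HTTPS sites are reached by many clients; a personal server is not.
    return [(r["client"], r["target"], r["duration"], r["bytes"])
            for r in long_sessions
            if len(clients_by_target[r["target"]]) <= max_clients]


if __name__ == "__main__":
    for hit in find_tunnel_candidates(SAMPLE_LOG):
        print("review:", hit)
```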