Thread: [HowTo] ssh to wl-500g under corporate proxy

  1. #1
    Join Date
    Apr 2004
    Location
    Adelaide, Australia
    Posts
    88
    Quote Originally Posted by kiewer
    3. Change (add) iptables rules to redirect all incoming on port 443 traffic to port 22.
    An easier way to do this is to tell dropbear to listen on both port 22 and port 443 (using the "-p 22 -p 443" command line switches), and then just open the firewall to accept connections from the WAN on port 443.

    -- Rod

  2. #2
    Quote Originally Posted by rwhitby
    An easier way to do this is to tell dropbear to listen on both port 22 and port 443 (using the "-p 22 -p 443" command line switches), and then just open the firewall to accept connections from the WAN on port 443.

    -- Rod
    I don't understand. Why not just listen on port 22 and modify the INPUT chain to accept connections from the WAN on port 22? Why must we bother with port 443 at all?

    Cheers

  3. #3
    Join Date
    Apr 2004
    Location
    Adelaide, Australia
    Posts
    88
    Quote Originally Posted by mctiew
    I don't understand. Why not just listen on port 22 and modify the INPUT chain to accept connections from the WAN on port 22? Why must we bother with port 443 at all?

    Cheers
    Corporate proxies often don't pass port 22, but do pass port 443 (for HTTPS traffic). That's what this thread is all about, right?

    So people want external access to be on port 443, but LAN access to still be on port 22.

    -- Rod

  4. #4
    Quote Originally Posted by rwhitby
    Corporate proxies often don't pass port 22, but do pass port 443 (for HTTPS traffic). That's what this thread is all about, right?

    So people want external access to be on port 443, but LAN access to still be on port 22.

    -- Rod
    That being the case, why pick 443? Should just pick a big obscure number instead of 443, for example 22443.

    Cheers

  5. #5
    Join Date
    Apr 2004
    Location
    Adelaide, Australia
    Posts
    88
    Quote Originally Posted by mctiew
    That being the case, why pick 443? Should just pick a big obscure number instead of 443, for example 22443.

    Cheers
    Because usually port 80 and port 443 are *all* that the corporate firewall proxy passes.

    -- Rod

  6. #6
    Join Date
    Mar 2005
    Location
    Germany
    Posts
    16
    Quote Originally Posted by rwhitby
    An easier way to do this is to tell dropbear to listen on both port 22 and port 443 (using the "-p 22 -p 443" command line switches), and then just open the firewall to accept connections from the WAN on port 443.

    -- Rod
    Just didn't know that. Thanks.

  7. #7
    So if I understand correctly, this approach would create a SSH-"tunnel" from a client pc in the corporate LAN, through port 443 (designated to traverse HTTPS connections) into the WL500G router, using PuTTY (or alike).

    Now I wonder: I have read several statements that you can use a SSH-"tunnel" to route VNC traffic.

    If I want to use a tunnel to a pc at home (192.168.1.15) which is running behind my WL-500G router (192.168.1.1), would I need to apply something like this in post-firewall?:

    Code:
    iptables -D INPUT -j DROP
    iptables -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -j ACCEPT
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.15:22
    iptables -A INPUT -j DROP
    How can I use VNC to connect to a remote pc behind the WL-500G router, using a SSH-"tunnel" that is opened with PuTTY?

  8. #8
    Join Date
    Mar 2005
    Location
    Germany
    Posts
    16
    Quote Originally Posted by ikerstges
    So if I understand correctly, this approach would create a SSH-"tunnel" from a client pc in the corporate LAN, through port 443 (designated to traverse HTTPS connections) into the WL500G router, using PuTTY (or alike).
    No, it doesn't create an ssh-tunnel. This is a simple port redirection. Unfortunately I can't explain more about ssh-tunnels, because I never did it.

  9. #9
    Join Date
    Feb 2004
    Posts
    103
    The tunneling is very easy, but it is done not on the router side but on the client side.

    In putty (ssh client) go to the SSH->Tunnel tab

    the source port is the port you want to connect to locally

    so in your case you want to do
    sourceport: 5900
    destination: 192.168.1.15:5900
    if you run vnc on a different port than 'display:0' then the 5900 becomes more
    e.g. display 3 = port 5903
    Last edited by erik_bies; 11-02-2006 at 01:07.

  10. #10
    I hope somebody will please bear with me here?!..

    I connect from the corporate office to my home LAN.

    I am able to SSH to my wl500g now. For that, I have changed my post-firewall so it forwards WAN connections that are coming in on port 443 to port 22 for SSH.

    To SSH to the wl500g, I enter in PuTTY:
    Connection/Proxy: HTTP with corporate browser proxy name and portnumber.
    Session: Protocol=SSH, Host name=TestMyLogin.dyndns.org and Port=443

    This opens the connection and I'm able to enter username and password.

    Now I try to enter the tunnels information as informed in previous post for a VNC connection to a pc in my home LAN. I have entered:
    Connection/SSH/Tunnels: Source port= 5900, Destination= 192.168.1.15:22:5900.
    I clicked on 'add' to add this tunnel information to the PuTTY session. With this added tunnel to the session, I'm able to login on my wl500g.

    But now:
    I run VNC-viewer and try to open a connection to 'localhost', but this gives a timeout. I also tried run VNC-viewer and open a connection to TestMyLogin.dyndns.org (as I'm not sure how to understand this connection over SSH-tunnel) and again: timeout. GRRRrrrr....

    Do I need to change the tunnel-destination to run on 443 instead of 22 in the Connection/SSH/Tunnels in PuTTY?
    To what host do I connect VNC-viewer when running a connection over the ssh-tunnel?
    Last edited by ikerstges; 08-02-2006 at 08:14.

  11. #11
    Google is my best friend, I got it working..

    The tunnel setup in PuTTY needs to be set as: Source port= 5900, Destination= 192.168.1.15:5900 and have VNC-viewer connect to localhost on my pc at the corporate network.

    (Mind: without the :22 that I had in previous posts!)

    I'm a happy camper now!
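
The working setup from posts #9 to #11, expressed as an OpenSSH command line instead of PuTTY dialogs; this is an added example, not part of the original thread. The proxy address `proxy.example.corp:8080`, the user `admin`, and the use of OpenBSD `nc` as the HTTP CONNECT helper are assumptions.

```shell
#!/bin/sh
# Added example: builds (but does not run) the ssh command matching the PuTTY tunnel.
# Constructed placeholders, not from the thread: proxy.example.corp:8080, user "admin".

# VNC display N listens on TCP port 5900+N (display 3 -> 5903, as in post #9).
vnc_port() {
    case "$1" in
        ''|*[!0-9]*) echo "bad display: $1" >&2; return 1 ;;
    esac
    echo $((5900 + $1))
}

# Accept only "host:port". Rejects "192.168.1.15:22:5900", the mistake from post #10.
valid_dest() {
    d_host=${1%%:*}
    d_port=${1#*:}
    [ "$d_host" != "$1" ] || return 1        # no colon at all
    [ -n "$d_host" ] || return 1
    case "$d_port" in
        ''|*[!0-9]*) return 1 ;;              # empty, or holds ':' or other non-digits
    esac
    [ "$d_port" -ge 1 ] && [ "$d_port" -le 65535 ]
}

# Args: router host, proxy host:port, LAN host, VNC display, ssh user.
build_tunnel_cmd() {
    vport=$(vnc_port "$4") || return 1
    valid_dest "$3:$vport" || { echo "bad destination: $3:$vport" >&2; return 1; }
    valid_dest "$2" || { echo "bad proxy: $2" >&2; return 1; }
    # Binding to 127.0.0.1 keeps the forwarded VNC port unreachable from
    # other hosts on the office LAN; only the local viewer can use it.
    printf 'ssh -p 443 -o "ProxyCommand=nc -X connect -x %s %%h %%p" -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$2" "$vport" "$3" "$vport" "$5" "$1"
}

build_tunnel_cmd TestMyLogin.dyndns.org proxy.example.corp:8080 192.168.1.15 0 admin
```

With the printed command running, the VNC viewer connects to `localhost:5900`, the same endpoint post #11 ends up using.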
