| skipped 178 lines |
179 | 179 | | ### SSH SOCKS proxy |
180 | 180 | | |
181 | 181 | | |
182 | | - | OpenSSH has a built-in SOCKS proxy. If you run an SSH server on the |
183 | | - | tunnel server, you can use dnstt to tunnel the SSH connection, the SSH |
184 | | - | server will proxy connections for you. Let's assume you have the SSH |
185 | | - | details configured so that you can run `ssh tunnel-server` on the tunnel |
186 | | - | client. Make sure `AllowTcpForwarding` is set to `yes` (the default |
187 | | - | value) in sshd_config. |
| 182 | + | OpenSSH has a built-in SOCKS proxy, which makes it easy to add a SOCKS |
| 183 | + | proxy to a server that already has sshd installed. |
| 184 | + | |
| 185 | + | On the server, make a localhost SSH connection, using the `-D` option to |
| 186 | + | open a SOCKS listener at port 8000. Then configure the tunnel server to |
| 187 | + | forward incoming connections to port 8000. Have the tunnel client listen |
| 188 | + | on its own local port 7000. |
| 189 | + | |
| 190 | + | ``` |
| 191 | + | tunnel-server$ ssh -N -D 127.0.0.1:8000 -o NoHostAuthenticationForLocalhost=yes 127.0.0.1 |
| 192 | + | # Enter the password of the local user on tunnel-server |
| 193 | + | tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000 |
| 194 | + | ``` |
| 195 | + | |
| 196 | + | ``` |
| 197 | + | tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
| 198 | + | tunnel-client$ curl --proxy socks5h://127.0.0.1:7000/ https://wtfismyip.com/text |
| 199 | + | ``` |
| 200 | + | |
| 201 | + | The above configuration, by locating the SOCKS client port on the |
| 202 | + | server, makes a SOCKS proxy that can be used by anyone with access to |
| 203 | + | the DNS tunnel. Alternatively, you can make an SSH SOCKS proxy for your |
| 204 | + | own private use, with the SSH connection going through the tunnel and |
| 205 | + | the SOCKS client port being located at the client. |
| 206 | + | |
| 207 | + | Let's assume you have the SSH details configured so that you can run |
| 208 | + | `ssh tunnel-server` on the tunnel client. Make sure `AllowTcpForwarding` |
| 209 | + | is set to `yes` (the default value) in sshd_config. Run the tunnel |
| 210 | + | server and have it forward directly to the SSH port. |
188 | 211 | | |
189 | 212 | | ``` |
190 | 213 | | tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:22 |
191 | 214 | | ``` |
192 | 215 | | |
193 | | - | The `HostKeyAlias` ssh option lets you connect to `tunnel-server` as if |
194 | | - | it were located at 127.0.0.1:2222. Replace `tunnel-server` with the |
| 216 | + | Run the tunnel client with the local listening port at 127.0.0.1:7000. |
| 217 | + | The `HostKeyAlias` ssh option lets you connect to the SSH server as if |
| 218 | + | it were located at 127.0.0.1:8000. Replace `tunnel-server` with the |
195 | 219 | | hostname or IP address of the SSH server. |
196 | 220 | | |
197 | 221 | | ``` |
198 | | - | tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:2222 |
199 | | - | tunnel-client$ ssh -N -D 127.0.0.1:7000 -o HostKeyAlias=tunnel-server -p 2222 127.0.0.1 |
| 222 | + | tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:8000 |
| 223 | + | tunnel-client$ ssh -N -D 127.0.0.1:7000 -o HostKeyAlias=tunnel-server -p 8000 127.0.0.1 |
200 | 224 | | tunnel-client$ curl --proxy socks5h://127.0.0.1:7000/ https://wtfismyip.com/text |
201 | 225 | | ``` |
202 | 226 | | |
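Review bot: the `AllowTcpForwarding` requirement stated only in the second configuration ("Make sure `AllowTcpForwarding` is set to `yes`") applies equally to the first one: `ssh -N -D 127.0.0.1:8000 -o NoHostAuthenticationForLocalhost=yes 127.0.0.1` is dynamic port forwarding against the server's own sshd, and with `AllowTcpForwarding no` the SOCKS listener still opens but every proxied connection is refused with an "administratively prohibited" error. Suggest moving that sentence up into the introductory paragraph ("OpenSSH has a built-in SOCKS proxy, which makes it easy ...") so it covers both setups. Two smaller points on the first block: `ssh -N` stays in the foreground, so the following `tunnel-server$ ./dnstt-server ...` line cannot be typed in the same shell as the `# Enter the password` comment suggests; either add `-f` (background after authentication) or say the two commands run in separate terminals. And `NoHostAuthenticationForLocalhost=yes` is appropriate only because that connection never leaves the host; a one-line remark to that effect would stop readers from carrying the option over to the second configuration, which relies on `HostKeyAlias=tunnel-server` to verify the real server's host key through the tunnel.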
| skipped 144 lines |