Tunneling Through the Great Firewall of China Again

Nearly two years ago now, I wrote about tunneling through the Great Firewall of China (GFW). I recently revisited this topic and wanted to give a more detailed walkthrough of the process I took to make everything work.

Before I dive into the “how,” I first wanted to mention why I recommend SSH tunnels over standard VPN connections. There is really only one reason — China likes to mess with VPN connections (e.g.: here and here). By using SSH tunnels, we avoid this known issue with VPN solutions for circumventing the GFW. Additionally, even if China chose to try and prevent SSH tunneling, this would be nearly impossible due to one simple fact: VPN providers are publically known and a limited number of IP ranges, your personal SSH server is not publically known and could be any IP anywhere.

If you are convinced that this is the right approach for your tunneling needs, I highly recommend that you have multiple servers available. You never know when a server will go offline or when the Middle Kingdom will opt to block an IP and you do not want to find yourself stranded with no tunnel available. Redundancy is a must.

PuTTY Configuration

The first step is configuring the various PuTTY connections you plan to use. When setting up accounts on your server(s), I recommend making these accounts highly restricted as they only need to be able to port forward. This can be easily achieved using rbash, as described in Creating a Restricted SSH User for SSH Tunneling Only. Once your servers are setup with appropriate tunnel user accounts, you’ll want to configure your PuTTY settings as follows:

  1. Session: Set the host IP address (not hostname) and port number.
  2. Window -> Behavior: Uncheck “Warn before closing window.”
  3. Connection: Set “Seconds between keepalives” to 30 (or some other number as appropriate)
  4. Connection -> Data: Set “Auto-login username” to the user you’ve setup on the target server.
  5. Connection -> SSH: Check “Don’t start a shell command at all” and “Enable compression.”
  6. Connection -> SSH -> Tunnels: Set “Source port” to 8080, select “Dynamic” radio button, then click “Add”; you should now have “D8080” listed in the “Forwarded ports” box.
  7. Go back to Session, under “Saved Sessions” type the name you want this configuration saved as and click “Save.”
  8. For each of your remaining servers, change the hostname/port on Session tab and set the username on the Connection -> Data tab, then re-save with a new name (this avoids repeating all of the above steps for each server).
  9. * If you are doing this setup for a non-technical friend and cannot be at their computer for some reason, you can configure PuTTY with all of the servers to be used on your machine, then send the configurations to the friend. Unfortunately, PuTTY stores configurations in the registry, making it a bit tricky to access, but I used the export PowerShell script show here to create a reg file after doing all of the necessary configurations. I then sent the reg file to my friend, who can simply double click the file to merge the PuTTY settings into their registry.

Once PuTTY is configured, you’ll probably want an easy way to launch PuTTY each time you need to browse. There are many ways to do this, by my solution was a one-line batch file:
start "Proxy" "%~dp0putty.exe" -load hello-china -pw ******

In the above line, “hello-china” should be replaced with the name you saved your server configuration as in step #7 above. If you configured multiple servers, you can just create multiple batch files, one for each configuration. Note that this script expects putty.exe to be located in the same directory as the batch file. If it’s somewhere else, you should modify %~dp0putty.exe accordingly.

Firefox Configuration

As of writing this, Firefox is still the only mainstream browser I know of where SOCKS5 proxying is supported, which is necessary for remote DNS resolution — a requisite for this approach. Since I wrote the first post on this topic, Firefox has made the necessary settings much more accessible, no longer requiring searching through about:config settings.

To enable proxying through your SSH tunnel, perform the following steps:

  1. Launch Firefox and go click the top right button with three horizontal bars and in the resulting menu click “Options.”
  2. Go to “Advanced” in the left navigation bar, then click “Network” in the top navigation.
  3. Under the Connection header, click “Settings…”
  4. Select the “Manual proxy configuration” radio button and fill in SOCKS host as “127.0.0.1,” port as “8080,” then check the “Remote DNS” box.
  5. Click OK.

With all of this setup, launch one of your configured SSH tunnels and in Firefox visit ipecho.net and verify that your IP is reported as the IP address of the SSH server your are using to proxy connections. Further verify that if you kill your PuTTY connection and try to browse anywhere in Firefox you get a proxy error.

And that’s it. Happy browsing!

1 thought on “Tunneling Through the Great Firewall of China Again”

  1. Very interesting. Other places I’ve read users were saying this wasn’t possible, but your explanation of VPN vs personal SSH makes sense. Thanks for the share~


    Sam Smith
    Technology Evangelist and Aspiring Chef.
    Large file transfers made easy.
    http://www.innorix.com/en/DS

Leave a Reply