2

I'm trying to establish a connection between my laptop and a workstation that's sitting behind a SOCKS/HTTP proxy server and which I have no access to, or possibility of configuring the router. At the very least I would need to connect w/ SSH, an if possible with VNC protocol as well.

From what I've gathered (there is plenty of info on the opposite connection though - accessing a machine from behind a Firewall or Proxy server), I would need to use tunneling over HTTP to achieve this, but every attempt I tried failed. I know the address and port of the proxy server, but that's about it. The workstation is also using a dynamic IP within the network, but since I have no way to configure port forwarding on that network, I'm limited to HTTP and HTTPS ports (80 and 443).

I've set up dynamic DNS (ddclient with No-IP) on the workstation, and I'm first trying to test if I can "see" the workstation from outside the network:

telnet myworkstation.ddns.net 443
    Trying 192.168.197.8...

Which makes me believe the dynamic DNS is properly set up (the IP is indeed correct). I've seen some docs recommending proxytunnel over corkscrew for the tunneling, but when I try

proxytunnel -p <socks_addr>:<socks_port> -P <user>:<pw> -d myworkstation.ddns.net:443

I get error: Socket read error. If instead I attempt to use corkscrew to tunnel SSH:

ssh -o ProxyCommand='corkscrew <socks_addr> <socks_port> myworkstation.net 443' usar@my-workstation

I get kex_exchange_identification: Connection closed by remote host and Connection closed by UNKNOWN port 65535.

What exactly am I missing here? (Using Ubuntu on both machines)

EDIT:

I've noticed that from behind the proxy server / within the remote network, I'm able to actually get

ssh -o ProxyCommand='corkscrew <socks_addr> <socks_port> myworkstation.net 443' usar@my-workstation

to work. This by itself does not achieve my goal of accessing this workstation externally, but luckily there is already a VPN server provided that I use to authenticate into the network, and then ssh into the workstation. (I still need the proxy here because I get assigned an IP on a different subnet than the workstation's).

Still, while tinkering I noticed that there are actually two (at least) proxy servers available (the organization documentation is rather poor on this regard and I'm by no means an expert on this stuff)

One is a SOCKS5 server that I can ping from outside the network, the other is the proxy server which I use to ssh into the workstation but I can't "see" from the internet.

So I'm assuming I would need to chain both proxy servers in order to directly access the workstation with a single ssh call? Where exactly would I authenticate with the remote network?

joaocandre
  • 643
  • 6
  • 11
  • 22
  • About "I would need to use tunneling over HTTP to achieve this": see [this answer](https://superuser.com/a/1213778/432690) and make sure the proxy you want to use supports CONNECT. Note the following citation: "Not all HTTP proxy servers support this feature, and even those that do may limit the behaviour". Example where CONNECT was not supported: [here](https://superuser.com/q/1198315/432690). Note in this example GET worked, but to tunnel an arbitrary protocol you need CONNECT. – Kamil Maciorowski Aug 31 '22 at 15:48
  • @KamilMaciorowski updated my question – joaocandre Aug 31 '22 at 15:58
  • @KamilMaciorowski how would I check if the proxy server supports CONNECT? – joaocandre Aug 31 '22 at 16:00
  • I guess by trying a tool that explicitly uses CONNECT. Unfortunately we're on the edge of my expertise, so I cannot help you further at the moment. Anyway, your question is now substantially better than it was; you may want to improve it more by specifying the OS. – Kamil Maciorowski Aug 31 '22 at 16:07
  • Try a port scan both from the machine that should be running the server on port 443, and try a command like lsof on it too to see if anything is running(though it would if the port scan showed it open). And then see if port 443 looks open from another machine by doing a port scan from some machine to that machine that should have port 443 open. I don't think i've tried a setup like you described.. only did something vaguely similar well over a decade ago – barlop Aug 31 '22 at 16:15
  • @joaocandre "how would I check if the proxy server supports CONNECT? " <-- I supppose you could get some familiarity with what it's doing by looking at it in wireshark , i've done that before .. I even entered CONNECT before long ago on a raw connection with the telnet command. Looking at it in wireshark helps to know a bit what's going on, which is useful. And isn't tons of detail – barlop Aug 31 '22 at 16:18
  • At this stage I'm fairly certain CONNECT is supported, as I was able to ssh into the workstation from *within* the network, but from a different subnet (I've updated my question with some more information) – joaocandre Aug 31 '22 at 22:36

0 Answers0