Sharing Campus Resources through SSH Dynamic Port Forwarding (including practical tips)

By 苏剑林 | March 07, 2016

As is widely known, the two most valuable resources of a campus network are: first, IPv6, which is the most ideal way to access websites like Google (though not all universities have IPv6); and second, paper databases. Generally, universities purchase download rights for various databases (CNKI, Wanfang, etc.) for campus users. While there are many ways for off-campus users to access Google, such as VPNs, accessing resources like CNKI is particularly precious. Usually, off-campus users have to ask someone on campus to download papers for them, or they have to pay for them (and it's expensive!).

As the site owner is still a student, I enjoy both IPv6 and the paper databases at school, which is indeed very convenient. Since I started using an OpenWrt router, I have been thinking about how to share these campus network resources. I previously considered setting up a PPTP VPN, but I felt it was slightly complicated (granted, compared to other VPNs, PPTP is very simple, but I still didn't like it much). Furthermore, I hadn't solved the problem of reaching the router from outside the campus network (NAT traversal) at that time. Recently, after using an SSH reverse tunnel to achieve NAT traversal, I realized that SSH dynamic port forwarding can also provide a proxy and thus remote access to internal (campus network) resources. Moreover, almost no configuration is required on the router itself. I must say, SSH is truly an extremely powerful tool.

Adding a Regular Account

Since the goal is sharing, there is no reason to share the root account. Therefore, the first step is to add a proxy account on OpenWrt. For security and privacy, this account should be prohibited from actually logging into the server to perform operations; it should only be allowed for port forwarding.

First, install useradd using the following commands:

opkg update
opkg install shadow-useradd

Once installed, add the guest account using the following command:

useradd guest

Then, edit /etc/passwd. The last line should look something like this:

guest:x:1000:1000::/home/guest:

Complete it as follows:

guest:x:1000:1000::/home/guest:/bin/false

Then add a line to /etc/shells:

/bin/false

With this, the proxy account setup is complete. You can then set its password via passwd guest. This account must be used with ssh -N, that is, without executing any remote command: because its login shell is /bin/false, a normal interactive SSH login will fail, while port forwarding still works.
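The account lockdown above, as an added example that is not part of the original post: shell functions that apply the /etc/passwd and /etc/shells edits idempotently and verify the result. The file paths are parameters, so the functions can be tried on copies before touching the router's real files.

```shell
#!/bin/sh
# Added example: lock a guest account down to `ssh -N` forwarding only.
# Uses only awk/grep/printf so it runs on BusyBox (OpenWrt) as well as a desktop.

# Set the login shell (7th field of the passwd line) of USER in PASSWD_FILE to SHELL.
# Fails (exit 1) if USER has no entry, leaving the file untouched.
set_login_shell() { # set_login_shell PASSWD_FILE USER SHELL
  passwd_file=$1 user=$2 shell=$3
  awk -F: -v OFS=: -v u="$user" -v s="$shell" '
    $1 == u { $7 = s; found = 1 }
    { print }
    END { exit found ? 0 : 1 }' "$passwd_file" > "$passwd_file.tmp" \
    && mv "$passwd_file.tmp" "$passwd_file" \
    || { rm -f "$passwd_file.tmp"; return 1; }
}

# Add SHELL to SHELLS_FILE exactly once (creates the file if it does not exist).
register_shell() { # register_shell SHELLS_FILE SHELL
  grep -qx "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Print the login shell currently recorded for USER.
login_shell_of() { # login_shell_of PASSWD_FILE USER
  awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# Succeed only if USER cannot obtain a shell (/bin/false) and that shell is
# listed in SHELLS_FILE, i.e. the account is good for forwarding and nothing else.
check_forward_only() { # check_forward_only PASSWD_FILE SHELLS_FILE USER
  sh=$(login_shell_of "$1" "$3")
  [ "$sh" = /bin/false ] && grep -qx /bin/false "$2"
}

# Usage on the router (as root), after `useradd guest`:
#   set_login_shell /etc/passwd guest /bin/false
#   register_shell /etc/shells /bin/false
#   check_forward_only /etc/passwd /etc/shells guest && passwd guest
```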

Dynamic Port Forwarding

Dynamic port forwarding means that the SSH client, once connected to the router, opens a SOCKS proxy listening on the local machine. The listener is local, but every request sent to it travels through the SSH connection to the router, which makes the real connection on our behalf and relays the reply back. That proxy is exactly what we need.

In Linux or Mac OS, you can establish a local SOCKS proxy for dynamic port forwarding with just one line of code:

ssh -ND 7070 guest@1.1.1.1 -p 22222 -v

As mentioned before, -N is mandatory. -D specifies the local port on which the SOCKS listener runs (7070 here). The final -v flag turns on verbose mode, which prints the connection activity; without it there is no output at all. (Some people feel uneasy if they don't see any output. ^_^)

After establishing the SOCKS proxy, simply point your browser at it. Be sure to choose SOCKS5, not HTTP. SOCKS4 can also work, but SOCKS4 does not support IPv6, so with SOCKS4 the IPv6 resources will be unreachable. If you use Google Chrome, extensions such as SwitchyOmega, SwitchySharp, or "Smart Proxy" make switching proxies easy. For other browsers, please find your own solutions; as far as I know, all current mainstream browsers allow a SOCKS proxy to be set up easily. To confirm the proxy is in effect, open baidu.com, search for "IP", and check that the address shown is now the remote router's IP.
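The same check from the command line, as an added example that is not part of the original post: bring up the SOCKS tunnel from the ssh -ND command above, compare the public address seen directly with the one seen through the proxy, and shut the tunnel down cleanly. It assumes an OpenSSH client, curl, the guest account from the previous section, and an address-echo service reachable at IP_URL (api.ipify.org is used as an assumption; any service that returns the caller's address works).

```shell
#!/bin/sh
# Added example: start `ssh -N -D`, verify traffic leaves via the router, tear down.
ROUTER=${ROUTER:-guest@1.1.1.1}        # router account; 1.1.1.1 is the post's placeholder
RPORT=${RPORT:-22222}                  # router's SSH port
LPORT=${LPORT:-7070}                   # local SOCKS port
CTL=${TMPDIR:-/tmp}/socks-$LPORT.ctl   # control socket, used for a clean shutdown
IP_URL=${IP_URL:-https://api.ipify.org} # assumption: any "echo my address" service

# -f backgrounds ssh only after the forward is established, and
# ExitOnForwardFailure makes it fail if LPORT is already taken, so a zero
# exit status here means the SOCKS listener really exists on 127.0.0.1:LPORT.
tunnel_up() {
  ssh -f -N -D "127.0.0.1:$LPORT" -p "$RPORT" \
      -o ExitOnForwardFailure=yes -o ControlMaster=yes -o ControlPath="$CTL" \
      "$ROUTER"
}

# Ask the background ssh to exit via its control socket.
tunnel_down() { ssh -S "$CTL" -O exit "$ROUTER" 2>/dev/null; }

# socks5h = SOCKS5 with hostname resolution on the proxy side, which is what
# the text means by "SOCKS5, not SOCKS4": DNS happens on the router, so
# campus-only and IPv6 names are resolved there, not on this machine.
direct_ip()  { curl -s --max-time 10 "$IP_URL"; }
proxied_ip() { curl -s --max-time 10 --proxy "socks5h://127.0.0.1:$LPORT" "$IP_URL"; }

# Succeed only when both lookups returned an address and they differ.
ip_changed() { # ip_changed DIRECT PROXIED
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

main() {
  tunnel_up || { echo "could not open SOCKS listener on $LPORT" >&2; return 1; }
  d=$(direct_ip); p=$(proxied_ip)
  tunnel_down
  if ip_changed "$d" "$p"; then
    echo "ok: direct $d, via router $p"
  else
    echo "proxy not in effect (direct '$d', proxied '$p')" >&2; return 1
  fi
}
# Call main to run the check, e.g.: ROUTER=guest@router.example RPORT=22222 main
```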

In Windows, the second step is the same, but the first step differs. Since Windows does not have a built-in SSH client, you need to download and install one. While many people think of PuTTY when it comes to SSH tools for Windows, there is actually a better command-line version called Plink. Plink's usage and parameters are similar to SSH under Unix, and it is even more convenient in some ways (it can take the login password on the command line for automatic login, whereas SSH cannot unless you install sshpass). With plink.exe, simply run the following command:

plink -N -D 7070 guest@1.1.1.1 -P 22222 -pw 123456 -v

The final -pw parameter specifies the password, assumed here to be 123456. Note that Plink's port option is an uppercase -P.

Why not use PuTTY? Many online tutorials suggest using PuTTY to establish a proxy, but I did not find an option in PuTTY corresponding to the -N mode. Therefore, PuTTY is ineffective in this situation. In fact, many SSH proxies found online disable remote command execution rights using similar methods, leaving Plink as the remaining option.

sshuttle

Finally, another solution for those with an SSH account is sshuttle. This is a VPN program built on SSH that directly implements VPN functionality without requiring manual proxy settings. However, it is based on Python and can only be used on Linux or Mac OS. Interested friends can explore this on their own.

Sharing the Campus Network

At this point, if your browser uses the established proxy, you should be able to access Google, Wanfang, and CNKI normally (if it still doesn't work, try selecting "IP login" on the login page), and you can download papers from the databases for free.

This is truly the most powerful server for scientific web surfing!

SSH is invincible!

For more content, please visit: http://bbs.spaces.ac.cn/topic/show/15