i need help with es-sh over wabsoket over see-dee-yen #171
Comments
|
I also used WebSockets to circumvent censored internet (when all obviously encrypted connections like TLS or SSH failed) by tunneling them through Websocat. On VPS, run the following: On client, run this: For tunneling Wireguard you should use If you use Nginx or Caddy or other reverse web proxy on the VPS, you can forward some URLs to Websocat (or multiple instances of Websocat) using rules like this. This way Note that Websockets are not designed for obfuscation and would only superficially mask connection signatures (and the data is scrambled only in one direction). If it used against some sophisticated solution like Golden Shield, expect it to not work or work only for a short time. The more people use this method and the data you transfer that way, the more you are exposed to the ban possibility. You may want to deploy a dedicated solution like shadowsocks. |
|
You can outsource the TLS part from Websocat a command line tool. Client Websocat would just spawn a process instead of doing TCP or TLS itself. See this section of moreexamples.md for examples. It assumes you can already can reach some HTTP-esque endpoint on your VPS and just need to bend it into forwarding SSH for you. |
Superficially it looks like an incoming WebSocket connection with SSH data inside, but there are a number of deviations from the standard protocol:
So it is not a WebSocket or HTTP connection, it is just plain SSH connection, but with preambles masking it for WebSocket establishment. |
Command line I mused about was about the client side.
What is Netmod? If it makes connections similar to the traffic dump attached above (i.e. not really WebSocket connections, just TCP connections with some HTTP-esque WebSocket-esque introduction messages) then Websocat may be not the tool to use, at least without some modifications. Maybe you can run Netmod in some server mode on your VPS? Is there a traffic dump from your VPS during the attempt to connect to Websocat can aid this scheme: But as a first step you probably want to ensure you can e.g. configure a website on your VPS and access it in a secure way (i.e. without exposing SNI) from your client. Then, when you can access your own website, your can a pair of Websocats to add additional function to the website: tunneling SSH for you. The scheme would look like this: |
Here I see proper WebSocket establishment headers and server accepting a WebSocket connection. However, instead of WebSocket frames, client sends raw, plain SSH data. Server replies with the data once, but connection is stuck or interrupted because of invalid incoming data (expected: websocket frames, got: raw data).
So netmod is just prepending static fixed header before the data, i.e. using WebSocket negotiation as if it were some HTTP CONNECT request. This is not Websocat expects, Websocat expects the data itself to be also transformed a bit (packed into WebSocket frames). If needed Websocat can be configured to just to that step (without HTTP negotiation at all).
Both PuTTY and Websocat are available on Windows. If you combine them, then the only missing link would be that "only with netmod i can mask SNI".
What do you mean by SOCKS proxy? That Netmod can act as a SOCKS proxy or be a SSH client? Or that after connecting to SSH, Netmod offsers SOCKS proxy that routes traffic though SSH (that is port forwarding). You probably need to investigate what Netmod does and how exactly it masks SNI.
Just created another simple tool: tcpprepend. Maybe it would be compatible with that Netmod thing you use as a client. Suggested server command line: |
BK8000L
changed the title
|
Hi @BK8000L , please I need your help We have the same requirement, I also have limited access to cloudflare cdn and I also use https://sshocean.com/sshwebsocket and i have access to these servers via cloudflare cdn using HTTP CUSTOM I have my own VPS also, please with @vi 's response to your questions, do you now understand how to implement such functionality? I want to use my own VPS also I can't see your questions, seems you've deleted them, I can only see VI's response to your questions Thanks in advance 🙏🏽 |
basically its bypassing internet censorship , netmod create HTTP connection with HTTP header something like this myvpsserver is configured to receive ssh connection on port 80 and then net mod creates a sock proxy on port 1080 while xxx.ap-southeast-3.compute.amazonaws.com or any cloudflare hosted host is a government-white-listed website (not blocked by government) and has websocket enabled natively |
|
Thanks @antnb for your contribution, I now understand how that works But that's for ssl/tls method, what about ssh + ws without tls? It uses port 8880 on the sni and the HTTP header is something like: How do I go about setting my vps up in this scenario? |
it depends on your client software, there is no ssl/tls in tcpprepend, you should add it if you need it by yourself with nginx or stunnel |
|
Thanks @its0ka, yea Telegram would be better. I'll do that just now |
I live in a country with internet censorship, all my vps/proxy servers are not accessible from here, but I have limited access to cloudflare cdn. i came across this https://sshocean.com/sshwebsocket and i have access to these servers via cloudflare cdn using opentunnel(android), netmod(pc) program. But these servers are constantly overloaded, I would like to use my vps and your websocket tool.
Using a PC with full internet access and a wireshark, I tried to analyze what is used in sshocean, but could not figure it out. I am attaching a traffic dump with a successful ssh connection to the sshocean server. Can you understand it and can your tool do the same?
The text was updated successfully, but these errors were encountered: