July 27

Why I Use an Onion To Bypass Restrictive Firewalls (and How I Do It)

Tor logo

10 a.m. of a very cold Tuesday morning.

I usually don’t come out of my home office but today I said to myself: “Myself, you should go out more.”

So I decide to go to a public library to work on some research. I get to use free WiFi there so I turn on my laptop and prepare to get going with my research.

Some of my files are on a server to which I usually connect via SSH, some are on emails.

I am able to browse a few internet pages before I start to realize something is slightly off…

I try to check my email through Evolution – an email client… Connection timed out.

I try to connect to the SSH server… Same thing…

SSH timeout
SSH? sdf.org? To know more, you can pay them a visit on http://sdf.org.

I fire up nmap to confirm my suspicions.

Yep. The firewall is blocking a few ports

What is it with the blockade?

I understand that institutions have to exercise some sort of control over what services people use but, come on, SSH and email services?

Yes. Censure is alive and well, I guess. Thank you for asking.

You see? I believe that there should be no restriction on knowledge and information if it is for socially acceptable purposes -like accessing your own, for example. I don’t believe in Security through Obscurity, let alone by forbidding people access to services that otherwise would be perfectly admissible.

Enter The Onion

On the same line, I believe that it is a safer approach to open source security. It is thanks to people joining forces to create -to develop- that we also have come with some interesting Open Source programs. The Onion Router is one of them. But most people know it simply by the initials: Tor.

Tor is an anonymity and an “effective censorship circumvention” tool that relays all your internet communications to other computers and bounces them all over the world while encrypting them in multiple, nested layers at the application level -like an onion- making them practically untraceable.

In addition, it uses the popular and well-known TCP port 443 to make the connections, which is the port used to connect to websites that use the SSL protocol (those that show the secure padlock in the address bar, such as this website). As usual, it sits within each person how you use the tool. Some people use hammers to drive nails, some people use them to nail drives… You get the idea.

Should I or Should I Not?

I check that I’m not about to break any library rules, because I’m nice like that. I approach the customer service desk and they tell me that the IT department does not offer any kind of technical support nor cannot be held liable on connectivity issues. No surprises here. I guess I’m on my own on this one…

The System

Fedora 26 Specs

My laptop runs on Linux Fedora 26, so all I have to do is install tor with

sudo dnf install tor

If you are running on a Debian-based Linux system -such as Ubuntu- and want to install from the command line, just replace dnf for apt-get.

Or just install the whole Tor Bundle from Tor’s website.

Additionally, since I am going to be using alternate ports (22 for SSH and 993 for IMAP over SSL), I will need torsocks.

sudo dnf install torsocks

Torsocks is a “library for intercepting outgoing network connections and redirecting them through a SOCKS server”. In English, that means that your internet browser/email client/fridge/whatever, whenever it needs to connect to internet, will do so through Tor.

Let the fun begin!

Once installed these nifty jewels, all I have to do now to connect to internet (and bypass that silly firewall) is open a terminal and run

tor

tor

Note that you could have just run tor in the background with tor & but I did it without the ampersand so I could see the log in real-time should any issue arise.

Some people have reported that running tor out-of-the-box reports not enough permissions and downright quits. Just change the ownership of tor in /run to your user name with sudo, like:

sudo chown myUserName:myUserGroup /run/tor

It will reset back to its default toranon:toranon when you restart the system.

You can change this in the tor configuration file torrc or, if you want it available at all times and don’t want to mess with user names and groups, you can just run it as a service with

sudo service tor start

And, if you definitely want to run it automatically after reboot:

sudo systemctl enable tor

Want to know if it is running properly now? Check it with:

sudo service tor status

Ok, ok. Now, to connect to an SSH server, all you have to do is “torify” the SSH connection with the command torsocks (seriously, who comes up with these commands?)

Does Tor really suck?

SOCKS actually stands for SOCKet Secure and is the protocol in charge of forwarding whatever port your favourite application is using to the tor network and visceversa. So, to connect to SSH via Tor, you type:

torsocks ssh [email protected]

or your favourite email client via Tor:

torsocks evolution &

(If you are paying attention: Yes. I did run that in the background. That’s what the ‘&’ does.)

So, after what seemed like a long time (more like three minutes), I was finally able to connect to my email accounts and my SSH server.

There is a lot more to what you can do with the mighty tor and its lucky companion torsocks (see what I did here?), but, as you can see, it is relatively easy to bypass almost any firewall. The most hardened ones will take a bit more time.

So, what do you think? Have any easier (and faster) ways to bypass a firewall? Let me know in the comments! (Turning it off does not count.)