Bypass firewall restrictions using DD-WRT and SSH

Many firms implementing a major ERP package have large networks centrally managed from a single location, often in another country. In most cases the network engineers are insulated by tiers of helpdesk employees and are unreachable except through bureaucratic online forms, if at all. For these reasons outbound connections may be over-protected, rendering an internet connection useless for productivity protocols like those used by Microsoft Outlook (IMAP over SSL, SMTP over TLS) and the Terminal Services Client (RDP). Capturing the packets and passing them through an SSH connection to a DD-WRT router is an easy way to bypass a poorly-configured firewall and to keep the traffic out of sight of a too-curious network engineer.

What is DD-WRT?

The rich feature set and low price of DD-WRT make it a very attractive firmware for home and small business. It is relatively easy to install on most supported routers and gives a $50 router the abilities of an $800 router.

Many of the features that were made available by the DD-WRT firmware years ago now come stock from the router manufacturer in their proprietary firmware in recent versions, but there are still some gold nuggets that are only available after flashing a router with DD-WRT. One of those features is the SSH shell and the ability to route IP traffic through it making it a very effective and secure proxy server. It is this proxy server that allows a user to use his home internet connection instead of the office network. A good SSH client combined with DD-WRT is what makes this proxy service possible.

Installing DD-WRT

The first step toward having a private SOCKS5 proxy is installing the DD-WRT software on the router. Flashing the router isn't a difficult task, but one must buy a supported router. The router must have enough RAM to install one of the flavors of DD-WRT that supports SSH. Almost any supported router with 4MB of PROM will work fine. A full list of supported devices is available from the DD-WRT website along with instructions specifically tailored to every router.

Configuring DDNS

The second step is configuring the dynamic domain name service (DDNS) on the router. There are many DDNS hosting services that provide instructions on how to create an account on their servers and use a hostname that continuously points to a changing, dynamically assigned IP address.

Installing OpenSSH

Now comes the difficult part: installing the client software and generating RSA keys. Download this installation package. Extract it to a temporary folder and launch the setup program. Blaze through the screens below unchecking the feature for Server. There's no reason to run an SSH server on a work PC.

Update: Recent versions of Windows 10 have the option of adding OpenSSH as a feature from the Services app. If the laptop runs Windows 10, first check whether OpenSSH is already installed by running the ssh program in the command prompt; if it is not installed, try these instructions to install OpenSSH instead of following the instructions below.

Configuring OpenSSH

Now generate a key pair by dropping into the Command Prompt and navigating to the c:\Progra~1\OpenSSH\bin folder. If the OpenSSH client app is installed under Windows 10 or later then it is not necessary to navigate to this folder.

Use the command md c:\rsakeys to make a folder on the root of the hard drive called rsakeys; this is an important step that not only creates the folder to hold the public and private keys, but also sets the security on the folder such that only the current user has access to it.

The OpenSSH client may refuse to use the keys if other users can access the folder. If the OpenSSH client throws an "UNPROTECTED KEY FILE" or "Permissions are too open" error then change the permissions on the folder and the keys. For help, check out either of these articles from superuser or stackoverflow.

Finally, generate a key pair to use with these commands:

ssh-keygen -b 2048 -t rsa -f c:\rsakeys\keys

Note: There is a key pair available at the bottom of the page that can be used if this step proves to be too difficult.

Open the c:\rsakeys\keys.pub file in notepad and copy the contents to the clipboard. Browse to the "Services" tab in the DD-WRT router and paste the content from the clipboard into the "Authorized Keys" text box in Secure Shell. Be sure to set the radio buttons and port just as shown below. Save the settings.

Update: It is recommended to turn off "Password login" on this screen. It is not necessary when keys are used, and lowlife hackers have nothing better to do than brute-force innocent routers.

Click the "Administration" tab and configure the Remote Management settings as shown here. Apply settings.

Now create a batch file that maintains a connection to the router. The connection will drop several times each day when IPs change or connections bog down, and this batch file will automatically reconnect the client to the router. The -D9999 parameter sets the port on which the SOCKS v5 proxy listens; that port will be configured in the browser later.
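As an added example (not the file from the original post, which appeared only as a screenshot), here is a sshme.bat that reconnects in a loop. The key path c:\rsakeys\keys matches the keygen step above, the DDNS hostname is a placeholder, and the ssh.exe path assumes either the OpenSSH package installed above or Windows 10's built-in client; for the VPN scenario at the end of this page, point ROUTER at the router's LAN address instead.

```batch
@echo off
rem sshme.bat: keep an SSH SOCKS5 tunnel to the DD-WRT router alive.
rem Added example; the key path and hostname below are placeholders to adjust.
set KEY=c:\rsakeys\keys
set ROUTER=your-ddns-name-here.org
set SSHPORT=22
set SOCKSPORT=9999

rem Prefer the Windows 10 built-in client when present, else the package installed above.
set SSH=c:\progra~1\openssh\bin\ssh.exe
if exist %SystemRoot%\System32\OpenSSH\ssh.exe set SSH=%SystemRoot%\System32\OpenSSH\ssh.exe

:loop
echo %date% %time% connecting to %ROUTER%:%SSHPORT% ...
rem -N  no remote shell, only the tunnel; -C compresses the traffic
rem -D  binds the SOCKS5 listener to 127.0.0.1 only, so other LAN hosts cannot use it
rem ServerAlive* makes a dead link fail within about 90 s so the loop reconnects
rem ExitOnForwardFailure exits (and retries) if port 9999 is already in use
%SSH% -i %KEY% -C -N -D 127.0.0.1:%SOCKSPORT% -p %SSHPORT% ^
  -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes ^
  root@%ROUTER%
echo %date% %time% connection dropped (exit code %errorlevel%), retrying in 15 seconds
timeout /t 15 /nobreak >nul
goto loop
```

Change SSHPORT to 443 for the public-wifi variant described in the Bonus section.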

Now run the batch file. The first time it is run, ssh will ask whether the router's host key should be added to the list of known hosts. Answer this question with the whole word "yes" and not just the letter "y". Do not include the quotes. The command prompt in which the batch file is running will look something like this.

Configuring web browsers to use proxy

Configure the browser on the work computer to use the SOCKS v5 proxy server. The hostname is localhost and the port is 9999. Below are two examples using Internet Explorer and Firefox.

FoxyProxy is a great way to manage which sites are viewed through which proxy in Firefox and is free from the Mozilla website.

We're almost done; the last step in establishing a proxy connection is testing. Browse over to a popular website like SAPLSMW.com to ensure that the client software is working. Troubleshooting issues with connectivity, DDNS, router configuration and internet connectivity is outside the scope of this how-to. IP Chicken is a great internet resource for testing connectivity and determining where your traffic appears to come from on the 'net.

Using MS Outlook (and others) through the proxy

There are a host of proxifying tools and each has its strengths and weaknesses. Proxifier is the simplest tool to configure, but it isn't free (unless you have a key), so be prepared to shell out a few bucks for it. Simply defaulting all connections to "Direct" and then adding rules for individual programs will ensure that only the desired programs pass their traffic across the SSH connection, while internal programs (like SAPLogon) keep operating inside the corporate network.

Free-to-use RSA Key Pair:

A set of keys lying around will work in a pinch. Download these keys as rsakeys.zip.

Additional features for DD-WRT

Use DD-WRT to filter out banner ads and malicious software on the 'net by adding this script to the Startup command. Click Administration→Commands and then copy-paste this into the "Commands" field. Click the "Save Startup" button to commit this to the router's memory. Click Administration→Management and then click the "Reboot Router" button to make the router download and use the hosts file. The sleep 60 allows the router to boot up and obtain an IP address from the ISP before attempting to download the file.

sleep 60

# Download the MVPS hosts file, keep only the 127.0.0.1 entries, point every
# line after the first (localhost) at the unroutable 0.0.0.0 and strip comments.
# Write to a temp file first so a failed download cannot leave /etc/hosts empty.
wget -O - http://www.mvps.org/winhelp2002/hosts.txt | grep 127.0.0.1 | sed -e '2,$s/127.0.0.1/0.0.0.0/g' -e 's/[[:space:]]*#.*$//' > /tmp/hosts.new
if [ -s /tmp/hosts.new ]; then
  cp /tmp/hosts.new /etc/hosts
  logger "$0: Hosts-file downloaded"
fi

# Restart dnsmasq so it reads the new hosts file
stopservice dnsmasq
startservice dnsmasq

logger "$0: DNSMasq restarted"

Update: The script above worked well back in the early 2000s, but now many websites require HTTPS and older versions of wget do not support HTTPS. Use the blockads script from SAPLSMW.com below to ensure that the router has the latest hosts file every time it reboots.

Bonus: Change the port that DD-WRT listens on for SSH to 443 to make better use of it over public wifi connections. Many open connections on trains or at airports disallow non-web-browsing traffic by simply closing off all ports except 80 and 443. By telling the home router to listen on port 443, traffic can be passed over a public network encrypted and without fear of eavesdropping.

Adjust the line in the sshme.bat file such that it includes the parameter to use port 443 instead of 22.

c:\progra~1\openssh\bin\ssh -i c:\rsakeys\keys -C -D9999 -p443 root@your-ddns-name-here.org

Bonus 2: Here are some scripts to add to the Startup Commands. The first causes the router to reboot if the connection goes down (great for wireless bridges) and the second downloads and sets up the hosts file for blocking unwanted popups and banner ads.

sleep 199

wget -O - http://www.saplsmw.com/scripts/fixconnection.txt > /tmp/fixconnection.sh
chmod +x /tmp/fixconnection.sh
/tmp/fixconnection.sh &

sleep 99

wget -O - http://www.saplsmw.com/scripts/blockads.txt > /tmp/blockads.sh
chmod +x /tmp/blockads.sh
/tmp/blockads.sh &

sleep 99

Copy and paste the text above into Commands box under Administration and then click the "Save Startup" button.

Retarding Hackers' Efforts...

One easy way to block 99.99% of hackers is to mismatch incoming ports. Hackers like to try random credentials against Remote Desktop Protocol (formerly Terminal Services) at port 3389, but if another port is forwarded to the Windows RDP server then attempts on 3389 can be dropped so that hackers are just wasting their time.

This log is from a Rust server before port 3389 was forwarded to a non-existent server. Hundreds of hacking attempts on the server were thwarted every day by a long, complex password, but preventing the hacking attempts is even more effective than complex passwords.

Creating a non-existent server for all unassigned incoming ports is another great way to retard hacker attempts. Here, the DMZ is set to forward all unassigned incoming ports to a server that doesn't exist and, instead of rejecting the inbound requests, the packets are forwarded to nowhere so that hackers don't know that their time is being wasted.

Most hacking attempts come from Russia and China. Blocking the tens of thousands of IP ranges from those countries and others notorious for hacking can tax the processor and memory of a DD-WRT router, but it can still be done.

The ipblock script blocks the most notorious countries and works well enough for routers with lots of RAM (64MB or more). The ipblocksmall script doctors all of the IP ranges from notorious countries by rounding them up to class B networks, greatly reducing the total number of IP ranges that the firewall must remember.

## Use this one on routers with 64MB RAM or more...
wget -O - http://www.saplsmw.com/scripts/ipblock.txt > /tmp/ipblock.sh
chmod +x /tmp/ipblock.sh
/tmp/ipblock.sh &
## Use this one on routers with 8MB RAM or more...
wget -O - http://www.saplsmw.com/scripts/ipblocksmall.txt > /tmp/ipblock.sh
chmod +x /tmp/ipblock.sh
/tmp/ipblock.sh &

Coronavirus Update

The Coronavirus scare has trapped many resources in their own homes with client laptops and those laptops tend to be locked down such that advanced routing isn't available which means that all internet traffic is passed over the VPN that nobody ever planned to have every employee using at the same time. After noticing that the internal IP address of the DD-WRT router can still be pinged while connected to VPN, a little head-scratching and some research turned up a built-in SSH client in Windows 10 . . .

There are plenty of tutorials available on the 'net on adding this optional feature in Windows 10, so this update doesn't cover that. Instead, it covers tunneling out of a home office while on VPN in order to reach internet sites over the home connection instead of competing with every other employee and with needlessly restrictive firewalls.

The almost-too-simple solution is to create an SSH connection to the internal port of the DD-WRT router using SSH and then use that connection as a SOCKS5 proxy to the external port on the DD-WRT router. The steps are simple enough:

  • Generate the RSA keys using the instructions above (after ensuring that the SSH client feature is turned on--it might already be!); ssh-keygen comes with the Windows 10 SSH distribution.
  • Get the sshme.bat file running to SSH to the internal IP address of the DD-WRT router.
  • Configure one of the web browsers to use the localhost:9999 as the SOCKS5 proxy server.

Note: Some Cisco AnyConnect servers allow network connections to the internal network port of the home router while connected. Try pinging the internal network port while connected to different Cisco AnyConnect VPN servers to see which, if any, allow this.

Note: Try to find a DD-WRT router with at least 32MB of RAM. Dropbear takes up a lot of RAM to operate efficiently and demands a lot of processor overhead to keep speeds up.

Consider adding this code to prevent Dropbear (the SSH server) from crashing the DD-WRT router by exhausting its memory. Dropbear will consume memory until, when all of the RAM on the DD-WRT router has been consumed, the router hangs and requires a soft reset to work again.

The killall inadyn terminates the Dynamic DNS updater after it has had a chance to update the IP address associated with the router's host name. If the router has an automatic reboot (Administration→Keep Alive) scheduled for early each morning then the value will be updated frequently enough and doesn't need to be validated every ten minutes.

The killall resetbutton frees up 1.3MB used by a program that listens to the reset button. This program isn't required as routers are usually soft reset by unplugging the power.

The -p parameter in the dropbear line tells the program to use a non-standard port and to listen only on the internal IP address of the router for additional security. The -W parameter reduces the default receive_window_buffer from 24576 to 1000 in order to reduce the amount of memory used. The -K and -I parameters are for keepalive and idle_timeout respectively and, by reducing the timeouts for these variables, allow the program to free up RAM more readily.

sleep 30

# Free up a megabyte of RAM after the DDNS update has completed.
# The daily 05:00 reboot means the hostname is still refreshed once a day.
killall inadyn

# Free up 1.3 megabytes by stopping the reset-button listener.
killall resetbutton

# Restart Dropbear with shorter timeouts and a smaller receive window so that
# its memory use stays bounded: key-only logins (-s), LAN address only (-p),
# 300 s idle timeout (-I), 300 s keepalive (-K), 1000-byte receive window (-W).
killall dropbear
sleep 2
dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 192.168.1.1:10022 -s -a -I 300 -K 300 -W 1000

Finally, set up the proxy settings in the browser (this example is Firefox) to connect to the SSH proxy running on the local computer. This directs only that browser's traffic to the internet over the home connection instead of through the overtaxed VPN server and corporate network.
Firefox Proxy SSH settings