1

I have a hired server that doesn't allow me to access a URL. Can I access that URL from the server using my home computer as a bridge with an SSH tunnel? On the server I only have command-line access.

I can access some URLs, but this one is not on the whitelist. This is what I get:

wget https://jenkins-ci.org/debian/jenkins-ci.org.key
--2015-03-30 13:21:20--  https://jenkins-ci.org/debian/jenkins-ci.org.key
Resolving jenkins-ci.org... 199.193.196.24
Connecting to jenkins-ci.org|199.193.196.24|:443... failed: Connection timed out.
Retrying.

I want to use an SSH tunnel or something like it to download the key file and the packages on the server.

10
  • 2
    What do you mean by "blocks a URL"?
    – DavidPostill
    Commented Apr 2, 2015 at 20:35
  • @DavidPostill I mean that is on a blacklist.
    – 0x2b3bfa0
    Commented Apr 2, 2015 at 23:19
  • @DavidPostill: I reworded my question to try to fit the rules... Did I do anything wrong?
    – 0x2b3bfa0
    Commented Apr 5, 2015 at 10:54
  • You could use some free VPN service whose URL is not blocked, to connect to your server, this way bypassing the block. Just google for "free vpn". You wouldn't need then to go thru your home PC.
    – harrymc
    Commented Apr 6, 2015 at 20:23
  • @harrymc: And how do I configure it from the command line? I ask you this because you suggested it, however don't feel obligated to answer.
    – 0x2b3bfa0
    Commented Apr 6, 2015 at 20:37

3 Answers

2
+100

To rephrase your question, based on one of your later comments, you want to

access [website] from a server that hasn't access to that URL using a personal computer with no open ports as tunnel - Helio

At first glance, what you are asking for seems impossible. Upon closer inspection, what you need is some highly advanced networking voodoo. Specifically:

  • A VPN server running on your personal computer (let's call it herpyderp)
  • An SSH server running on the remote server (call it.... megatron. why not?)
  • A VPN client on megatron.

Set up the VPN server

The process of setting up a VPN server is... quite complex, and well beyond the scope of this answer. I'll put some resource links at the end for you.

Anyway, set it up to listen on 127.0.0.1, and disable pushing a default route. (You also may need to set it to use tcp; I'm not sure how udp will react in this... odd situation.)

Forward the port over SSH

For the sake of simplicity, I'm going to assume you have an OpenVPN server on herpyderp properly set up and listening on 127.0.0.1:1194. Connect to megatron and forward the appropriate port back to herpyderp (on localhost):

ssh -R 8088:localhost:1194 awesomeuser@megatron

Connect VPN

Again, for simplicity, I will assume you have a config file for the OpenVPN client on megatron. Ensure that it is configured to not set a default route, and to connect to the server at address 127.0.0.1:8088.

Note that if megatron has something already listening on 8088, you will need to use a different port number.

Add routes

Finally, you will need to route requests to the blocked IP through the VPN with the ip route add command. Use ifconfig to get the ip address of the VPN adapter and its destination address. Use ping or nslookup to obtain the ip address of the site in question. Then, armed with this information, add the route:

ip route add <SITE_IP_ADDR> via <VPN_DEST_ADDR> dev <VPN_ADAPTER>

If everything goes just right, you should be able to access the blocked IP from megatron via herpyderp's internet connection.

But...

That being said, I'm fairly sure that any network admin that's made it this far into the answer is either weeping or in shock by now. There is nothing... right... with this setup. I feel as if I've committed a sin for even suggesting it.

Also, I wouldn't expect any significant throughput. And just... astronomical latency.

Final disclaimer: I have no idea whether this will actually work. It should, but due to the sheer amount of work involved with this setup, I haven't actually tested it. There are about a million things that could go wrong. Good luck, and godspeed.

Resources

EDIT: A word of caution

This absolutely has the potential to make your server completely unreachable over the network. The ip commands especially; the wrong route can block all network activity.
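
Added example (not part of the original answer): on megatron, `ss -tlnp` shows whether the port chosen for `ssh -R 8088:localhost:1194` is already taken, and whether sshd bound the forward to loopback only or to every interface, which would expose herpyderp's VPN listener through megatron. The `ss` output below is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnp` output on megatron (not captured from a real host).
# Port 9090 shows what a forward looks like when sshd's GatewayPorts allows a wildcard bind.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=811,fd=3))
LISTEN 0      128        127.0.0.1:8088      0.0.0.0:*     users:(("sshd",pid=2101,fd=9))
LISTEN 0      128            [::1]:8088         [::]:*     users:(("sshd",pid=2101,fd=10))
LISTEN 0      128          0.0.0.0:9090      0.0.0.0:*     users:(("sshd",pid=2101,fd=11))
LISTEN 0      511        127.0.0.1:8080      0.0.0.0:*     users:(("nginx",pid=640,fd=6))
EOF
}

# Read `ss -tln` output on stdin and classify the listeners on TCP port $1:
#   absent   - nothing listens there, so the port is free for -R
#   loopback - bound to 127.0.0.0/8 or ::1 only (sshd's default for -R)
#   exposed  - at least one listener is reachable from other hosts
forward_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # last element is the port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") loopback = 1
            else exposed = 1
        }
        END {
            if (exposed) print "exposed"
            else if (loopback) print "loopback"
            else print "absent"
        }'
}

# Print the process name that owns the first listener on port $1 (needs the -p column).
listener_owner() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] == port && split($6, q, "\"") >= 3) { print q[2]; exit }
        }'
}

for p in 8088 9090 8080 1194; do
    echo "$p: $(sample_ss | forward_exposure "$p") owner=$(sample_ss | listener_owner "$p")"
done
```

On a live host, pipe `ss -tlnp` into the functions instead of `sample_ss` (run it as root to see the owning process).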

1

From your home machine run the following:

curl https://jenkins-ci.org/debian/jenkins-ci.org.key|ssh <username>@<ssh server> 'cat > jenkins-ci.org.key'

Replace <username>@<ssh server> with proper ssh information.

Example: curl https://jenkins-ci.org/debian/jenkins-ci.org.key|ssh [email protected] 'cat > jenkins-ci.org.key'

This will place the file in the user's home directory. You can change this or simply move it after copying it.

This assumes your home machine uses Linux. If it doesn't, you could use a cheap/free cloud Linux machine to do the same (example: c9.io).

1

You can try to use an SSH tunnel:

ssh -f user@yourserver -L 2000:jenkins-ci.org:443 -N

Then you can query localhost:2000 for what you want:

wget https://localhost:2000/debian/jenkins-ci.org.key

If you run into domain problems, just add:

127.0.0.1 jenkins-ci.org

to the /etc/hosts file and run:

wget https://jenkins-ci.org:2000/debian/jenkins-ci.org.key

This is a bit “hackish,” but I think that’s what you are looking for.

6
  • Where do I run the commands? On the server?
    – 0x2b3bfa0
    Commented Apr 7, 2015 at 10:28
  • You run all the commands on your local machine. The "yourserver" host is the not-blacklisted host.
    – gbuzogany
    Commented Apr 7, 2015 at 10:30
  • Can I make it reverse? Execute the command on the non-blacklisted machine?
    – 0x2b3bfa0
    Commented Apr 7, 2015 at 10:57
  • If the machine is not blacklisted, you can run: wget jenkins-ci.org/debian/jenkins-ci.org.key straight, right?
    – gbuzogany
    Commented Apr 7, 2015 at 11:01
  • 1
    @Helio You state "no open ports", is this because you don't want anyone to be able to connect to this port? It is possible to firewall this so that only localhost can access the port. Other than that, VPN is pretty much your only other option which is much more difficult. You need to, in some way have another server relay the IP traffic (SOCKS, HTTP Proxy, VPN, etc.) since that IP is blocked. SOCKS is by far the easiest option. Alternatively, it might be easier to ask the administrator for the server to allow traffic to that IP.
    – Goblinlord
    Commented Apr 9, 2015 at 5:09
