Getting Around Your Internet Blocker at Work

Lately I’ve had a couple of less technical people ask me how to get around corporate blocking of certain ports (Google chat, built into Gmail, is one good example). I want to tell them that setting up an SSH tunnel to some remote server is the best way to do that, but everyone stares at me blankly when I say that.

So I saw this fairly technical article on what “tunneling” is, but it sorta geeks out, so I’m going to take a minute and break it down a little simpler. Here is the article for reference if you want to read it:

http://www.enterprisenetworkingplanet.com/netsp/article.php/3624566

The internet is an interesting beast. Everyone has addresses assigned to their computer, sometimes that address is an ‘internal’ address behind a router, sometimes it is a normal IP address that the world can see. Lots of people have a basic understanding that your IP address is like your street address for the internet, and that an ‘internal’ address is like the equivalent of someone else who lives in your house (or in other words, your router) going through the mail and handing you only the mail with your name on it.

But, what people don’t know is there are a couple of other interesting things about how all that works. And this is the bit that explains tunneling, and why it kicks ass.

1) Ports: The internet, and all TCP/IP and UDP (the types of protocols the internet likes to use), has ports. These ports are used to establish communication for only one type of data. For example, the web, or HTML stuff, or what we could call hypertext, uses port 80, and https (secure stuff like when you log into banks, and passworded stuff) uses port 443. AIM, Google chat, ssh, iTunes, and anything else each use a different port. Each port is used to establish communication between one point and another for a certain type of traffic.

I kinda like to think of this like a “port” for boats. Only one boat carrying one kind of thing can be in one port, or dock, at a time. Not a great analogy, but all I got for now.

2) Packets: Once you make a connection to a port, you don’t have continuous information just streaming in raw bits until you get an entire webpage. You instead have packets. It is like if we were sending someone mail: instead of sending them the whole thing in one envelope with the address, return address, and stamps, we send them one letter or one word at a time, and each one has its own address, return address, and error correction. Then, when the sending computer tells you it has sent everything, the receiving computer starts reassembling the entire thing again. It is at this stage that the receiving computer can say “Hey, I didn’t get everything,” and the sending computer will send the missing parts again. (This is called packet loss when it happens.)

Tunneling, then, is when we connect to a server somewhere else on a port, say 22, cuz that is the port for SSH (stands for secure shell…like telnet, only sucks less). So, I then tell the SSH server and client that I want to make a tunnel on that port, and that I’m going to send traffic over it that normally uses a different port…say port 80 for webpages.

So, I then open my web browser and try to connect to a webpage, and what happens in the background is that each packet of my request is wrapped up inside another packet. The outer packet contains all the addressing information for going over port 22, but inside of it is the information for making a webpage request over port 80. When it reaches the server, the server unpacks the information that came over port 22, takes a look at it, and sees that it is actually a ‘tunneled’ packet that wants to make a request on port 80. So the server makes the request on port 80, and the webpage that is returned is then put inside packets and sent back to you on port 22. Your computer unpacks that information, sees it is a webpage, and displays it in your browser.

This gets around corporate restrictions on surfing or AIMing because the actual request for the webpage or chat is made on the opposite end of the tunnel. To get a server that supports this you either have to pay for it like I do with my webhosting company, or you have to set one up in your house (which I have also done).

I like SSH as opposed to setting up proxy servers or other things because, while your employer can see that you have traffic going over port 22, SSH encrypts that traffic so they can’t read it, and with a proxy you don’t get that.
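That last point cuts both ways: the employer can’t read the traffic, but they can still see a workstation holding an SSH session open for hours and pulling megabytes through it, which looks nothing like someone typing at a shell. As an added example (not from the original post or the linked article), here is the kind of check a network admin would run over connection logs to spot that pattern. The log format, the subnet ranges and the thresholds are constructed assumptions for the demo.

```python
# Added example: flag outbound SSH sessions from workstations that look like
# tunneled web browsing. Log format, subnets and thresholds are assumptions.
import ipaddress

# Constructed flow records: src dst dst_port bytes_out bytes_in duration_seconds
SAMPLE_FLOWS = """\
10.1.5.23 203.0.113.10 22 41200 9800000 5400
10.1.5.23 192.0.2.8 443 3100 52000 4
10.1.7.9 203.0.113.44 22 2200 6100 30
10.1.9.4 198.51.100.5 22 880000 14200000 7200
10.1.2.2 10.1.0.5 22 9000 12000 900
"""

WORKSTATIONS = ipaddress.ip_network("10.1.0.0/16")  # assumed user subnet
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed corporate space


def parse_flows(text):
    """Turn the whitespace-separated records above into dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, out_b, in_b, dur = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(port),
                      "out": int(out_b), "in": int(in_b), "dur": int(dur)})
    return flows


def suspicious_ssh(flows, min_bytes=1_000_000, min_seconds=1800):
    """Return flows that look like an SSH tunnel carrying browsing:
    a workstation talking SSH to a non-internal host that is either
    long-lived or moving far more data than an interactive shell would.
    An interactive shell is a few KB over minutes; browsing is MBs,
    with bytes_in dwarfing bytes_out."""
    hits = []
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if f["dport"] != 22 or src not in WORKSTATIONS or dst in INTERNAL:
            continue  # not SSH, not a workstation, or an internal admin host
        if f["in"] + f["out"] >= min_bytes or f["dur"] >= min_seconds:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for f in suspicious_ssh(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['src']} -> {f['dst']}: {f['in'] + f['out']} bytes, {f['dur']}s")
```

Short, low-volume SSH sessions (the third record) and SSH to internal hosts (the fifth) are left alone, so the admin’s own shell work does not trip it.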

That is enough geeking out for now….I’m going to help clean up the church.