Priyadi’s Place

8 December 2006

Making IP Tunnel over SSH

Posted under:

Internet

at 01:14

As long as I’ve been a TelkomSpeedy customer, I’ve never been able to log on to any IM services. Yahoo! Messenger, MSN Messenger, Jabber, ICQ, AIM: all didn’t work at all. I’m not alone, other Speedy customers like Devi and Tya also experienced the same problem. I’m still curious why they chose to filter all IM traffic on their router.

They do allow SSH though, and this is how I managed to ‘fix’ the problem by redirecting IM traffic over an SSH tunnel.

First, the prerequisite. I need a server, directly connected to the Internet, and a root access for it. This may be a tough requirement for casual users, but thankfully I do have root access on several dozens of servers.

Second, I need to prepare the server for NAT. For my intent and purposes, this server will act as a (second) gateway for my computer. This needs to be done on the server:

iptables --table nat --flush
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface ppp+ -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Not much different from my usual NAT setup, except this time it is the other way around: –out-interface is now eth0, and –in-interface is now ppp+, because eth0 is the interface connected directly to the Internet, and ppp0 becomes a link between the server and my computer.

And now, to create the tunnel itself. This needs to be done on my computer:

/usr/sbin/pppd updetach noauth silent nodeflate pty \
        "/usr/bin/ssh root@server.example.com /usr/sbin/pppd \
        nodetach notty noauth" ipparam vpn 10.0.0.1:10.0.0.2

Substitute server.example.com with the real server name. This should create a new ppp0 interface on both the server and my computer. I should now be able to ping 10.0.0.2 and it should respond back.

Next, I need to modify my routes. First I need a dedicated route to my current gateway, so that the tunnel doesn’t get dropped: route add server.example.com gw 192.168.1.1 where server.example.com is the server hostname and 192.168.1.1 is my current gateway. And second, I need to change my default gateway to the tunnel: route del default ; route add default gw 10.0.0.2.

All done, now all traffic will be redirected to my server. Any connection that originates from my computer will be translated by the server, and the destination will see the server as the origin of connection, not my computer.

Please note that tonight they already fixed the problem and for the first time I can run IM without tunneling. I don’t know if my little chat with KWW yesterday has anything to do with this .

53 Responses

Trackback: Use this URI to trackback this entry. Use your web browser's function to copy it to your blog posting.

Comment RSS: You can track conversation in this page by using this page's Comments RSS

Gravatar: You can have a picture next to each of your comments by getting a Gravatar.

1

gak ngerti..
pertama ?
- Comment by dendi
- Posted from Semarang Indonesia
- Using Mozilla Firefox 2.0 on Windows XP
- 8 December 2006 at 01:26
2

Speedy=Limited wired Connection on limited Telkom customer numbers. Can’t use on wireless, I think. Wah, masalah kaya’ gini butuh 2 server ya? Server Linux lagi.
It’s Broadband Trouble? How about Fren Maxsurf? StarOne? Just dial them up.
- Comment by Rumahilmu.com
- Posted from Jakarta Indonesia
- Using Internet Explorer 6.0 on Windows XP
- 8 December 2006 at 01:50
3

Jadi intinya mereka takut dikasih review jelek di blog nya Priyadi sehingga semuanya langsung dibenerin ya
- Comment by BARRY
- Posted from Washington United States
- Using Internet Explorer 6.0 on Windows XP
- 8 December 2006 at 03:17
4

Wah 5 besar nih…

Sudah ikut milis speedy-telkom@yahoogroups.com dan speedy-users@yahoogroups.com? (mungkin ada lagi yang lain).

Kemarin saya liat ada beberapa solusi di milis tsb, kalau tidak salah salah satunya ada yang bilang nurunin MTU jadi 1400.
- Comment by Rendra
- Posted from Jakarta Indonesia
- Using Opera 9.02 on Windows XP
- 8 December 2006 at 03:18
5

speedy lelet
- Comment by Anang
- Posted from Surabaya Indonesia
- Using Mozilla Firefox 1.5.0.8 on Windows XP
- 8 December 2006 at 05:04
6

gw pake speedy dan Y!M maupun GTalk (pake Gaim) jalan tuh..
- Comment by iang
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Ubuntu Linux
- 8 December 2006 at 05:38
7

Prie, enakan pake openvpn deh(pilih yg pake UDP) ato pake CIPE.

ini alasan kenapa pake ssh kurang bagus:
http://sites.inka.de/~W1011/devel/tcp-tcp.html
- Comment by budiap
- Posted from Singapore Singapore
- Using Mozilla Firefox 1.5.0.8 on Windows XP
- 8 December 2006 at 06:10
8

This may be a tough requirement for casual users, but thankfully I do have root access on several dozens of servers.

Hmm…
Something fishy here…
- Comment by kunderemp
- Posted from Indonesia
- Using Mozilla Firefox 1.5.0.1 on Windows XP
- 8 December 2006 at 06:27
9

Sembilan besar?
- Comment by Biho
- Posted from Indonesia
- Using Mozilla Firefox 2.0 on Windows XP
- 8 December 2006 at 06:32
10

Rasanya wajar saja, di unggulin speedy kan main gamenya

btw : link ke telkomspeedy kelebihan http
- Comment by alamster
- Posted from Palembang Indonesia
- Using Mozilla Firefox 1.5.0.8 on Windows XP
- 8 December 2006 at 07:26
11

10 besar
- Comment by Budi
- Posted from Surabaya Indonesia
- Using Mozilla Firefox 1.5.0.8 on Windows Server 2003
- 8 December 2006 at 07:26
12

ada penjelasan resmi gak dari telkom mengenai ini?

YLKI diem aja yaah…

hayooo KWW siapa yah
- Comment by hanindyo
- Posted from Bandung Indonesia
- Using Mozilla Firefox 2.0 on Mac OS X
- 8 December 2006 at 07:36
13

1# Sama Gak Ngerti Juga!
20 besar gak yah???
Kali ini Rank Jauh lebih penting sepertinya!!
- Comment by gila nyambung
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Windows XP
- 8 December 2006 at 07:43
14

gak ngerti juga

btw dirumah sekarang aku make wifone, gara2 ada pameran di carefour. tertarik ama iklannya aja, daripada pake telkomnet instant

15 besar ???
- Comment by Goen
- Posted from Jakarta Indonesia
- Using Internet Explorer 5.5 on Windows ME
- 8 December 2006 at 07:59
15

kalo gw ngga di set di servernya, tunnelingnya via putty aja,

di set via socks proxy..

127.0.0.1 port tertentu

lebih secure, karena cuman gw doang yang bisa make
- Comment by rendy
- Posted from Selangor Malaysia
- Using Internet Explorer 6.0 on Windows XP
- 8 December 2006 at 08:03
16

Gue pakai Speedy di Bali dan Jogja, yg paket 300 ribuan itu.

Gak ada masalah tuh, mau YM, ICQ, MSN, Skype ataupun SIP phone.
Aneh juga tiap kota beda policy
- Comment by Dedhi
- Posted from Singapore Singapore
- Using Mozilla Firefox 2.0 on Ubuntu Linux
- 8 December 2006 at 08:09
17

port 5050 speedy emang sempet ditutup kemarin, entah ada apa. tapi sekarang udah bisa lagi kok. setidaknya di sini
- Comment by aldi
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Ubuntu Linux
- 8 December 2006 at 08:16
18

Speedy yang aneh.
disini juga normal-normal aja, nggak pake tunnel-tunnel’an.
- Comment by Yanuar
- Posted from Kuta Indonesia
- Using Mozilla Firefox 1.5.0.8 on Windows XP
- 8 December 2006 at 08:51
19

nasib… i’net indonesia buat home user.
- Comment by arie
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Mac OS X
- 8 December 2006 at 08:59
20

Kenapa gak pake HTTP Tunnel?
- Comment by gandhim
- Posted from Satellite Provider
- Using Opera 9.02 on Windows XP
- 8 December 2006 at 09:15
21

wah root via ssh
- Comment by arjuna
- Posted from Jakarta Indonesia
- Using Opera 9.02 on Linux
- 8 December 2006 at 09:41
22

aku juga pake spidisux, tapi untungnya fine2 aja tuh
- Comment by boku_baka
- Posted from Semarang Indonesia
- Using Mozilla Firefox 2.0 on Windows XP
- 8 December 2006 at 09:49
23

bingung
- Comment by Luthfi
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Windows XP
- 8 December 2006 at 09:54
24

temen2 yg pake speedy fine2 aja tuh, bisa semua IM. btw, speedy good enough gak sih buat maen CS online (indonesia) atau radio internet (indonesia)? temen2 yg pake speedy pada pelit banwidth sih //lirik deepblue . kalo ok buat game online mau deh ikutan.
- Comment by Fernando
- Posted from Indonesia
- Using Mozilla Firefox 1.5.0.7 on Windows XP
- 8 December 2006 at 10:04
25

I’m still curious why they chose to filter all IM traffic on their router.

Not just IM traffic, but also IRC and CVS/SVN as well as other ports including HTTP ports 8080 and 8089.
It’s already been fixed, after complaining for about a week!
Speedy kampre… I mean… holy sh*t, Batman!!1
- Comment by LouCypher
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0b1 on Windows XP
- 8 December 2006 at 10:39
26

Cari yang lain aja deh…
- Comment by hari
- Posted from Yogyakarta Indonesia
- Using Opera 9.01 on Windows XP
- 8 December 2006 at 10:54
27

Setuju dengan #7. Pake OpenVPN (udp) atau CIPE. SSH dengan tcp nya gak reliable kalo ada gangguan dan latency nya bisa ngebengkak.
- Comment by adhisimon
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 1.5.0.8 on Fedora Linux
- 8 December 2006 at 11:21
28

#2
masih bangga saya pake StarOne … uhui! $\:d/$
- Comment by preaxz
- Posted from Jakarta Indonesia
- Using Internet Explorer 6.0 on Windows XP
- 8 December 2006 at 11:25
29

Pri,

Ini lagi nyoba speedy di Plangi.
Dishare, bisa koneksi kok y!-nya.
- Comment by pipit
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Windows XP
- 8 December 2006 at 11:44
30

Dari pertama make speedy di Yogyakarta sampai sekarang saya tidak bermasalah dengan IM. Hanya saja beberapa teman saya di Jakarta memang mengeluh tidak bisa memakai IM sekitar seminggu yang lalu. Tapi itupun hanya 2 hari. Setingan IP tunnelnya diatas kok rumit ya, masih belum ngerti juga
- Comment by kenz
- Posted from Yogyakarta Indonesia
- Using K-Meleon 1.02 on Windows XP
- 8 December 2006 at 12:40
31

ndak masalah tuhh YM n others pake speedy…
masalah nya cuma lelet
- Comment by miftah
- Posted from United States
- Using Mozilla Firefox 1.5.0.8 on Windows XP
- 8 December 2006 at 13:24
32

but thankfully I do have root access on several dozens of servers.

yeah.. and sadly i’m just a casual user

Please note that tonight they already fixed the problem and for the first time I can run IM without tunneling. I don’t know if my little chat with KWW yesterday has anything to do with this

kayanya, emang harus lewat pak priyadi nih kalo mau komplen produk
- Comment by om7ack
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Windows Server 2003
- 8 December 2006 at 13:46
33

Pri,url ke spidi dobel http.
- Comment by Azil
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Windows XP
- 8 December 2006 at 14:34
34

Emang betul, mungkin vendor yg ngeset router beda2 kalee
sehabis routernya jebol minggu kemaren
sekantor kagak bisa YM
males banget nelpon 147 yg sux itu
yg ngaranin pake meebo aja
gile loe ya 147

ya udah gaimnya di set dari port 5050 ke port 80 aja
and alhamdulilah problem solve
telkom emang sux
- Comment by daus
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 1.5.0.7 on Linux
- 8 December 2006 at 15:36
35

Ehm, saya baru saja menemukan cara yang “sedikit” lebih mudah. Sewa sebuah Virtual Private Server (VPS), lalu install SQUID. Config squid`nya supaya accept koneksi dari koneksi localhost (dari VPS itu) saja, supaya tidak disalahgunakan orang. Lalu dari komputer anda, tinggal gunakan command ini ssh -N -l 8888:127.0.0.1:[port-squid-anda] [username]@[ipserveranda] Pastikan anda mempunyai program ssh yang sama dengan punya linux (bisa pakai punya cygwin kalo anda di Windows). Setelah itu tinggal set YM/MSN/dll menggunakan proxy ke localhost (local komputer anda) port 8888. Koneksi ke server akan terenkripsi oleh SSH. $\:d/$

Saya sendiri sering pakai ini untuk sekalian buka browsing ke beberapa site yang diblokir dari network kampus…
- Comment by Kurniady
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Fedora Linux
- 8 December 2006 at 23:40
36

Ya … Mengherankan …
Mungkin pengen ngetest usernya …
Bisa nggak bikin tunnelling
- Comment by MaIDeN
- Posted from Barat Indonesia
- Using Mozilla Firefox 1.5.0.4 on Windows XP
- 9 December 2006 at 06:20
37

but how?
membaca aja aku sulit
- Comment by oon
- Posted from Jakarta Indonesia
- Using Internet Explorer 6.0 on Windows XP
- 9 December 2006 at 18:48
38

hmm, kalo pake webmessenger (ebuddy.com) bisa masuk ga?
- Comment by elvin
- Posted from Bussum Netherlands
- Using Mozilla Firefox 1.5.0.8 on Windows XP
- 10 December 2006 at 00:39
39

lagi ngomong apaan sih diatas
- Comment by dodol
- Posted from Frisco United States
- Using Mozilla Firefox 1.5.0.8 on Windows 98
- 11 December 2006 at 12:24
40

Lapor bos…. Speedy saya engak ada problemo dengan koneksi YahuiMassage maupun AOL/iChat. MSN ga pernah pake.

Laporan selesai!
- Comment by idarmadi
- Posted from Abadi Indonesia
- Using Mozilla Firefox 1.5.0.8 on Mac OS X
- 11 December 2006 at 16:22
41

Kalau perlu DOWNLOAD CEPET ya make SPEEDY tapi tidak di ANJURKAN di semua daerah… di daerah tertentu aja
- Comment by Jauhari
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0 on Windows XP
- 11 December 2006 at 23:09
42

hehehe… ga ngerti buanggett!!!
tulalit
- Comment by mela depok
- Posted from Jakarta Indonesia
- Using Internet Explorer 6.0 on Windows XP
- 12 December 2006 at 12:35
43

Pake “hopster”, bypass firewall - bypass proxy - http tunnel software..
http://www.hopster.com
- Comment by Lantjiba
- Posted from Jakarta Indonesia
- Using Opera 9.02 on Windows XP
- 13 December 2006 at 11:09
44

Ada howto yg cukup “nakal” buat bypass
firewall & proxy, agar di kantor bisa
chatting & main2 :
http://www.buzzsurf.com/surfatwork
- Comment by Lantjiba
- Posted from Jakarta Indonesia
- Using Links 0.4.2 on Linux
- 13 December 2006 at 11:20
45

Wahahaha… Priyadi make Speedy selalu apes ya. Ada aja masalahnya. Saya pake Speedy sejak September dan selalu baik2 saja. YM atau GAIM ndak masalah.

Dulu tahun 2004 Priyadi juga yang komplain soal Speedy. Tapi akhirnya dia pake Speedy juga.

Tapi kok IP saya jadi Australia ya?
- Comment by Agus
- Posted from Surabaya Indonesia
- Using Internet Explorer 6.0 on Windows XP
- 15 December 2006 at 17:38
46

numpang ngetes OS,,
- Comment by Jukri
- Posted from Yogyakarta Indonesia
- Using Mozilla 1.7.13 on Windows XP
- 15 December 2006 at 18:32
47

Numpang Ngetes OS jg……
- Comment by namakuaji
- Posted from Jakarta Indonesia
- Using Internet Explorer 7.0 on Windows XP
- 17 December 2006 at 10:45
48

ada yg pake speedy di bdg ga ? gmana speednya ?
nb: kalo org telkom jangan ngasih jawaban pertanyaanku ya… ( i dont trust you!! )
- Comment by rtfm
- Posted from Bandung Indonesia
- Using Unknown browser
- 22 December 2006 at 02:14
49

FTP juga gak bisa2
- Comment by valimot
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0.0.1 on Windows 2000
- 8 January 2007 at 15:35
50

owalah mas.. nasibmu apes bgt..

gwe make speedy dari awal ampe sekarang… g ada apa2. ok2 ajah tuh.

btw, salahnya dimana yach?
- Comment by syachiz
- Posted from Indonesia
- Using Internet Explorer 6.0 on Windows XP
- 2 April 2007 at 12:17
51

Mas, saya coba menterjemahkan tulisan ini ke bahasa Indonesia. Selengkapnya bisa di lihat disini.

Jika ada kekurangan mohon direvisi. Thanks.
- Comment by Ferdian
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0.0.3 on Windows XP
- 24 May 2007 at 14:21
52

saya pake speedy juga. ping ke usa kalo siang lebih dari 2000ms dan itu sering. so bwt apa isp dengan latency segitu gede? jangankan ke usa, ke server di iix aja (cbn.net.id, indosat.com) lebih dari 300ms. sering putus lagi koneksinya
- Comment by arnas
- Posted from Jakarta Indonesia
- Using Mozilla Firefox 2.0.0.11 on Windows XP
- 5 December 2007 at 16:31
53

hmmmm belum ngerti akh…
- Comment by yudi
- Posted from San Jose United States
- Using K-Meleon 1.1 on Windows XP
- 8 December 2007 at 00:04

Name (required)

Email (not published) (required)

Website

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Smileys: $\:d/$ more »