Making IP Tunnel over SSH

As long as I’ve been a [TelkomSpeedy](http://telkomspeedy.com/) customer, I’ve never been able to log on to any IM service. Yahoo! Messenger, MSN Messenger, Jabber, ICQ, AIM: none of them worked at all. I’m not alone; other Speedy customers like [Devi](http://devigirsang.blogspot.com/2006/12/dial-up-to-adsl.html) and [Tya](http://blog.raditya.net/) experienced the same problem. I’m still curious why they chose to filter all IM traffic on their router.

They do allow [SSH](http://en.wikipedia.org/wiki/SSH) though, and this is how I managed to ‘fix’ the problem: by routing IM traffic through an SSH tunnel.

First, the prerequisites. I need a server that is directly connected to the Internet, and root access to it. This may be a tough requirement for casual users, but thankfully I do have root access on several dozen servers.

Second, I need to prepare the server for [NAT](http://en.wikipedia.org/wiki/Network_address_translation). For my purposes, this server will act as a (second) gateway for my computer. This needs to be done on the server:


# start from an empty nat table
iptables --table nat --flush
iptables --table nat --delete-chain
# rewrite the source address of everything leaving via eth0 to the server's own
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# let packets arriving from the ppp link be forwarded
iptables --append FORWARD --in-interface ppp+ -j ACCEPT
# turn on routing between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

Not much different from my usual NAT setup, except this time it is the other way around: `--out-interface` is now eth0, and `--in-interface` is now ppp+, because eth0 is the interface connected directly to the Internet, and ppp0 becomes the link between the server and my computer. One caveat: the FORWARD rule above only covers packets coming in from the ppp link. That is enough when the FORWARD chain’s default policy is ACCEPT (the usual default); if it is DROP, the replies coming back from eth0 also need a rule, for example `iptables --append FORWARD --out-interface ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`.

And now, to create the tunnel itself. This needs to be done on my computer:


/usr/sbin/pppd updetach noauth silent nodeflate pty \
        "/usr/bin/ssh root@server.example.com /usr/sbin/pppd \
        nodetach notty noauth" ipparam vpn 10.0.0.1:10.0.0.2

Substitute `server.example.com` with the real server name. The ssh session has to come up without prompting, so use key-based authentication (or an ssh agent): the ssh process is attached to pppd’s pty, and a password prompt there would just be fed to pppd as garbage. Since the key logs in as root, it is worth restricting it on the server with a forced command in `~root/.ssh/authorized_keys` (`command="/usr/sbin/pppd nodetach notty noauth"` in front of the key), so that this key can only ever start pppd. This should create a new ppp0 interface on both the server and my computer, with 10.0.0.1 on my end and 10.0.0.2 on the server’s end. I should now be able to ping 10.0.0.2 and it should respond.

Next, I need to modify my routes. The order matters. First I need a dedicated host route to the server via my current gateway, so that the ssh session carrying the tunnel keeps using the LAN and doesn’t get dropped once the default route moves: `route add -host server.example.com gw 192.168.1.1`, where `server.example.com` is the server hostname (use its IP address if you don’t want `route` to do a DNS lookup) and `192.168.1.1` is my current gateway. And second, I need to change my default gateway to the tunnel: `route del default ; route add default gw 10.0.0.2`.

All done; now all traffic, DNS included, will be sent through the tunnel to my server. Any connection that originates from my computer is masqueraded by the server, so the destination sees the server, not my computer, as the origin of the connection. Note what this does and doesn’t protect: only the hop from my computer to the server is encrypted by SSH; from the server onwards the IM traffic travels exactly as it would have without the tunnel.
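The three steps above (server NAT, tunnel, routes) collected into one script with a teardown path. This is an added example, not code from the original post; it keeps the post’s placeholders (`server.example.com`, `192.168.1.1`, `10.0.0.1`/`10.0.0.2`, `eth0`) and assumes pppd on both ends, key-based ssh to root on the server, and the legacy `route` tool. The `SERVER_IP` variable, the `DRY_RUN` switch and the `run`/`is_ipv4` helpers are my own additions.

```shell
#!/bin/sh
# Added example (not from the original post): server NAT, SSH/pppd tunnel and
# client routes as one script. Assumes pppd on both ends, key-based ssh to
# root@$SERVER, eth0 as the server's Internet interface, legacy `route`.
set -eu

SERVER="${SERVER:-server.example.com}"   # placeholder, as in the post
SERVER_IP="${SERVER_IP:-}"               # numeric address of $SERVER (assumed input)
LOCAL_GW="${LOCAL_GW:-192.168.1.1}"      # LAN gateway the ssh session must keep using
LOCAL_IP="10.0.0.1"                      # my end of the ppp link
REMOTE_IP="10.0.0.2"                     # server end, becomes the new default gateway
SERVER_IFACE="${SERVER_IFACE:-eth0}"

# Every privileged command goes through run(); DRY_RUN=1 prints the command
# instead of executing it, so the plan can be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Dotted quad with each octet in 0..255; rejects junk in a gateway variable
# before it ends up in a route command.
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# Server side: the NAT rules from the post, plus a rule for return traffic
# that is needed when the FORWARD policy is DROP (harmless when it is ACCEPT).
server_nat_up() {
    run iptables --table nat --flush
    run iptables --table nat --delete-chain
    run iptables --table nat --append POSTROUTING --out-interface "$SERVER_IFACE" -j MASQUERADE
    run iptables --append FORWARD --in-interface ppp+ -j ACCEPT
    run iptables --append FORWARD --out-interface ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Client side: pppd on each end talks over the ssh session's pty. `updetach`
# blocks until the link is up, then pppd backgrounds itself.
client_tunnel_up() {
    run /usr/sbin/pppd updetach noauth silent nodeflate pty \
        "/usr/bin/ssh root@$SERVER /usr/sbin/pppd nodetach notty noauth" \
        ipparam vpn "$LOCAL_IP:$REMOTE_IP"
}

# $1: numeric server address. Pin the ssh session to the LAN gateway first;
# only then can the default route be moved into the tunnel.
client_routes_up() {
    server_ip="$1"
    is_ipv4 "$server_ip" || { echo "bad server address: '$server_ip'" >&2; return 1; }
    is_ipv4 "$LOCAL_GW"  || { echo "bad gateway: '$LOCAL_GW'" >&2; return 1; }
    run route add -host "$server_ip" gw "$LOCAL_GW"
    run route del default
    run route add default gw "$REMOTE_IP"
}

# Reverse of client_routes_up: default route back to the LAN, host route gone.
client_routes_down() {
    server_ip="$1"
    is_ipv4 "$server_ip" || { echo "bad server address: '$server_ip'" >&2; return 1; }
    run route del default
    run route add default gw "$LOCAL_GW"
    run route del -host "$server_ip" gw "$LOCAL_GW"
}

case "${1:-}" in
    server) server_nat_up ;;
    up)     client_tunnel_up; client_routes_up "$SERVER_IP" ;;
    down)   client_routes_down "$SERVER_IP"; run pkill -x pppd ;;   # kills every pppd, fine on a single-link box
    *)      echo "usage: SERVER_IP=a.b.c.d $0 server|up|down   (DRY_RUN=1 to print instead of run)" >&2 ;;
esac
```

Run `DRY_RUN=1 SERVER_IP=203.0.113.5 sh tunnel.sh up` first to see the exact commands that would be issued; `down` restores the LAN default route before killing pppd, so the machine is never left without a default route.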

Please note that tonight they fixed the problem, and for the first time I can run IM without tunneling. I don’t know if my little chat with KWW yesterday had anything to do with this :).

53 comments

  1. Speedy = limited wired connection for a limited number of Telkom customers. Can’t be used on wireless, I think. Wow, for a problem like this you need 2 servers? Linux servers, at that.
    Is it broadband trouble? How about Fren Maxsurf? StarOne? Just dial them up.

  2. This may be a tough requirement for casual users, but thankfully I do have root access on several dozens of servers.

    Hmm…
    Something fishy here…

  3. #1: I don’t get it either!
    Will it make the top 20??? :d:d:d
    This time the rank seems far more important!! :d:d

  4. Don’t get it either :)

    btw, at home I now use Wifone, because there was an exhibition at Carrefour. I was just drawn in by the ads; better than using telkomnet instant :d

    Top 15??? :-“

  5. If I don’t set it up on the server, I just tunnel via PuTTY,

    set up as a SOCKS proxy..

    127.0.0.1 on some port

    more secure, because only I can use it

  6. I use Speedy in Bali and Jogja, the 300-thousand-rupiah package.

    No problems at all, whether YM, ICQ, MSN, Skype or a SIP phone.
    Strange that every city has a different policy :o

  7. My friends on Speedy are all fine, every IM works. btw, is Speedy good enough for playing CS online (Indonesia) or internet radio (Indonesia)? My friends on Speedy are stingy with their bandwidth //glances at deepblue ;)). If it’s OK for online gaming I’d like to join. <):)

  8. I’m still curious why they chose to filter all IM traffic on their router.

    Not just IM traffic, but also IRC and CVS/SVN as well as other ports including HTTP ports 8080 and 8089.
    It’s already been fixed, after complaining for about a week!
    Speedy, you bast… I mean… holy sh*t, Batman!!1

  9. From the first day I used Speedy in Yogyakarta until now, I’ve had no problems with IM. It’s just that some of my friends in Jakarta did complain about not being able to use IM about a week ago. But even that was only for 2 days. The IP tunnel setup above is complicated, I still don’t get it 8-|

  10. but thankfully I do have root access on several dozens of servers.

    yeah.. and sadly i’m just a casual user :p

    Please note that tonight they already fixed the problem and for the first time I can run IM without tunneling. I don’t know if my little chat with KWW yesterday has anything to do with this :)

    Seems like you really have to go through Mr. Priyadi if you want to complain about a product :))

  11. That’s right, maybe the vendors that set up the routers are different
    after the router broke last week
    nobody at the office could use YM
    too lazy to call 147, which sucks
    they suggested just using meebo
    you’re nuts, 147
    
    so I just set GAIM from port 5050 to port 80
    and thank God, problem solved
    telkom really sucks

  12. Ahem, I just found a “slightly” easier way. Rent a Virtual Private Server (VPS), then install Squid. Configure Squid to accept connections only from localhost (from the VPS itself), so it can’t be abused by others. Then from your computer, just use this command: `ssh -N -L 8888:127.0.0.1:[your-squid-port] [username]@[your-server-ip]`. Make sure you have the same ssh program as Linux has (you can use Cygwin’s if you’re on Windows). After that, just set YM/MSN/etc. to use a proxy at localhost (your own computer) port 8888. The connection to the server will be encrypted by SSH. \:d/

    I myself often use this to also browse some sites that are blocked from the campus network…

  13. Hahaha… Priyadi is always unlucky with Speedy. There’s always some problem. I’ve used Speedy since September and it’s always been fine. YM or GAIM, no problem.

    Back in 2004 Priyadi was also the one complaining about Speedy. But in the end he used Speedy too.

    But why does my IP show up as Australia?

  14. Anyone using Speedy in Bandung? How’s the speed?
    nb: if you’re from Telkom, don’t answer my question… (I don’t trust you!!)

  15. Oh my, you really are unlucky..

    I’ve used Speedy from the start until now… nothing wrong, it’s fine.

    btw, where’s the fault?

  16. I use Speedy too. Ping to the USA during the day is over 2000 ms, and that happens often. So what’s the point of an ISP with latency that high? Never mind the USA, even to servers on the IIX (cbn.net.id, indosat.com) it’s over 300 ms. And the connection drops often, too :((
