apt-get install via tunnel proxy but ssh only from client side

Asked 1/4, 2016 at 10:26 Answered 8/12, 2022 at 13:10

So... this is my problem:

I can access to a VPN from my machine. I can access to a server in the VPN via SSH, but this machine has no access inside out because a firewall is blocking the reverse ssh connections. So I can't use Internet via tunnel to use apt-get.

How can I emulate:

sudo ssh -D 9999 root@<machineoutsidevpn>

But from outside the VPN. Or any way to use the Internet connection to install packages?

Gonidium answered 1/4, 2016 at 10:26 Comment(1)

I tried with this solution: superuser.com/questions/370930/ssh-reverse-socks-tunnel using the command "ssh remotehost -R remoteport:localhost:localport "ssh -D 9050 localhost -p remoteport"" but it doesn't work either – Gonidium 1/4, 2016 at 11:23

Setup:

Computer A

Has access to Internet
Has access to Computer B
SSH is installed

Computer B

Doesn't have access to Internet
OpenSSH Server is installed

Steps:

ssh into Computer B from Computer A

sudo ssh -R <selected port>:us.archive.ubuntu.com:80 [email protected]

Edit Computer B's /etc/apt/apt.conf to include the following lines:

Acquire::http::Proxy "http://localhost:<selected port>";
Acquire::https::Proxy "https://localhost:<selected port>";

Run your apt-get update or install or upgrade on Computer B and it should work.

A few notes:

You HAVE to keep the original session of ssh from Computer A to Computer B active while using Computer B to access apt-get repositories.
You DON'T have to use the same ssh connection to utilize the tunnel (meaning if you have multiple ssh connection into Computer B, they should all work)

Using Putty

This can also be achieved using Putty (assuming that Computer A is the Windows machine).

When starting the session, select SSH --> Tunnels
Source Port: <selected port>
Destination: us.archive.ubuntu.com:80
Select the "Remote" radio button
Select "Add" button
Configure your session as you normally would.
Follow steps 2 & 3 above

Diminutive answered 18/4, 2016 at 23:18 Comment(6)

Thanks! You save my life. It worked for the official repositories, but... what if I need extra packages or use python pip. – Gonidium 21/4, 2016 at 10:30

I tried in computerA: ssh -R 8889:pypi.python.org:443 [email protected] and in computerB: sudo pip --proxy=localhost:8889 install <package>. But it doesn't work – Gonidium 22/4, 2016 at 12:45

@Gonidium python pip present an entirely different problem. I wasn't able to get it to work in the limited time I spent on this. I just manually install packages instead. – Diminutive 31/8, 2016 at 15:28

for debian distro use: ftp.us.debian.org:80 – Phonotypy 22/8, 2019 at 13:14

This only partially works: It fails for most https traffic. Even if you make apt ignore the certificates, it still doesn't work. But it is good enough if you're lucky... some things might install. – Underground 14/12, 2021 at 3:29

is it possible to do it purely using apt's command lines in place of step 2? In my case, my account doesnt have sudo access – Pegg 14/3 at 9:8

This worked for me:

On computer B, do not change /etc/apt/apt.conf, I suggest to create/edit /etc/apt/apt.conf.d/proxy.conf with this:

# "socks5h" means proxy with DNS resolving ability
Acquire {
  HTTP::proxy "socks5h://127.0.0.1:8080";
  HTTPS::proxy "socks5h://127.0.0.1:8080";
}

This will keep the proxy configuration separate from other APT configuration.

On computer A: run SSH e.g:

ssh -R 127.0.0.1:8080 [email protected]

On computer B you can verify that the proxy works as expected using curl eg:

curl -v --socks5 localhost:8080 http://security.debian.org/debian-security

Kenaz answered 8/12, 2022 at 13:10 Comment(2)

Does not work for me on 24.04 when I used one server as jump host and ssh tunnel. But it works in case of A: jump host, B: port forward(ssh -R 127....), C: server without internet – Sputnik 14/6 at 20:15

sudo curl --proxy socks5h://localhost:8080  -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc

– Sputnik 14/6 at 20:22

An option would be to enable SSH Tunneling. This lets you run an SSH session inside another protocol, this option lets you bypass the firewall by fooling it into thinking that the Incoming Connection is actually a http port 80 reply instead of port 21. an example is below, you may need to fine tweak it to your liking.

ssh -L 9000:serverIpAddress:80 [email protected]

Good luck!

Rileyrilievo answered 1/4, 2016 at 11:11 Comment(2)

I tried but it doesn't work, I think all out connections are forbidden. I can connect from outside using the command "ssh -L 9000:serverIpAddress:80 [email protected]" but when I'm connected in the server inside tsocks doesn't work. (I previously configured tsocks on 127.0.0.1 and port 9000) – Gonidium 1/4, 2016 at 11:19

If its a deep packet inspecting Firewall, it will get pretty complicated. try find out what type of firewall you are dealing with. – Rileyrilievo 1/4, 2016 at 12:46

Install proxychains and tmux: you might have luck with something like:

sudo ssh -R 8080:us.archive.ubuntu.com:80 [email protected]
echo 'Acquire::http::Proxy "http://localhost:8080";' | sudo tee /etc/apt/apt.conf.d/proxy.conf
apt-get update
apt-get install proxychains tmux
sudo rm /etc/apt/apt.conf.d/proxy.conf

Notice the last line there undid the apt proxy configuration?

After you have proxychains and tmux, you can get much more reliable operation, and without funky apt configuration changes, and pip / curl etc works too.

First, start up tmux. (quick primer, uses CTRL-B than another key, 'c' for another new shell, 'n/p' for cycling between shells, 'd' to detach and leave things running).

tmux

Next, we'll make a ssh connection from the isolated computer back to any computer it can SSH to which does have internet access, lets call it server.

ssh -f -NT -M -S ~/.ssh/ssh_socket_for_proxychains -D 127.0.0.1:17471 server

This doesn't seem like it's done anything, because it's running in the back ground. You can see it with ps aux |grep ssh or so.

Now, configure /etc/proxychains.conf:

sudo nano /etc/proxychains.conf

Change the last line from socks4 127.0.0.1 9050 to socks5 127.0.0.1 17471.

Finally, you can now run things like sudo proxychains apt upgrade -y and proxychains pip install ... without having them fail.

As a bonus, you can detach the tmux session (CTRL-b,d) and come back to it later (ssh back in, then tmux a).

For raspberrypi's, it works if you change 'us.archive.ubuntu.com' to 'archive.raspberrypi.org', and for random debian you might have luck with 'ftp.us.debian.org'

For me, the use case is things like raspi's on a isolated static ip network, where I have another server with two network connections (one with internet access, another to the isolated lan) where it does not route: It's running trueNAS, and the lan is staying isolated. But it does have opensshd that I can ssh into, and then ssh along to the pi.

In this case, its isolated lan ip address is the 'server' the pi connects back to. And its the pi that gets proxychains and tmux and can then be updated via apt.

Credit to James Mertz for the ssh -R part, but it only works with http traffic, anything that has an https URL will fail; and it won't work for pip: where things get fetched from a bunch of different random servers. Still, it's good enough to use to get proxychains.

The proxychains howto part came curtesy of https://yuzhangbit.github.io/tools/use-apt-get-behind-socks5-proxy/

Underground answered 14/12, 2021 at 4:3 Comment(1)

Looks interesting. Would be good to get a bit of info about what the role of proxychains and tmux are in this setup, rather than just the how-to. – Neigh 31/5, 2023 at 3:20

Setup:

Steps:

A few notes:

Using Putty

Recommended topics

Hot tags