
Tunneling

Using Tunnels for Privacy and JTAN Service Access

Another term for a tunnel is a "Virtual Private Network" or VPN. The idea is that your network connection disappears into the tunnel and reappears here at JTAN as if you were directly connected: you are then "virtually" connected to our local "private network".

A VPN Tunnel to JTAN is useful for enhancing your privacy, facilitating the transport of multiple services through firewalls, and accessing services restricted to JTAN local hosts such as

  • WWW Proxy
  • NNTP Usenet News
  • SMTP Relay
If you are not one of the fortunate few with a direct network connection to JTAN (with a local IP address), then you must use a tunnel to access any of these services.

A key benefit of a secure VPN tunnel is that everything you send through it is encrypted between your PC and JTAN and funneled through a single network connection to a single port. This makes your activity difficult to snoop on along the way, and easy to thread through a narrow hole in a firewall or router. Of course, once your traffic leaves the tunnel at JTAN, it travels across the net in the normal way: the tunnel protects you from the network between you and JTAN, not from the sites you then talk to.

There are several sorts of VPN Tunnels that JTAN supports. The following sections show how to set them up.

SSH Port Forwarding

If you have a JTAN ProShell or ProWeb account, you have shell access to a JTAN host. With that access comes the ability to create a VPN tunnel using SSH port forwarding.

The SSH protocol can forward arbitrary network connections to specific ports over your encrypted SSH connection to the JTAN shell machine. For example, you could use an SSH tunnel to connect from your home computer to the WWW proxy server at JTAN. Even if your company's firewall blocks SSH on port 22, there are ways around this (see "Puncturing Firewalls that block Port 22" below).

In order to use SSH port forwarding to connect from your local machine to a port on a remote server, you need to:

  • Choose a port number on your PC for your local end of the tunnel.
  • Select the host address and port that you want to connect the other end of the tunnel to.
  • Configure your SSH client to create a Local forwarded port between your local port and the remote host and port.
  • Configure network applications on your PC to use "localhost" and the local port to access the service you are tunneling.
  • Log in with SSH and use the tunnel.
For example, you might want to connect port 8080 on your local PC through the tunnel to the anonymizing WWW proxy at JTAN on "webproxy.jtan.com" port 3128. It doesn't really matter what port you use at your PC, so long as it isn't used for something else. Some folks like to use the same port number at both ends. Once SSH is configured to create this local forwarded port, log in to JTAN with your SSH program. You will find the WWW proxy service you are tunneling forwarded to localhost at the selected 8080 port.
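The same procedure with the OpenSSH command-line client, as an added example that is not part of the JTAN page. It builds the -L option for the webproxy.jtan.com:3128 forward described above, lets you add further forwards, refuses bad port numbers, and shows how to check that the tunnel is actually carrying traffic. The login name "alice" is a placeholder, not something the page states; home.jtan.com is the shell host the page names. Running the tunnel assumes public-key authentication or a running ssh-agent, since ssh is started in the background without a terminal.

```shell
#!/bin/sh
# Added example, not JTAN's own code: an OpenSSH local forward equivalent to
# the PuTTY setup the page describes. "alice" is a placeholder login name.
JTAN_USER="${JTAN_USER:-alice}"            # placeholder, not from the page
JTAN_HOST="${JTAN_HOST:-home.jtan.com}"    # shell host named on the page

# Accept only a usable TCP port number (1-65535).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit one -L option. The listener is pinned to 127.0.0.1 so that other
# machines on your LAN cannot ride your tunnel under your account (ssh binds
# loopback by default, but stating it guards against GatewayPorts in ssh_config).
forward_opt() {   # forward_opt LOCAL_PORT DEST_HOST DEST_PORT
    valid_port "$1" && valid_port "$3" || return 1
    printf '%s' "-L 127.0.0.1:$1:$2:$3"
}

# Assemble the full command from LOCAL:HOST:PORT triples.
#  -N                          forwards only, no remote shell
#  -o ExitOnForwardFailure=yes fail loudly if a local port is already taken,
#                              instead of logging in with a dead tunnel
# Local ports below 1024 need root on Unix, so use 1119 rather than 119 for news.
tunnel_cmd() {   # tunnel_cmd 8080:webproxy.jtan.com:3128 [1119:news.jtan.com:119 ...]
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    for spec in "$@"; do
        case "$spec" in *:*:*) ;; *) return 1 ;; esac
        lp=${spec%%:*}; rest=${spec#*:}
        opt=$(forward_opt "$lp" "${rest%%:*}" "${rest#*:}") || return 1
        cmd="$cmd $opt"
    done
    printf '%s %s@%s' "$cmd" "$JTAN_USER" "$JTAN_HOST"
}

# Is something already listening on the chosen local port? (ss on Linux,
# netstat elsewhere.) Returns 0 if the port is busy.
port_in_use() {   # port_in_use LOCAL_PORT
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "[.:]$1[[:space:]]"
    else
        netstat -an 2>/dev/null | grep -q "[.:]$1[[:space:]].*LISTEN"
    fi
}

# End-to-end check: fetch a URL through the forwarded proxy and report the
# HTTP status the proxy returned. Needs the ssh session running and curl.
check_proxy() {   # check_proxy LOCAL_PORT URL
    curl -s -o /dev/null -w '%{http_code}' -x "http://127.0.0.1:$1" "$2"
}

# Only connect when invoked as "sh tunnel.sh run"; defining the functions
# alone has no side effects.
if [ "${1:-}" = "run" ]; then
    port_in_use 8080 && { echo "local port 8080 is busy; pick another" >&2; exit 1; }
    CMD=$(tunnel_cmd 8080:webproxy.jtan.com:3128 1119:news.jtan.com:119) || exit 1
    echo "starting: $CMD"
    $CMD &
    SSH_PID=$!
    sleep 3
    echo "proxy answered HTTP $(check_proxy 8080 http://www.jtan.com/)"
    kill "$SSH_PID"
fi
```

PuTTY's command-line companion plink accepts the same -N and -L syntax, so the string tunnel_cmd prints works there too once "ssh" is replaced by "plink". The ExitOnForwardFailure option is the command-line equivalent of checking the PuTTY Event Log: without it, a forward that fails because the port is in use is reported only as a warning and the session continues.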

SSH Applications

There are SSH applications for every OS. See the JTAN SSH Resource Page for details. Most of these applications do port tunneling, but not all, so choose carefully.

Tunneling Using Putty

PuTTY is probably the most popular SSH application on Microsoft Windows PCs. The ability to create tunnels is a recent addition (version 0.53 has it). The PuTTY User's Manual has a good discussion of port forwarding.

With PuTTY, before you start your SSH connection, go to the Tunnels panel (see section 4.19.2 of the manual). Make sure the "Local" radio button is selected. Enter the local port number into the "Source port" box. Enter the destination host name and port number into the "Destination" box, separated by a colon (for example, webproxy.jtan.com:3128 to connect to JTAN's anonymizing WWW proxy server; use 3129 instead for transparent mode).

Be sure to click the "Add" button so the details of your port forwarding appear in the list box.

[Screenshot: PuTTY Tunnels panel with the forwarding entry added]

Now start your session and log in to your shell account. Be sure to select SSH and not Telnet (port forwarding is not enabled until after you have logged in with SSH). Remember that your local end of the tunnel is on "localhost". So if you are setting up the WWW proxy, specify "localhost" as your proxy address, with the port number you chose at the local end (8080 in the example above). Here's an example of what the proxy configuration on MSIE 5.5 looks like when using an SSH tunnel.

[Screenshot: MSIE 5.5 proxy settings pointing at localhost, port 8080]

To check that PuTTY has set up the port forwarding correctly, you can look at the PuTTY Event Log (see section 3.1.3.1). It should say something like this:

2001-12-05 17:22:10 Local port 3110 forwarding to
         popserver.example.com:110
As long as you keep the shell connection open, the tunnel should remain operational.

Other useful tunnels might be

  • news.jtan.com:119
  • smtp.jtan.com:25
  • bots.jtan.com:9999
Again, it's OK to use a local port number that is the same as the remote port if you want, so long as your local PC isn't using that port for something else.

Puncturing Firewalls that block Port 22

What if your firewall blocks port 22 on home.jtan.com? Not a problem. Most firewalls of this kind filter by port number rather than by protocol, so try any of the unorthodox ports for connecting to our server with SSH.

SOCKS4 with SSH

OpenSSH, including the Cygwin (www.cygwin.com) port for Windows, has the -D option, which creates a SOCKS proxy (SOCKS4 and SOCKS5) on the local host. With this technique you point one application, or any set of SOCKS-aware applications, at the tunnel, while everything else (port 443, 80 and so on) keeps going out normally, so you can still reach resources on your own network without setting up any routes. The command looks something like this:
        ssh -p 443 -D 8080 hostname
Then turn on the SOCKS proxy option in the application(s) you want to forward and point them at localhost, port 8080. The "-p 443" selects one of the unorthodox ports described above for getting past a firewall that blocks port 22; leave it out if port 22 is reachable.
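An added example, not from the JTAN page, of the dynamic forward above with the checks worth running before trusting it. The login name "alice" is a placeholder, and port 443 stands in for whichever alternative sshd port JTAN actually offers (the page says such ports exist but does not list them here). The socks5h scheme in curl matters for privacy: it hands the host name to the proxy so DNS is resolved at the JTAN end, whereas socks4 and plain socks5 resolve names locally and leak your lookups to the network you are trying to avoid.

```shell
#!/bin/sh
# Added example, not JTAN's own code: OpenSSH -D SOCKS tunnel and checks.
# "alice" and the sshd port 443 are placeholders, not values from the page.
JTAN_USER="${JTAN_USER:-alice}"
JTAN_HOST="${JTAN_HOST:-home.jtan.com}"

# Build the ssh command.
#  -N                    forwards only, no remote shell
#  -D 127.0.0.1:PORT     SOCKS listener on loopback only; never 0.0.0.0, or
#                        everyone on your LAN gets a proxy under your account
#  -p SSH_PORT           the alternative sshd port for firewalls blocking 22
socks_cmd() {   # socks_cmd SOCKS_PORT SSH_PORT
    printf 'ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s -p %s %s@%s' \
        "$1" "$2" "$JTAN_USER" "$JTAN_HOST"
}

# Proxy URL for curl. The scheme decides who resolves host names:
#   socks4, socks5  curl resolves locally -> DNS queries leak to your ISP
#   socks5h         the name goes through the tunnel and is resolved at JTAN
proxy_url() {   # proxy_url SCHEME SOCKS_PORT
    case "$1" in
        socks4|socks5|socks5h) printf '%s://127.0.0.1:%s' "$1" "$2" ;;
        *) return 1 ;;
    esac
}

# Fetch a URL through the SOCKS listener and report the HTTP status code.
fetch_via_socks() {   # fetch_via_socks SCHEME SOCKS_PORT URL
    url=$(proxy_url "$1" "$2") || return 1
    curl -s -o /dev/null -w '%{http_code}' -x "$url" "$3"
}

# Only connect when invoked as "sh socks.sh run".
if [ "${1:-}" = "run" ]; then
    CMD=$(socks_cmd 8080 443)
    echo "starting: $CMD"
    $CMD &
    SSH_PID=$!
    sleep 3
    # Both fetches go through the tunnel, but only the socks5h one keeps the
    # DNS lookup inside it as well.
    echo "socks5h: HTTP $(fetch_via_socks socks5h 8080 http://www.jtan.com/)"
    echo "socks4:  HTTP $(fetch_via_socks socks4 8080 http://www.jtan.com/)"
    kill "$SSH_PID"
fi
```

Browsers have the same split: a SOCKS5 setting alone still resolves names locally unless the option to proxy DNS through the SOCKS server is also enabled. Applications that do not speak SOCKS at all cannot use this kind of tunnel and need an explicit -L forward instead.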


OpenVPN Setup

OpenVPN allows your PC to "tunnel" through the internet and appear as if it's part of the JTAN LAN. This is useful if you want to protect your privacy, or if you want to access JTAN features that require you to be on our LAN.

In order to use OpenVPN, you need to download and install the 2.0 beta series OpenVPN client software. Note that 2.0 series features are required; the 1.x version will not work. OpenVPN clients are available for Windows 2000/XP, Linux, BSD, and Mac OS X, and can be downloaded from the OpenVPN web site. Once you have OpenVPN installed, you will need the following four files, available from the JTAN Members Pages. Look for them at the "JTAN Client Certs" link under Account Services, Misc, on the lower right.

  • The OpenVPN Config File
  • Your JTAN Client Certificate
  • Your JTAN Client Private Key
  • JTAN's VPN CA Certificate
Save each of these files to the directory which holds your OpenVPN configuration files. (This is probably C:\Program Files\OpenVPN\config on Windows, and /etc/openvpn on Unix.)

Once these files are in place, you can start OpenVPN. On unix, run "/usr/local/sbin/openvpn --config /etc/openvpn/jtan.ovpn". On Windows, open the OpenVPN config directory, right click on jtan.ovpn and select "Start OpenVPN on this config file".

If you see the error message: "Unrecognized option or missing parameter jtan.ovpn:s5: pull", you have the 1.x version installed, and need to replace it with a 2.x version.
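Before starting OpenVPN it is worth checking the four files and the client version rather than waiting for the error above. The script below is an added example, not JTAN's own code or the contents of their config file. It assumes jtan.ovpn names the certificate files with the standard OpenVPN "ca", "cert" and "key" directives (the page does not show the file), and the sample config it writes into a temporary directory is constructed for the demonstration with placeholder file names.

```shell
#!/bin/sh
# Added example, not JTAN's own code: pre-flight checks for an OpenVPN client
# config directory. Assumes the config uses the "ca"/"cert"/"key" directives.

# Is an "openvpn --version" banner a 2.x or later release? The page says 1.x
# clients fail on the "pull" directive in the JTAN config.
openvpn_is_v2() {   # openvpn_is_v2 "OpenVPN 2.0.9 i686-pc-linux ..."
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenVPN \([0-9][0-9]*\)\..*/\1/p' | head -n 1)
    [ -n "$ver" ] && [ "$ver" -ge 2 ]
}

# Value of a one-argument directive (ca, cert, key) in an .ovpn file.
config_value() {   # config_value CONFIG_FILE DIRECTIVE
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Check that each referenced file exists next to the config, and that the
# private key is readable by its owner only. The key is the credential for
# your JTAN account; a world-readable copy defeats the point of the VPN.
check_client_files() {   # check_client_files CONFIG_DIR CONFIG_NAME
    cfg="$1/$2"
    [ -r "$cfg" ] || { echo "missing config $cfg" >&2; return 1; }
    rc=0
    for d in ca cert key; do
        f=$(config_value "$cfg" "$d")
        [ -n "$f" ] || { echo "no '$d' directive in $2" >&2; rc=1; continue; }
        [ -r "$1/$f" ] || { echo "$d file '$f' not found in $1" >&2; rc=1; }
    done
    keyf=$(config_value "$cfg" key)
    if [ -n "$keyf" ] && [ -r "$1/$keyf" ]; then
        # characters 5-10 of "ls -l" are the group and other permission bits
        others=$(ls -ld "$1/$keyf" | cut -c5-10)
        [ "$others" = "------" ] || {
            echo "private key '$keyf' is readable by others; run: chmod 600 $1/$keyf" >&2
            rc=1
        }
    fi
    return $rc
}

# Constructed demo directory (not real JTAN material): a minimal config with
# placeholder file names and a deliberately world-readable key. Prints its path.
demo_dir() {
    d=$(mktemp -d)
    cat > "$d/jtan.ovpn" <<'EOF'
client
dev tun
ca jtan-ca.crt
cert alice.crt
key alice.key
pull
EOF
    : > "$d/jtan-ca.crt"; : > "$d/alice.crt"; : > "$d/alice.key"
    chmod 644 "$d/alice.key"
    printf '%s' "$d"
}

# Run the checks against the demo directory when invoked as "sh check.sh demo".
if [ "${1:-}" = "demo" ]; then
    D=$(demo_dir)
    check_client_files "$D" jtan.ovpn || echo "fix the problems above before starting OpenVPN"
    rm -rf "$D"
fi
```

On a real installation point check_client_files at C:\Program Files\OpenVPN\config or /etc/openvpn and jtan.ovpn; the version check takes the first line of "openvpn --version". Because the check only reads the files, it is safe to run as an unprivileged user before the root-level start of the tunnel.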



www.jtan.com

Copyright © 1991-2007
JTAN
All rights reserved
All use of this site subject to terms.