# I saw on Reddit that someone made a BSD server to have websites unblocked at their school. How can I do this?



## elicannon (Jul 21, 2020)

According to the Reddit post, the kid made a server and used ssh to connect to it. He had a version of Firefox that ran on the Chromebooks/PCs on a flash drive that routed the requests to the BSD server rather than the school's DNS filter.




I have PuTTY connected, the Firefox and flash drive is all that I need. Thanks for your help!


----------



## SirDice (Jul 21, 2020)

Nothing to do really, just use the dynamic port forwarding of SSH and configure your browser to use that port as a SOCKS5 proxy.


----------



## elicannon (Jul 21, 2020)

SirDice said:


> Nothing to do really, just use the dynamic port forwarding of SSH and configure your browser to use that port as a SOCKS5 proxy.


Thanks!


----------



## zirias@ (Jul 21, 2020)

Probably not worth even trying, modern filtering solutions have DPI firewalls in place and will block SSH (exactly because it can be used to tunnel anything). What could still work is tunneling through https with something like HTTunnel, but that would be pretty slow and a bit more complicated to set up. All of this has nothing to do with FreeBSD.


----------



## SirDice (Jul 21, 2020)

Zirias said:


> Probably not worth even trying, modern filtering solutions have DPI firewalls in place and will block SSH (exactly because it can be used to tunnel anything).


Don't need a DPI firewall for this, just block _all_ outgoing connections and force everyone through a proxy for web access. But you'd be surprised how often regular workstations have full, unfettered, access to the outside world.


----------



## Mjölnir (Jul 21, 2020)

Also RTFM tor(1), torify(1), torsocks(1), torsocks.conf(5) & torsocks(8)
I.e. you can set up your home tor(1) server to listen on HTTP port and connect from everywhere...  Often you need a DynDNS provider for that.


----------



## elicannon (Jul 21, 2020)

I'm new to ssh and port forwarding. I have experience in creating websites so I do have some knowledge.

So I use this example:

```
ssh -L 5901:188.17.0.5:4492 pnap@ssh.server.com
```
https uses 433, so I will change 5901 to 433, and then I change the rest to the IP of my server and the port?


----------



## SirDice (Jul 21, 2020)

You got the gist of it. Yes, you could do that. But the downside is that it only works for that particular website you're forwarding to. Quite useful in many cases. In this case however, you'll want to do something like `ssh -D 8080 myuser@myserver.example.com`. Then configure your browser to use a SOCKS5 proxy on localhost port 8080 (assuming the browser and the SSH session run on the same computer). The browser's proxy settings will direct the traffic through the tunnel and out the receiving end (myserver.example.com).


----------



## Mjölnir (Jul 21, 2020)

These tips are only for legal use, or e.g. to cope with restrictions under a dictatorship. Do not use that to escape your school's internet rules, right?


----------



## Aeterna (Jul 21, 2020)

I don't know about the legality of this. Anyway, it is an easy way to avoid censorship (tested in quite a restrictive environment). Tor is rather visible and will always get scrutiny.
To make it short: hide traffic in https. In contrast to ssh (as in the case of tor), it is very difficult to monitor, detect and block (https is quite a general protocol).


----------



## Mjölnir (Jul 21, 2020)

elicannon said:


> I have PuTTY connected, the Firefox and flash drive is all that I need. Thanks for your help!


Have a look at nomadBSD


----------



## elicannon (Jul 21, 2020)

mjollnir said:


> Have a look at nomadBSD


Ight ill look at it
as for legal stuff, i mean what will the school do about it. I signed something that said that i will abide by the rules, but i mean i am not at the age where i can legally sign something. ALSO uh yeah everyone bypasses the filter and it will just be epic this way


----------



## elicannon (Jul 21, 2020)

also i got this error

 :/


----------



## Mjölnir (Jul 22, 2020)

elicannon said:


> as for legal stuff, i mean what will the school do about it. I signed something that said that i will abide by the rules, but i mean i am not at the age where i can legally sign something. ALSO uh yeah everyone bypasses the filter and it will just be epic this way


_De jure_, you might not have _full_ legal empowerment.  But still you can sign _some_ - not all - contracts.  Anyway, IMHO it's much more important your school tells you _which & why_ content is inaccessible.  You're gifted with a brain to think, and if you decide e.g. to watch inter-species sex, well, if that thrills you, that's your decision... 
Did you read the man page of ssh(1) & the chapter in the handbook?  A user name of _server_ is fairly unusual... maybe you mixed things up?


----------



## elicannon (Jul 22, 2020)

mjollnir said:


> _De jure_, you might not have _full_ legal empowerment.  But still you can sign _some_ - not all - contracts.  Anyway, IMHO it's much more important your school tells you _which & why_ content is inaccessible.  You're gifted with a brain to think, and if you decide e.g. to watch inter-species sex, well, if that thrills you, that's your decision...
> Did you read the man page of ssh(1) & the chapter in the handbook?  A user name of _server_ is fairly unusual... maybe you mixed things up?


i ain't into that stuff gladly. anyways yeah i made a new user account, but the root password isn't working and the display is showing no signal


----------



## SirDice (Jul 22, 2020)

elicannon said:


> also i got this error


That is not an error. Whenever you make a _new_ connection to a server (or any other machine), you're asked to validate the signature to positively identify the server you're connecting to. Once you accepted the signature it will be stored in `~/.ssh/known_hosts`. The next time you connect to that machine the signature will be compared with the stored one from known_hosts. If the signatures don't match ssh(1) will scream bloody murder warning you somebody may be trying to hijack your connection. It is an extra validation check to make sure you're connecting to the right machine.


----------
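
The host key check described in the post above, as an added example that is not part of the original thread: it parses `known_hosts` text (exact and hashed host fields) and reports whether a presented key matches the stored one. The key bytes, salt and file content are constructed for the example, and `myserver.example.com` is the placeholder host name used earlier in the thread.

```python
import base64, hashlib, hmac, struct

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: exact names or a hashed |1|salt|hash entry."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")  # wildcards and [host]:port are not handled

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Return 'match', 'mismatch' (stored key differs) or 'unknown' (first contact)."""
    verdict = "unknown"
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Comments, blanks and marker lines (@cert-authority, @revoked) are not evaluated.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        hosts, ktype, blob = fields[:3]
        if ktype != key_type or not host_matches(hosts, host):
            continue
        if blob == key_b64:
            return "match"
        verdict = "mismatch"
    return verdict

def ed25519_blob(raw32):
    """Base64 ssh-ed25519 public key blob: string(name) + string(key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(blob).decode()

# Constructed sample data: not real keys, salt or hosts.
SALT = b"constructed-salt-20b"
SERVER_KEY = ed25519_blob(bytes(range(32)))
OTHER_KEY = ed25519_blob(bytes(range(1, 33)))
HOST_HASH = hmac.new(SALT, b"myserver.example.com", hashlib.sha1).digest()
KNOWN_HOSTS = "# constructed\n|1|%s|%s ssh-ed25519 %s\n" % (
    base64.b64encode(SALT).decode(), base64.b64encode(HOST_HASH).decode(), SERVER_KEY)

if __name__ == "__main__":
    print("stored key fingerprint:", fingerprint(SERVER_KEY))
    for key in (SERVER_KEY, OTHER_KEY):
        print(check_host_key(KNOWN_HOSTS, "myserver.example.com", "ssh-ed25519", key))
```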



## olli@ (Jul 22, 2020)

SirDice said:


> Don't need a DPI firewall for this, just block _all_ outgoing connections and force everyone through a proxy for web access.


In that case you can still tunnel ssh (and thus anything) through the proxy using CONNECT. See the -X and -x options of nc(1) and the ProxyCommand setting in ssh_config(5). Been there, done that.

However, modern corporate proxies often prevent that, for example by transparently intercepting the HTTPS traffic using MITM methods.


----------
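
The filtering side of what zirias@ and olli@ describe, as an added example that is not part of the original thread: a proxy-side check that keeps a CONNECT tunnel open only when the port is allowed and the first client bytes are a TLS ClientHello rather than an SSH identification string. The function names and sample bytes are constructed for the example.

```python
import re

# SSH identification string sent first by the client (RFC 4253, section 4.2).
SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-[\x21-\x7e]+")
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")

def classify_first_bytes(data):
    """Label the first client bytes seen on a TCP stream or inside a CONNECT tunnel."""
    if SSH_BANNER.match(data):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if HTTP_REQUEST.match(data):
        return "http"
    return "unknown"

def connect_verdict(request_line, first_tunnel_bytes, allowed_ports=(443,)):
    """Decide whether a forward proxy should keep a CONNECT tunnel open."""
    m = re.match(r"^CONNECT (\S+):(\d+) HTTP/1\.[01]$", request_line)
    if not m:
        return "reject: not a CONNECT request"
    if int(m.group(2)) not in allowed_ports:
        return "reject: port %s not allowed" % m.group(2)
    kind = classify_first_bytes(first_tunnel_bytes)
    if kind != "tls-client-hello":
        return "reject: tunnel carries %s, not TLS" % kind
    return "allow"

# Constructed samples: an SSH client banner and a truncated TLS ClientHello record.
SSH_SAMPLE = b"SSH-2.0-OpenSSH_8.2\r\n"
TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])

if __name__ == "__main__":
    for line, payload in [
        ("CONNECT myserver.example.com:22 HTTP/1.1", SSH_SAMPLE),
        ("CONNECT myserver.example.com:443 HTTP/1.1", SSH_SAMPLE),
        ("CONNECT www.example.org:443 HTTP/1.1", TLS_SAMPLE),
    ]:
        print(line, "->", connect_verdict(line, payload))
```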

