How to have external requests from a LAMP server bypass internet censorship?

4

I had another question at the askUbuntu site, and migrated this version from a Server Fault question, as I think that Super User is the best location for asking it.

Background:

I have a local (Drupal) development environment consisting of a LAMP server running on a virtualized Xubuntu 12.04 OS with a host OS of Ubuntu 12.04. Bridged networking is not enabled.

I would like to begin experimenting with the web 2.0 integration aspects of Drupal (i.e. Youtube and Facebook integration) but these websites are all blocked by a massive filtering regime that includes at the very least IP blocking, DNS filtering, URL filtering, and packet filtering--and uses connection-reset packets to enforce these rules. It appears that some ISPs also use deep packet filtering to discover ssh tunnels which are then bandwidth limited--luckily my ISP in my apartment does not appear to do this presently. Foreigners are not prohibited from using proxies/vpns/etc. as long as they do not use these to break the law (i.e. sharing restricted material with Chinese nationals).

For normal web browsing and other tasks that require accessing blocked content I use an ssh tunnel to a server (Ubuntu Server 10.04, with only ssh and openvpn enabled) in another country as a socks5 proxy. Chromium and Firefox are both able to natively send DNS requests through the socks5 proxy (the former by default and the latter by changing a config setting). This solution works perfectly for all browser-side connections to restricted sites.

However, many of the web 2.0 integration Drupal modules also require that the server itself request the restricted external sites.

My question is:

What would be the best way to route through my ssh tunnel and past the filtering regime either:

  • All external requests and DNS lookups from my Apache2 server,

or

  • Only the requests (and DNS lookups) from my Apache2 server to specified hosts?

Considered/Attempted Solutions

  • The simplest solution would be to use a LAMP server on the machine outside of the filtering regime (the one I ssh to). I would prefer not to do this however for a number of reasons (no physical access to this machine in case something goes wrong, older hardware, if I lose my connection to this server I cannot continue development, etc.)
  • Use global proxy settings - Xubuntu does not have the capability for global socks5 settings according to my research. Also I don't know if this would catch my DNS lookups.

  • use tsocks: this seems to be the best candidate but I have two problems/questions:

    1. Where is the script that starts/restarts Apache2 so I can preface these commands with tsocks?

    2. How do I catch and redirect the DNS lookups through the socks5 proxy?

      Editing the /etc/hosts/ file provides a limited workaround but sites like youtube.com load media and other content from so many external sites (and thus URLs) that keeping track of all these (potentially connection resetting) third party URLs is nearly impossible. Using socat to capture, convert and send UDP traffic through the socks5 proxy (as described here) seems like a good solution but I have been unable to implement it as described in the linked tutorial. (If using socat is confirmed to be the proper way to solve my problem I can post the commands I am using for review)

adempewolff

Posted 2012-05-28T06:21:53.803

Reputation: 143

1 You want a VPN, which can then have all traffic directed across it at the network layer. – Darth Android – 2012-05-28T08:10:38.213

@DarthAndroid Yeah, a VPN would be ideal. Unfortunately I was never able to get openVPN configured properly on my server--actually I suspect that it is a router problem on that network. So I started using SSH instead, which I actually now prefer because it allows me to choose what traffic to pass through the tunnel and what traffic not to. – adempewolff – 2012-05-28T08:15:10.920

1 If they are successfully trying to prevent direct OpenVPN connections but SSH is unaffected you could tunnel OpenVPN through SSH. A router problem apart from censorship is unlikely since OpenVPN uses normal TCP or UDP packets. – Gurken Papst – 2012-07-09T19:49:45.593

Answers

1

Apache isn't really making the outbound connections; PHP is. So it's PHP that needs to talk to the SOCKS proxy.

Relevant: https://stackoverflow.com/questions/10490962/establishing-socket-connection-in-php-using-socks-proxy

It would be easier if you had an HTTP proxy, and easiest with a VPN. Perhaps you should give setting up OpenVPN another go?

Alternately, you can set up Privoxy on your server to talk to your SOCKS proxy, and then configure PHP to use Privoxy as an HTTP proxy.

Michael Hampton

Posted 2012-05-28T06:21:53.803

Reputation: 11 744

Great answer, I haven't had time to test it yet but I've marked it as accepted anyway because I suspect that at least one of the possible solutions you mention will meet my needs. Thanks! – adempewolff – 2012-07-10T01:07:41.360
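
The two PHP-side options from the answer above, as an added example that is not part of the original answer: PHP's cURL extension either uses Privoxy as an HTTP proxy or speaks SOCKS5 to the ssh tunnel itself, and in both cases the hostname is resolved at the far end rather than by the local resolver. The SOCKS port 1080, the host list and the function names are assumptions for illustration; 8118 is Privoxy's default listen port.

```php
<?php
// Added example, not from the original answer. Assumed setup (SOCKS port is an assumption):
//   ssh -N -D 127.0.0.1:1080 user@remote.example      SOCKS5 listener from the ssh tunnel
//   Privoxy config line:  forward-socks5 / 127.0.0.1:1080 .
const PRIVOXY_HTTP = '127.0.0.1:8118';   // Privoxy default listen address
const SSH_SOCKS = '127.0.0.1:1080';
const SOCKS5_REMOTE_DNS = 7;             // numeric value of CURLPROXY_SOCKS5_HOSTNAME

// Hypothetical list of hosts that should leave through the tunnel.
$tunneledHosts = ['youtube.com', 'facebook.com'];

// True when the URL's host is a listed domain or one of its subdomains.
function needs_tunnel(string $url, array $hosts): bool
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach ($hosts as $suffix) {
        if ($host === $suffix || substr($host, -strlen($suffix) - 1) === '.' . $suffix) {
            return true;
        }
    }
    return false;
}

// Build cURL options: listed hosts go via the proxy, everything else connects directly.
function proxy_options(string $url, array $hosts, string $mode = 'privoxy'): array
{
    $opts = [CURLOPT_URL => $url, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 20];
    if (!needs_tunnel($url, $hosts)) {
        return $opts;
    }
    // 'socks': the hostname is handed to the SOCKS5 proxy, so no local DNS lookup is made.
    // 'privoxy': Privoxy receives the full URL and forwards it over forward-socks5.
    $opts[CURLOPT_PROXY] = $mode === 'socks' ? SSH_SOCKS : PRIVOXY_HTTP;
    $opts[CURLOPT_PROXYTYPE] = $mode === 'socks' ? SOCKS5_REMOTE_DNS : CURLPROXY_HTTP;
    return $opts;
}

function fetch(string $url, array $hosts, string $mode = 'privoxy'): string
{
    $ch = curl_init();
    curl_setopt_array($ch, proxy_options($url, $hosts, $mode));
    $body = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("request failed: $err");
    }
    return $body;
}

// Offline check of the routing decision; no request is sent here.
foreach (['https://www.youtube.com/', 'http://localhost/drupal/'] as $u) {
    printf("%s -> %s\n", $u, proxy_options($u, $tunneledHosts)[CURLOPT_PROXY] ?? 'direct');
}
```

The same per-host split can be made in Privoxy instead, by giving `forward-socks5` a host pattern in place of `/`.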