Proxy Servers
Drunken Durfin
09-08-2007, 12:26 PM
Could not really find any place to post this...
I am a consultant and find myself working in various law firms around the country about six months out of the year. Network admins, being the nazis that they are, tend to lock down everything that they can, which causes me to be blocked out of GS and AIM on a frequent basis.
I am considering setting up a proxy server back at my office that I can route through for access to GS and AIM when I am on the road. I am pretty computer savvy (I can use Windows without a mouse...amazing how many people can't) and can run the server in windows or Linux depending on need. The thing is that I don't know the first thing about setting up a proxy server. If anyone has some links for info, suggestions for software or any recommendations for this project please send them along. If I manage to get this working I intend to open it up to everyone.
Thanks.
Caede
09-08-2007, 10:17 PM
What you really need is to create an SSH tunnel to do this. Use MyEntunnel (http://nemesis2.qx.net/software-myentunnel.php) to route the GS ports to your server, which will redirect them to Simu.
Essentially, your GS traffic is then wrapped up in an SSH session. As far as network admins are concerned, you've just opened an SSH session up to a server. All the traffic underneath is encrypted. You can also open an outbound SSH session from behind almost any firewall, as it doesn't require any special inbound rules -- only that port 22 is not blocked outbound. You can even get around that by having your SSH server listen on port 80 instead.
I do this from work -- I'll snag my settings on Monday for you. Alternately, I think if you search for people who play WoW from work, you may find similar suggestions. It can be done with pretty much any traffic type.
--
Caede
Drunken Durfin
09-09-2007, 02:49 PM
Great, cannot wait to see how that works.
Drunken Durfin
09-11-2007, 11:48 AM
bump?
Caede
09-14-2007, 12:53 PM
This is going to take a bit of explaining and it's not really a 'beginner, follow step 1-3' sort of thing. Here goes nothing.
For these instructions, there are two things I'm going to refer to a few times:
SERVER: This is a PC you've set up as an SSH server, which will be proxying your traffic through an SSH tunnel.
CLIENT: This is the PC you are playing the game from, which is probably behind some restricted firewall.
Here's the 'Quick Installation', which I'll follow with a more verbose set of instructions.
1) Build an SSH Server.
2) Install MyEntunnel and supporting stuff on the CLIENT.
3) Set up SSH forwarding on the CLIENT.
4) Change the Windows HOSTS file to repoint the Simutronics hosts to 127.0.0.1 (localhost).
5) Play Gemstone.
Easy, right? If none of that sounds too daunting, here are the full instructions:
1) Build an SSH Server
Let's set up the SERVER. The server needs to have pretty much unrestricted outbound access. This is normal if you're behind a standard home router/firewall. It also needs incoming SSH available, which means you'll need to open TCP port 22 to it from your router/firewall.
I'd highly recommend Debian or Ubuntu for the SERVER system, since I'm quite happy with their package managers. You could, in theory, make this a Windows system, but it may be a bit trickier to get set up initially. The only thing that really needs to run on this system is an SSH server. So, go ahead and install one.
For Windows:
http://sshwindows.sourceforge.net/ or possibly http://freesshd.com/
For Linux:
http://www.openssh.com/
I'll pretend you're using Debian, in which case all you'd do is:
# apt-get install openssh-server
...not too hard, right?
2) Set up the CLIENT
Once the SERVER is configured as an SSH server, you'll need to make sure that you can connect to it from your CLIENT system. I'm going to assume the CLIENT is a Windows PC. To connect to your SSH server, you'll want to use a terminal application like PuTTY. And to use MyEntunnel, you'll also need Plink. Download both here:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
I'd suggest the Windows installer, if you don't want to manually create the directories and copy the files. Aside from this experiment, PuTTY can be used to just remotely log into your SERVER and putz around.
So, now you've got an SSH SERVER and a CLIENT system that has PuTTY and Plink. Time to download and install MyEntunnel:
http://nemesis2.qx.net/software-myentunnel.php
Follow the directions there to get it installed.
3) Now that you have MyEntunnel installed, let's set it up.
After you start up MyEntunnel, go to the "Settings" tab. Enter your server name/IP, username, password, etc.
http://i7.photobucket.com/albums/y283/caede/ss1.gif
Then, go to the "Tunnels" tab. This is where the important stuff goes.
Enter the following under the "Local" section.
7900:eaccess.play.net:7900
5535:medusa.simutronics.com:5535
4900:prime.gs4.game.play.net:4900
10024:storm.gs4.game.play.net:10024
The first two entries are for the SGE and Updater. The third is for Wizard FE, the fourth is for SF.
You'll have to add other entries for Plat -- I'll see if I can dig those up.
It should look like this:
http://i7.photobucket.com/albums/y283/caede/ss2.gif
Once you've put these in, you can "Connect" and you're almost there.
4) Change the Windows HOSTS file to point GS to localhost.
Find your Windows HOSTS file. Here are two common locations:
c:\windows\system32\drivers\etc\hosts
c:\winnt\system32\drivers\etc\hosts
Edit your HOSTS file, and put in the following entries:
127.0.0.1 eaccess.play.net
127.0.0.1 medusa.simutronics.com
127.0.0.1 prime.gs4.game.play.net
127.0.0.1 storm.gs4.game.play.net
This will repoint these hosts to your local CLIENT PC, which is then using MyEntunnel to forward these ports through your SSH SERVER. Save the file.
5) Fire up Gemstone.
It should automagically work.
CAVEATS AND WARNINGS:
- This will not work with Psinet without a lot of tweaking, and may not work period.
- This will not work with Lich without a bit of tweaking, perhaps even running Lich on the SSH server.
- If you want to connect normally, you MUST remove the entries from the HOSTS file.
- If Simutronics ever changes the host names they use, you'll need to update this process appropriately.
So... questions? Heh.
Good luck.
--
Caede
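Step 4 above pins four public host names to 127.0.0.1, and the caveats note that those same entries silently break normal connections until removed. The following is an added example, not Caede's code or part of the original post: a small audit that parses a Windows HOSTS file (comments, inline comments, several names per line) and reports every non-loopback name that has been redirected to a loopback address. The file content is a constructed sample modelled on the entries in the post; the set of names treated as legitimately loopback is an assumption.

```python
"""Audit a Windows HOSTS file for public names redirected to the loopback address.

Added example, not from the thread. Parses hosts-file syntax and reports
every name that is pinned to 127.0.0.1 or ::1 but is not a conventional
loopback alias. The file content below is constructed sample input.
"""
import ipaddress
from typing import Dict, List, Tuple

# Names that legitimately resolve to loopback and should not be reported (assumed list).
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample: a stock Windows HOSTS header plus the entries from the tutorial.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost ip6-localhost

# entries added for the SSH forward (constructed sample)
127.0.0.1 eaccess.play.net
127.0.0.1 medusa.simutronics.com   # SGE / updater
127.0.0.1 prime.gs4.game.play.net
127.0.0.1 storm.gs4.game.play.net
192.168.1.50 printer.lan
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [names]) per entry; blanks, comments and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name maps nothing
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address; ignore the line
        entries.append((lineno, addr, [name.lower() for name in fields[1:]]))
    return entries


def loopback_overrides(text: str) -> Dict[str, int]:
    """Map each non-loopback hostname pinned to a loopback address to the first line it appears on."""
    findings: Dict[str, int] = {}
    for lineno, addr, names in parse_hosts(text):
        if not ipaddress.ip_address(addr).is_loopback:
            continue
        for name in names:
            if name not in EXPECTED_LOOPBACK_NAMES:
                findings.setdefault(name, lineno)
    return findings


if __name__ == "__main__":
    for name, lineno in sorted(loopback_overrides(SAMPLE_HOSTS).items()):
        print(f"line {lineno}: {name} is pinned to loopback")
```

Run against the real file (c:\windows\system32\drivers\etc\hosts) by reading it into a string; the same check also tells you which entries to delete when you want to connect normally again.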
Caede
09-17-2007, 03:05 PM
As a quick update, I was able to get this to run with Lich in two ways.
1) Use the 'Install to Registry' option for Lich on the CLIENT.
2) Run Lich for Linux on the SERVER, and change the MyEntunnel forwards for the two game ports (4900 and 10024) to point to localhost instead of their respective names.
My inner geek really likes the second option, so I've started using it.
~/lich# ./lich
IP:port = gs3.simutronics.net:4900
Pretending to be the game host, and waiting for game client to connect to us...
Connection with the local game client is open.
Connecting to the real game host...
Connection with the game host is open.
Unless you do something really sneaky, Psinet won't work. It has some protections in place to ensure that its data is 'clean' and not manipulated upstream.
--
Caede
Lianon
09-17-2007, 04:11 PM
Caede is a bad ass and my hero.
Deathravin
09-17-2007, 04:48 PM
Will this still work if your work has the ability to install software on your PC turned off? (if you're set up as a user instead of poweruser or admin)?
Caede
09-17-2007, 04:57 PM
I'm going to guess "NO", since this relies on using the HOSTS file and without administrative privileges I doubt you'd be able to modify it.
All of this assumes you have full privileges on your CLIENT system at work/wherever. The magic is that all the GS traffic is rolled up into an SSL tunnel that is a) encrypted and b) indistinguishable from any other SSL traffic. To get around CLIENT-based restrictions... eh, that's tough.
--
Caede
Drunken Durfin
09-17-2007, 10:51 PM
Good luck.
--
Caede
AWESOME POST!
Will get to work on it this week, I have a box sitting in the corner here just waiting to be come a server.
Thanks!
Bobmuhthol
09-17-2007, 11:00 PM
If anyone else isn't so knowledgeable, it's also sometimes viable to use remote desktop software like LogMeIn (which, Deathravin, requires only the ability to run ActiveX controls and even has a lower-level option but it's nowhere near as cool) on your home PC. I don't really have a need to ever mask the fact that I'm connecting elsewhere, and it works very well when I need to access resources that are otherwise unavailable.
Mistomeer
09-18-2007, 01:16 AM
I don't really have a need to ever mask the fact that I'm connecting elsewhere, and it works very well when I need to access resources that are otherwise unavailable.
Heh, SSH doesn't mask a thing. Sure, it builds an encrypted tunnel hiding the traffic within, but any network security person is going to know exactly what's going on there. For that matter, I've seen people fired for it. It went something like this, "Hi, we see an SSH tunnel leaving our network and going to a high speed ISP address. We appreciate the effort you've put into bypassing Websense, now get the fuck out."
Caede
09-18-2007, 01:26 AM
It depends. I spent 90% of my day in SSH sessions, so having additional traffic going through one of many SSH tunnels doesn't look at all suspicious.
Of course, it helps that I'm also the network admin guy at my company...
--
Caede
Shifted
09-20-2007, 01:58 AM
If anyone else isn't so knowledgeable, it's also sometimes viable to use remote desktop software like LogMeIn (which, Deathravin, requires only the ability to run ActiveX controls and even has a lower-level option but it's nowhere near as cool) on your home PC. I don't really have a need to ever mask the fact that I'm connecting elsewhere, and it works very well when I need to access resources that are otherwise unavailable.
LogMeIn still doesn't work if you don't have install privileges on the computer you're accessing from.
Bobmuhthol
09-20-2007, 08:43 AM
There's nothing to install. You'd have to be very seriously crippled in IE for it to not work, like not being able to view anything that isn't simple HTML.
Deathravin
09-20-2007, 01:29 PM
Well I use RemoteAdmin to get into my home PC from work. But I'm an admin over my domain. Honestly I was just curious to see if your method would work to see if my users could be getting around our restrictions with your method... Sorry, I'm the anti- what you guys are talking about... LOL. I can just install it and play if I wanted to...
DaCapn
09-20-2007, 02:01 PM
No, no one knows what you're doing through the SSH tunnel, other than that you are engaged in a session on a remote host. The port mapping is done at the SSH host, and has nothing to do with the tunnel endpoints. What you are doing and your reasons for establishing that connection are unknown. Any of your system administrators saying "we know what you're up to" are just speculating. If they have a policy that allows them to fire you if you initiate an SSH session, they can fire you for it. They don't see a tunnel, they see a session. They can determine the location of the machine running the sshd and determine how much traffic is being sent between you and that host.
Deathravin
09-20-2007, 02:19 PM
My network admin was talking about a connection for months that 'looks like somebody is looking at their home TiVo or something'. One day I'm Remote Desktop'ing into my home PC for something, and I hear 'There it is again!' from the other room. So I tell him about my RD, the port I'm using, and the IP I'm going to... He was glad it wasn't a user, but still pretty pissed that he was chasing a ghost coming from 12 feet away for months.
Mistomeer
09-20-2007, 02:50 PM
They can determine the location of the machine running the sshd and determine how much traffic is being sent between you and that host.
Exactly what I said. They know exactly where it's going (high speed ISP IP address) and the service (SSH). Most every firewall in place these days is stateful and that is going to have to be added to the state table, which is usually logged, in order for the connection to be established. Further, if it's a company laptop then they can drop something like Spector on the machine without your knowledge or consent and then sit and watch what you do.
It's irrelevant anyway as any company with even a half decent staff isn't going to allow RDC, SSH or any of that shit outbound to any destination. Having a firewall rule that says permit tcp any any eq ssh is going to get flagged in an audit. Correctly configured firewalls only allow necessary services in either direction.
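The two defender-side points in this post, that a stateful firewall logs every outbound SSH session it builds and that a permit-SSH-to-any rule should be caught in an audit, can be turned into a concrete check. The following is an added example and not code from anyone in the thread: it parses constructed firewall teardown records in an invented log format, aggregates outbound SSH sessions to non-private destinations per source/destination pair, and flags pairs seen on several days for hours at a time; a second function picks out Cisco-style ACL lines that permit SSH from any source to any destination, as the post describes. The log format, field names, sample addresses and thresholds are all assumptions.

```python
"""Flag long-lived, recurring outbound SSH sessions in firewall teardown logs.

Added example, not from the thread. The log lines and ACL entries are
constructed samples in an invented format; thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one teardown record per completed TCP connection.
SAMPLE_LOG = """\
2007-09-17T09:02:11 fw1 teardown tcp src=10.20.3.41:51034 dst=68.44.12.9:22 duration=03:58:12 bytes=184211
2007-09-17T09:15:40 fw1 teardown tcp src=10.20.3.77:49120 dst=10.20.0.5:22 duration=06:10:03 bytes=90112
2007-09-18T08:55:02 fw1 teardown tcp src=10.20.3.41:51890 dst=68.44.12.9:22 duration=04:10:45 bytes=201034
2007-09-18T13:01:19 fw1 teardown tcp src=10.20.3.90:50001 dst=24.7.3.118:22 duration=00:04:30 bytes=5120
2007-09-19T09:00:27 fw1 teardown tcp src=10.20.3.41:52210 dst=68.44.12.9:22 duration=05:02:08 bytes=240001
2007-09-19T09:00:31 fw1 teardown tcp src=10.20.3.41:52211 dst=68.44.12.9:443 duration=05:01:50 bytes=310000
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ \S+ teardown tcp "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"duration=(?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2})"
)


def parse_teardowns(text: str) -> List[Tuple[str, str, str, int, int]]:
    """Return (date, src, dst, dport, seconds) for each well-formed teardown line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        rows.append((m["date"], m["src"], m["dst"], int(m["dport"]), secs))
    return rows


def recurring_external_ssh(text: str, min_days: int = 3, min_hours_per_day: float = 2.0
                           ) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Return (src, dst) pairs with SSH to a non-private address on at least min_days days,
    averaging at least min_hours_per_day of connected time per day."""
    per_pair = defaultdict(lambda: {"days": set(), "seconds": 0})
    for date, src, dst, dport, secs in parse_teardowns(text):
        if dport != 22 or ipaddress.ip_address(dst).is_private:
            continue  # only outbound SSH to addresses outside the private ranges
        stats = per_pair[(src, dst)]
        stats["days"].add(date)
        stats["seconds"] += secs
    findings = {}
    for pair, stats in per_pair.items():
        days = len(stats["days"])
        hours_per_day = stats["seconds"] / 3600 / days
        if days >= min_days and hours_per_day >= min_hours_per_day:
            findings[pair] = {"days": days, "hours_per_day": round(hours_per_day, 2)}
    return findings


# Cisco-style extended ACL line permitting SSH from any source to any destination.
ACL_RE = re.compile(r"^\s*(?:access-list \S+ )?permit tcp any any eq (?:ssh|22)\b", re.IGNORECASE)


def permissive_ssh_rules(acl_lines: List[str]) -> List[str]:
    """Return the ACL lines that allow SSH to any destination (the rule the post says an audit should flag)."""
    return [line.strip() for line in acl_lines if ACL_RE.match(line)]


if __name__ == "__main__":
    for (src, dst), stats in recurring_external_ssh(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:22 on {stats['days']} days, {stats['hours_per_day']} h/day")
    for rule in permissive_ssh_rules(["access-list 101 permit tcp any any eq ssh"]):
        print("overly permissive:", rule)
```

The internal bastion session (10.20.3.77 to 10.20.0.5) and the single short external session are not flagged; the daily multi-hour sessions from 10.20.3.41 are. Thresholds should be tuned to the environment: an admin who spends the day in SSH sessions, as one poster below notes, would need a whitelist of sanctioned destinations rather than a lower bar.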
Celephais
09-20-2007, 04:08 PM
Unless you have an encrypted tunnel, Stormfront and the wizard communicate in plain text, so any admin worth his salt would be able to look at any given packet and see it's not anything work related almost instantly.
Bobmuhthol
09-20-2007, 04:09 PM
<<Unless you have an encrypted tunnel,>>
SSH is encrypted...???
Celephais
09-20-2007, 04:15 PM
<<Unless you have an encrypted tunnel,>>
SSH is encrypted...???
I meant the port forwarded portion, obviously the shell connection is encrypted. But the SF port is not going to be encrypted, and your SF client is going to send cleartext to your SSH server.
DaCapn
09-20-2007, 04:33 PM
Well, you certainly said it would do that but the "SSH doesn't mask a thing" comment gives the impression that you think it's useless. If we're talking about a situation where someone has total control of your machine and enjoys installing monitoring software, there's certainly tons of "or they could..." means for someone to figure out what you're doing.
My point was... simply seeing an employee initiate an SSH session with some computer which has an IP address owned by Comcast, Verizon, or whoever else isn't grounds for firing someone. Those were the only things you mentioned in your post. They can see you SSH to your home computer all day in the firewall logs but it doesn't prove anything about what you're doing.
If you mentioned a method they used to actually inspect what was being sent through the tunnel (or that they simply used one), my post would have certainly whistled to a different tune. I'd say it's pretty important to give such details before making something that sounds like a blanket statement to the effect of "that's useless." It's good to point out what this person should be mindful of; I'm in favor of it. Just be more explicit for the sake of this person's understanding.
DaCapn
09-20-2007, 04:41 PM
Celephais:
Yes, the host has to unwrap the traffic before forwarding it along to the Simu server, but the point is the host is trusted with that traffic. In this case, he's trying to keep his admins from spying on him. Whoever runs the SSH host can certainly see what he's up to as it's being routed out to the destination, but he presumably owns the host himself and his administrators at work have no control over it or the network it sits on.
Celephais
09-20-2007, 04:51 PM
Whoops, you're right, misread something there in the setup, should be clear from any packet sniffing.
Mistomeer
09-20-2007, 04:54 PM
Well, you certainly said it would do that but the "SSH doesn't mask a thing" comment gives the impression that you think it's useless. If we're talking about a situation where someone has total control of your machine and enjoys installing monitoring software, there's certainly tons of "or they could..." means for someone to figure out what you're doing.
Not to say it doesn't exist, but I don't know of any corporate environment where they don't have total control of your machine as well as the network.
My point was... simply seeing an employee initiate an SSH session with some computer which has an IP address owned by Comcast, Verizon, or whoever else isn't grounds for firing someone. Those were the only things you mentioned in your post. They can see you SSH to your home computer all day in the firewall logs but it doesn't prove anything about what you're doing.
It proves you are bypassing corporate security measures and in most companies that is an offense you can fire someone for. If you VPN, SSH, RDC, whatever out of a company network to a home network for hours at a time every single day then it's pretty clear what is going on and you're going to have a hard time coming up with a valid work excuse for doing it.
If you mentioned a method they used to actually inspect what was being sent through the tunnel (or that they simply used one), my post would have certainly whistled to a different tune. I'd say it's pretty important to give such details before making something that sounds like a blanket statement to the effect of "that's useless." It's good to point out what this person should be mindful of; I'm in favor of it. Just be more explicit for the sake of this person's understanding.
Sorry, pretty much felt it's understood that when you're on your work PC on your work network that you're not going to be able to ever really hide anything regardless of encryption. However, it really just depends on the company and whether or not they care.
At any rate, most enterprise level firewalls (Cisco, CheckPoint, Juniper) either have a built-in implicit deny rule or it's the first rule configured when the firewall is set up. So if you want to allow SSH out, then you have to add the rule manually and no one worth a shit is just going to add an ANY/ANY SSH ALLOW rule to a firewall.
DaCapn
09-20-2007, 05:13 PM
It doesn't prove that you're bypassing security measures! There are other purposes for using these protocols (which I know you're aware of). It is certainly cause for speculation and I wouldn't be surprised if that leads an admin to watch you more carefully but it's not PROOF.
Deathravin
09-20-2007, 05:58 PM
The problem is that the Admin will watch you carefully while you have no clue it's taking place. It's not like you're going to see that they are paying a closer eye on you and you can quit doing it.
Shifted
09-24-2007, 01:10 AM
There's nothing to install. You'd have to be very seriously crippled in IE for it to not work, like not being able to view anything that isn't simple HTML.
Then please, please explain to me why every time I try to access my computer, it tells me to run or download something that is blocked by my network. I cannot get in. At all.
KTHXBAI
Bobmuhthol
09-24-2007, 01:13 AM
Because you're trying to use the ActiveX control.
But since I feel like you're being a little less than genuine in asking me to legitimately explain why it's not working, have a nice, "Fuck you," on top of it.
Shifted
09-24-2007, 02:50 AM
Because you're trying to use the ActiveX control.
But since I feel like you're being a little less than genuine in asking me to legitimately explain why it's not working, have a nice, "Fuck you," on top of it.
Got past the ActiveX requirements (refused to install), but now it's failing to let me bring it up. I pulled it up on a computer not associated with my network without ActiveX, but I could just look at the screen, no actual computer interface. I'm assuming that is something to do with my configurations, but I could be wrong about that.
How much more genuine can I be? I want to find out why it's not working, I have several work-related files on my home computer I'd like to access.
Log in.
Select the computer i want to access
Get the first ActiveX screen - click the link to bypass
Get to the Control panel
Go to Remote Control
Asks me again to download/install ActiveX - Click No
Connection screen shows up
Immediately fails
Working on WindowsXP
Limited User Privileges (mostly just can't install, blocked websites, etc. Can download. Can watch internet videos on sites that are not blocked. Proxies work for blocked sites, unless the proxy site is blocked.)
Deathravin
09-24-2007, 12:31 PM
Isn't it strange how two little words "Then Please" in front of that sentence can change the tone of the entire post to where if it weren't there Bob would have explained it nicely, and with them there, he says it with "a nice 'fuck you'".
Shifted
09-25-2007, 07:04 AM
True true, my bad Bob.
Bobmuhthol
09-25-2007, 09:29 AM
<<I pulled it up on a computer not associated with my network without ActiveX, but I could just look at the screen, no actual computer interface.>>
Yeah, ActiveX is what lets it look halfway decent. I only use it without ActiveX when I really really need something - it's a PITA to complete a task, honestly.
As for why it's flat out failing, I couldn't tell you. I've never had it happen to me and my school, while the IT people are absolutely retarded, pretty much blocks all access to everything; I can still use the non-ActiveX interface at logmein.com, however.
Shifted
09-26-2007, 04:12 PM
I guess my IT guys are geniuses, and learned to block the important things. They even have it blocked occasionally so that I can't write to my external.
Sort of getting back onto topic...
Using SSH to tunnel is very nice for forwarding Simutronics' game traffic, even when you're dealing with firewall rules that disallow the IANA SSH port. In high school we had to deal with NATing firewalls that would only allow outgoing connections to tcp ports 25, 80 and 443 (that's SMTP, HTTP, and HTTPS). 80 would get pushed through a transparent proxy, which meant it was effectively useless for any simple fix. 25 was clear though (however, there are SMTP proxies out there.) I simply had a redirection rule on my linux box at home in which any tcp:25 traffic from my school's NATing router's public IP address would be redirected to my tcp:22. Most routers nowadays don't do deep packet inspection (unless you're in china) so this should just look like a bunch of SMTP traffic.
A plus for me was that my school district had been busted for logging into a student's home POP account from credentials sniffed from the network, so they were really very wary of doing anything that might get the DA's attention again.
I didn't forward through tcp:443 because I was running an https service on that port which I wanted to be accessible at the school, however if I had a spare IP address, using this port would have been perfect. You could even embed the SSH session within a TLS session over tcp:443 (or even the raw game stream over TLS, but SSH is a nice multiplexer) which is what HTTP is doing on the same port (and the payload is obscured with TLS.)
Now, there still are methods for determining what you're doing over TLS. TLS doesn't do a very good job of obscuring the size, timing, or synchronization of your communications. Which means theoretically, some crafty IT monkey could setup some sort of signature database and figure out if you're surfing over tcp:443, using a shell over tcp:443, or even playing a MUD over tcp:443.
Now as we all know, any IT monkey would pounce at the opportunity to mindlessly analyze data that is supposed to be there. People are lazy, and they probably have something better to do, especially something better than analyzing the traffic of the consultant their boss called in.
And yes, in a fully corporate setting, you're going to be just as concerned with software on your box that's keeping an eye on what you're doing, as you will with firewalls and such keeping logs on what you're doing. Oddly, I have nothing to say about that.
And one final thing.
Deathravin: If you save (instead of opening with the launcher) the .sal files that Simutronics gives you after character/FE selection and open one with notepad, vim, or any other normal text editor, you'll find that it looks like a configuration file. If you update the following line to:
GAMEHOST=localhost
And use the port forwarding mentioned earlier, it might work. The launcher's auto-update will likely hang though, which either means it will pause for 30 seconds, then work just fine, or pause for 30 seconds, and die horribly.