Remote access to campus VPN

A troubleshooting mini-journal

(Disclaimer: this is not a “pure” technical article. It does not provide all the necessary background for understanding the solution. Plus, it contains detours and rants.)

A while ago, I was tackling the following task: to access and install a software license that requires a campus internet connection. At first I thought the solution would be obvious: just connect to the U Waterloo VPN. But it turns out that the U Waterloo VPN uses split tunneling: it routes traffic through the VPN only when the user accesses U Waterloo resources (like remote servers and certain university-affiliated websites), and does not route traffic through the VPN when accessing external websites. A more sophisticated solution is needed.

Essentially we need a way to pretend that we are on campus. The remote servers available to U Waterloo students come to mind. We are basically looking for a way to browse the internet off-campus while pretending that we are doing so on-campus. After a bit (read: A LOT) of Google searching, I learned some “advanced” ssh functionality:

ssh -L 3000:localhost:3000 <remote server domain>

This creates a “forward proxy” (ssh calls it local port forwarding), which means that traffic to your computer’s localhost:3000 will be forwarded to the remote server’s localhost:3000.

ssh -R 3000:localhost:3000 <remote server domain>

This creates a “backward proxy” (ssh calls it remote port forwarding), which means that traffic to the remote server’s localhost:3000 will be forwarded to your computer’s localhost:3000.

ssh -D 8132 <remote server domain>

D stands for “dynamic”, and 8132 is just a random port number. Not sure what this means, but this creates a SOCKS proxy on the computer which allows me to proxy traffic through the remote server. This does exactly what I wanted to do: visit a website which requires an on-campus IP.

Once this was done, I was able to configure Firefox to use the SOCKS proxy by entering localhost as the IP and 8132 as the port number. This immediately allowed me to retrieve the academic license key. Hurray!

Not so fast. I thought that this would be the end of the story, but when I tried to install the license key on the computer, I got error code 303, which revealed that my IP was still the local IP and the host was the ISP at my apartment! This means that, somehow, the terminal connection to the software installation server was not using the SOCKS proxy. Back to more searching.

At some point I read a comment online and was convinced that a SOCKS proxy was not the way to go – that in order to create an HTTP/HTTPS proxy I would need to use the -L flag to create the ssh proxy connection. That didn’t work out. In fact, that didn’t even work in Firefox, and the IP check kept returning the original IP.

Fortunately I was actually getting quite close to the real solution. The command that I tried for setting up an HTTP proxy after establishing a SOCKS proxy was:

export http_proxy="localhost:8132"

It turned out that this would work:

export http_proxy="socks5://localhost:8132"

Problem solved. Yay! (To learn more, check: https://curl.se/docs/manpage.html)
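Why the scheme matters, as an added example that is not part of the original post: per the curl manual, a proxy string without a scheme is treated as an HTTP proxy, so the client speaks HTTP to a port where ssh -D expects a SOCKS handshake. The loopback listener below is a constructed minimal stand-in for the SOCKS5 greeting step (RFC 1928), not OpenSSH's code, and both payloads are constructed samples.

```python
import socket
import threading

def socks5_greeting_reply(data: bytes) -> bytes:
    """Reply of a no-auth SOCKS5 listener to a client's first bytes (RFC 1928)."""
    # A greeting is VER=0x05, NMETHODS, then NMETHODS method ids.
    if len(data) < 3 or data[0] != 0x05 or len(data) < 2 + data[1]:
        return b""                       # not SOCKS5: drop the connection
    methods = data[2:2 + data[1]]
    return b"\x05\x00" if 0x00 in methods else b"\x05\xff"

def serve_once(listener: socket.socket) -> None:
    """Accept one client, answer its first bytes, then close."""
    conn, _ = listener.accept()
    with conn:
        reply = socks5_greeting_reply(conn.recv(512))
        if reply:
            conn.sendall(reply)

def probe(first_bytes: bytes) -> bytes:
    """Send first_bytes to a throwaway loopback listener; return its answer."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port stands in for 8132
        listener.listen(1)
        t = threading.Thread(target=serve_once, args=(listener,))
        t.start()
        with socket.create_connection(listener.getsockname()) as client:
            client.sendall(first_bytes)
            client.settimeout(2)
            try:
                answer = client.recv(16)
            except ConnectionResetError:
                answer = b""             # listener hung up on us
        t.join()
        return answer

# Constructed samples of what each proxy setting makes a client send first.
HTTP_PROXY_REQUEST = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
SOCKS5_GREETING = b"\x05\x01\x00"        # version 5, one method, "no auth"

if __name__ == "__main__":
    for label, payload in [("http_proxy=localhost:8132", HTTP_PROXY_REQUEST),
                           ("http_proxy=socks5://localhost:8132", SOCKS5_GREETING)]:
        print(f"{label:40} -> listener answered {probe(payload)!r}")
```

curl also accepts socks5h://, which has the proxy resolve hostnames instead of the local machine, so DNS lookups go through the tunnel as well.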

Kam Chuen (Alex) Tung
PhD Candidate in Computer Science