Monthly Archives: March 2013

Encrypt your traffic from your Android device using an SSH tunnel

As I said on a previous occasion, in China the government filters internet traffic (including mobile traffic, doh), so you can't access various websites and/or services, which is very annoying. Well, what do you have to do if you want to navigate to for instance? Hmmm... you will have to encrypt your traffic somehow. Below I will tell you what you need and how to accomplish this from your Android device.

First of all you will need an SSH server configured somewhere outside China (preferably on a non-standard port).

Once you have an SSH server, download the SSH Tunnel application written by MAX LV from Android Market.

All you have to do is fill in the Host, Port, User and Password fields and tick the Use socks proxy, Enable GFW List and Enable DNS Proxy (this one is extremely important) options.

That's it!

OpenVPN through SSH

This is useful if you are behind a restrictive firewall that uses SPI to block services rather than plain old port blocking. An SPI firewall can distinguish one packet type from another instead of just checking the port that is in use.

You’ll need root access to the OpenVPN Server, as you have to change some of the server config files.

You need to make the following changes:

  • change the line proto udp to proto tcp in both the client and server configuration files
  • add socks-proxy localhost 5555 in the OpenVPN client configuration file
  • create an SSH tunnel between the client machine and the OpenVPN Server. Assuming you’re running Linux/Unix with the OpenSSH client binary installed then run the command:

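[codesyntax lang="bash"]
# user@openvpn-server is a placeholder for your account on the OpenVPN server
ssh -ND 5555 user@openvpn-server
[/codesyntax]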

Note: If you are using Windows please read what this guy wrote here:

Encrypt your web browsing session in one command

Recently I accepted a job proposition in Shenzhen/China. So, China here I come. Things are great here; Western propaganda has nothing to do with what's going on here, except for one thing: internet filtering. Google results are censored, so only "accepted" results are displayed, sites like,,,, and so many more... What do you do to pass this filtering? The solution is to encrypt your browsing session.

Using a simple SSH command, I can encrypt all my web browsing traffic and redirect it through a trusted computer when I'm on someone else's network. Today I'll set up a local proxy server that encrypts my online activity from my desktop. Here's how:

What I'll need.

  • an SSH server to act as your proxy
  • an SSH client on the computer you're using

Note: Mac and *nix machines have an SSH client built right in at the command line. Windows users can set up OpenSSH with Cygwin or PuTTY.

What we are going to do.
What I am doing is setting up a "middle-person" (the SSH server which will act as a proxy) between me and the internet. Using the proxy, my browser hands off web page requests to the proxy server, which handles the request and fetches the page for me from the internet. The web site actually thinks the request is coming from the proxy server, not from my computer, which is a good way to obscure my originating IP address.

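The good thing about this is that my traffic travels over SSH, which is an encrypted protocol. This prevents Wi-Fi sniffers from seeing what I am doing online. The encryption covers only the hop between my computer and the SSH server; from the server to the web site, the traffic is protected only by whatever the site itself uses (such as HTTPS).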

Setting up the server.
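On my desktop computer I open a connection to the SSH server:

[codesyntax lang="bash"]
# user@ssh-server is a placeholder for your account on the SSH server
# -D 9999 opens a local SOCKS listener on port 9999
ssh -ND 9999 user@ssh-server
[/codesyntax]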

What this command does is hand off requests to localhost, port 9999, to the SSH server at to handle.


  • if your SSH server listens on a port other than the standard one (22/tcp), specify it with the -p switch
  • the -N tells SSH not to open an interactive prompt, so it will just hang there, waiting. That's exactly what I want.

Setting up the client.
Once the proxy is up and running, configure Firefox to use it. From Firefox's Tools menu, choose Options, and from the Advanced section choose the Network tab. Next to "Configure how Firefox connects to the Internet" hit the "Settings" button and enter the SOCKS information, which is the server name (localhost) and the port you used (in the example above, 9999).

Save those settings and hit up a web page. When it loads, it's actually coming from the proxy server over an encrypted connection.


  • Set your proxy server to resolve DNS requests instead of your computer; in Firefox's about:config area, set network.proxy.socks_remote_dns = true.
  • For those with slower connections, you can use the -C command line option to use SSH's compression (gzip).