vi / websocat

Command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions
MIT License
7.18k stars, 278 forks

i need help with es-sh over wabsoket over see-dee-yen #171

Closed BK8000L closed 2 years ago

BK8000L commented 2 years ago

I live in a country with internet censorship. All my VPS/proxy servers are not accessible from here, but I have limited access to the Cloudflare CDN. I came across this https://sshocean.com/sshwebsocket and I have access to these servers via the Cloudflare CDN using the opentunnel (Android) and netmod (PC) programs. But these servers are constantly overloaded; I would like to use my VPS and your websocket tool. Using a PC with full internet access and Wireshark, I tried to analyze what is used in sshocean, but could not figure it out. I am attaching a traffic dump with a successful SSH connection to the sshocean server. Can you understand it and can your tool do the same?

vi commented 2 years ago

I also used WebSockets to circumvent censored internet (when all obviously encrypted connections like TLS or SSH failed) by tunneling them through Websocat. In fact, the idea to create Websocat was born in a conversation about tunneling SSH or OpenVPN traffic through corporate transparent HTTP proxies.

On VPS, run the following:

websocat -E --binary ws-l:127.0.0.1:8080 tcp:127.0.0.1:22

On client, run this:

websocat -bE tcp-l:127.0.0.1:2222 ws://yourserver.net:8080/

For tunneling Wireguard you should use udp instead of tcp.

If you use Nginx or Caddy or other reverse web proxy on the VPS, you can forward some URLs to Websocat (or multiple instances of Websocat) using rules like this. This way wss:// would also work. I haven't personally tried, but probably you can also point CDN to your VPS as well, if CDN supports WebSockets.

Note that WebSockets are not designed for obfuscation and would only superficially mask connection signatures (and the data is scrambled only in one direction). If it is used against some sophisticated solution like Golden Shield, expect it to not work or to work only for a short time. The more people use this method and the more data you transfer that way, the more you are exposed to the possibility of a ban. You may want to deploy a dedicated solution like shadowsocks.

vi commented 2 years ago

You can outsource the TLS part from Websocat to a command line tool. Client Websocat would just spawn a process instead of doing TCP or TLS itself. See this section of moreexamples.md for examples.

websocat -bE tcp-l:127.0.0.1:2222 --ws-c-uri=ws://myvps/path_inside_vps ws-c:cmd:'some_magical_tool_that_talks_to_plain_HTTP_on_your_VPS'

It assumes you can already reach some HTTP-esque endpoint on your VPS and just need to bend it into forwarding SSH for you.

vi commented 2 years ago

netmod direct connection to sshocean.zip

Superficially it looks like an incoming WebSocket connection with SSH data inside, but there are a number of deviations from the standard protocol:

  1. There are no Sec-Websocket fields, neither in the HTTP request nor in the reply.
  2. There is Connection: upgrade in reply, but no Upgrade: websocket.
  3. \Content-Length: 1048576000000 - Content-length is incompatible with Connection: upgrade, there is a stray backslash character.
  4. Client-to-server traffic is not scrambled, as it is supposed to be over a WebSocket.
  5. Data is not framed per WebSocket protocol, content is streamed directly into the connection instead.

So it is not a WebSocket or HTTP connection, it is just a plain SSH connection, but with preambles masking it as WebSocket establishment.
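
The header-level deviations in items 1 to 3 can be checked mechanically. The following is an added example, not part of the original thread or of Websocat; the two "dump-like" messages are constructed to reproduce the listed deviations (they are not the attached capture), and the comparison handshake is the sample from RFC 6455.

```python
import base64
import hashlib

GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed string defined by RFC 6455

def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to values for one HTTP message head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]
    return {k.strip().lower(): v.strip()
            for k, _, v in (ln.partition(":") for ln in lines)}

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value a conforming server derives from the client key."""
    return base64.b64encode(hashlib.sha1((key + GUID).encode()).digest()).decode()

def handshake_deviations(request: bytes, reply: bytes) -> list:
    req, rep = parse_headers(request), parse_headers(reply)
    found = []
    key = req.get("sec-websocket-key")
    if key is None:
        found.append("request has no Sec-WebSocket-Key")
    if "sec-websocket-accept" not in rep:
        found.append("reply has no Sec-WebSocket-Accept")
    elif key is not None and rep["sec-websocket-accept"] != expected_accept(key):
        found.append("Sec-WebSocket-Accept does not match the request key")
    if rep.get("upgrade", "").lower() != "websocket":
        found.append("reply has no Upgrade: websocket")
    if any("content-length" in name for name in rep):
        found.append("reply carries Content-Length on an upgrade")
    bad = [n for n in list(req) + list(rep) if not n.replace("-", "").isalnum()]
    if bad:
        found.append("malformed header name: " + bad[0])
    return found

# Constructed messages reproducing the deviations listed above (not the real dump).
DUMP_LIKE_REQ = b"GET / HTTP/1.1\r\nHost: vps.example\r\nUpgrade: websocket\r\n\r\n"
DUMP_LIKE_REP = (b"HTTP/1.1 101 Switching Protocols\r\nConnection: upgrade\r\n"
                 b"\\Content-Length: 1048576000000\r\n\r\n")
# Sample handshake from RFC 6455 section 1.3, for comparison.
RFC_REQ = (b"GET /chat HTTP/1.1\r\nHost: server.example.com\r\nUpgrade: websocket\r\n"
           b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
           b"Sec-WebSocket-Version: 13\r\n\r\n")
RFC_REP = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
           b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")

if __name__ == "__main__":
    for item in handshake_deviations(DUMP_LIKE_REQ, DUMP_LIKE_REP):
        print("deviation:", item)
```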

vi commented 2 years ago

I don't need TLS on the server, cloudflare makes it for me.

Command line I mused about was about the client side.

Netmod is stuck at 101 Switching Protocols if i use websocat --binary ws-l:0.0.0.0:80 tcp:127.0.0.1:22

What is Netmod? If it makes connections similar to the traffic dump attached above (i.e. not really WebSocket connections, just TCP connections with some HTTP-esque WebSocket-esque introduction messages) then Websocat may not be the tool to use, at least without some modifications.

Maybe you can run Netmod in some server mode on your VPS?

Is there a traffic dump from your VPS during the attempt to connect to websocat --binary ws-l:0.0.0.0:80 tcp:127.0.0.1:22 from your Netmod client?


Websocat can aid this scheme:

[Your Client] --(TLS connection with a masked SNI)-> [Cloudflare] --(usual connection)-> [Your VPS]. 

But as a first step you probably want to ensure you can e.g. configure a website on your VPS and access it in a secure way (i.e. without exposing SNI) from your client. Then, when you can access your own website, you can use a pair of Websocats to add an additional function to the website: tunneling SSH for you. The scheme would look like this:

.------Your PC----------------------------------------------.                                        .----------- Your VPS ---------------------------.
[SSH client] -> [client Websocat] -> [Connector (Netmod?)] -> [Censored Internet] -> [Cloudflare] -> [Web server] -> [server Websocat] -> [SSH server]

vi commented 2 years ago

from_vps.zip

Here I see proper WebSocket establishment headers and server accepting a WebSocket connection.

However, instead of WebSocket frames, client sends raw, plain SSH data. Server replies with the data once, but connection is stuck or interrupted because of invalid incoming data (expected: websocket frames, got: raw data).

Using this payload in netmod

So netmod is just prepending a static fixed header before the data, i.e. using WebSocket negotiation as if it were some HTTP CONNECT request. This is not what Websocat expects; Websocat expects the data itself to be also transformed a bit (packed into WebSocket frames). If needed, Websocat can be configured to do just that step (without HTTP negotiation at all).

only netmod is available for windows

Both PuTTY and Websocat are available on Windows. If you combine them, then the only missing link would be that "only with netmod i can mask SNI".

SSH client is included there and makes a socks proxy it can only connect to ssh server, no port forwarding or anything else

What do you mean by SOCKS proxy? That Netmod can act as a SOCKS proxy or be an SSH client? Or that after connecting to SSH, Netmod offers a SOCKS proxy that routes traffic through SSH (that is port forwarding)?

You probably need to investigate what Netmod does and how exactly it masks SNI.

what tool should i use?

Just created another simple tool: tcpprepend. Maybe it would be compatible with that Netmod thing you use as a client.

Suggested server command line:

tcpprepend 0.0.0.0:80 DQoNCg== 127.0.0.1:22 SFRUUC8xLjEgMTAxIFN3aXRjaGluZyBQcm90b2NvbHMNClNlYy1XZWJTb2NrZXQtQWNjZXB0OiBJZ05meXFrWVpFcWNSQUJmRnVxYTlERUhKRXM9DQpDb25uZWN0aW9uOiBVcGdyYWRlDQpVcGdyYWRlOiB3ZWJzb2NrZXQNCg0K
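
The mismatch described in this comment (raw SSH bytes arriving where WebSocket frames are expected, and masking applied only to client-to-server data) can be seen at the byte level. This is an added example, not code from the thread, Websocat or tcpprepend; the SSH identification string is a constructed sample and the mask key is fixed for reproducibility, whereas a real client picks a random key per frame.

```python
def encode_frame(payload: bytes, mask_key: bytes = b"", opcode: int = 0x2) -> bytes:
    """Build one unfragmented RFC 6455 frame; a 4-byte mask_key makes it a client frame."""
    head = bytes([0x80 | opcode])                      # FIN=1, RSV1-3=0
    mask_bit, n = (0x80 if mask_key else 0), len(payload)
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 1 << 16:
        head += bytes([mask_bit | 126]) + n.to_bytes(2, "big")
    else:
        head += bytes([mask_bit | 127]) + n.to_bytes(8, "big")
    if mask_key:
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return head + mask_key + payload

def parse_client_frame(buf: bytes) -> bytes:
    """Decode one client-to-server frame as a server must; raise on violations."""
    if len(buf) < 2:
        raise ValueError("truncated frame header")
    b0, b1 = buf[0], buf[1]
    if b0 & 0x70:
        raise ValueError("reserved bits set")
    if (b0 & 0x0F) not in (0x0, 0x1, 0x2, 0x8, 0x9, 0xA):
        raise ValueError("reserved opcode")
    if not b1 & 0x80:
        raise ValueError("client frame is not masked")
    n, pos = b1 & 0x7F, 2
    if n == 126:
        n, pos = int.from_bytes(buf[2:4], "big"), 4
    elif n == 127:
        n, pos = int.from_bytes(buf[2:10], "big"), 10
    key, data = buf[pos:pos + 4], buf[pos + 4:pos + 4 + n]
    if len(key) < 4 or len(data) < n:
        raise ValueError("truncated frame")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def why_rejected(buf: bytes) -> str:
    """Return 'ok' or the reason a conforming server refuses these client bytes."""
    try:
        parse_client_frame(buf)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample: an SSH identification string, the first bytes an SSH client sends.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.0\r\n"

if __name__ == "__main__":
    print(why_rejected(SSH_BANNER))                                      # raw stream
    print(why_rejected(encode_frame(SSH_BANNER, b"\x11\x22\x33\x44")))   # framed and masked
```

The raw banner fails on its very first byte: `S` is 0x53, which a frame parser reads as FIN=0 with two reserved bits set and a reserved opcode.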

maleeqB commented 2 years ago

Hi @BK8000L , please I need your help

We have the same requirement, I also have limited access to cloudflare cdn and I also use https://sshocean.com/sshwebsocket and i have access to these servers via cloudflare cdn using HTTP CUSTOM

I have my own VPS also, please with @vi 's response to your questions, do you now understand how to implement such functionality? I want to use my own VPS also

I can't see your questions, seems you've deleted them, I can only see VI's response to your questions

Thanks in advance 🙏🏽

antnb commented 1 year ago

What do you mean by SOCKS proxy? That Netmod can act as a SOCKS proxy or be an SSH client? Or that after connecting to SSH, Netmod offers a SOCKS proxy that routes traffic through SSH (that is port forwarding)?

Basically it's bypassing internet censorship. netmod creates an HTTP connection with an HTTP header something like this:

GET ws://xxx.ap-southeast-3.compute.amazonaws.com  HTTP/1.1 [crlf]Host: myvpsserver[crlf]Connection: Upgrade, HTTP2-Settings
 > Upgrade: h2c [crlf]User-Agent: [ua][crlf]Upgrade: websocket[crlf][crlf]

myvpsserver is configured to receive SSH connections on port 80, and then netmod creates a SOCKS proxy on port 1080

while xxx.ap-southeast-3.compute.amazonaws.com or any cloudflare hosted host is a government-white-listed website (not blocked by government) and has websocket enabled natively

maleeqB commented 1 year ago

Thanks @antnb for your contribution, I now understand how that works

But that's for ssl/tls method, what about ssh + ws without tls? It uses port 8880 on the sni and the HTTP header is something like:

GET / HTTP/1.1[crlf]Host: myvpsserver [crlf]Upgrade: websocket[crlf][crlf]

How do I go about setting my vps up in this scenario?

its0ka commented 1 year ago

what about ssh + ws without tls?

It depends on your client software. There is no SSL/TLS in tcpprepend; you should add it yourself with nginx or stunnel if you need it. I didn't see your question from Nov 21 2022, sorry, and don't understand your new question.

maleeqB commented 1 year ago

Thanks @its0ka, yea Telegram would be better. I'll do that just now