Never again be thwarted by restrictive “guest” wifi (e.g. on buses or airplanes)

 Last week, I took a Megabus from New York to Boston. It’s a four-hour trip and Megabus advertises free wifi, so I expected to be able to get in some serious undisturbed working time.

Imagine my disappointment when I opened my laptop, connected to wifi, tried to ssh into a server I’m working on, and then watched helplessly as ssh timed out again and again without connecting.

I’m not exactly sure what Megabus is doing, but my guess is that they block all non-web traffic (probably primarily to avoid torrents hogging bandwidth), and they do that by just blocking all network traffic on ports other than 80 and 443 (the traditional http port), or by filtering certain communications protocols like SSH. Once I got to Boston, I tried to use another guest wifi network that was also randomly blocking ports I needed to connect to other servers, so I decided to put a stop to this nonsense once and for all.

The solution? Create a (mostly free) micro server on Amazon’s EC2 cloud and use it as a “poor man’s VPN” by routing all traffic from your laptop through the server and from there out onto the internet. The worked marvelously on the Boston guest wifi, and as I’m writing this it’s letting me connect to EC2 servers via SSH on a Southwest flight.

This is easier than it sounds to set up, provided you have directions. So…here you go!

1)   Launch an EC2 micro server instance running Linux. This is straight forward but a bit complicated if you haven’t done it before, so if you need help Google something like “quickstart set up EC2 server linux” and you should find a good guide.

2)   Ssh into your server (“ssh ubuntu@your-host-name”)

3)   Open up /etc/ssh/sshd_config (“sudo nano /etc/ssh/sshd_config”)

4)   Find the line “Port 22”, and under it add the line “Port 80” (the normal web port) and “Port 443” (the https port) – this tells the server to listen for incoming ssh connections on Port 80 and 443 as well, which will almost always be unblocked on guest wifi because they’re needed for web traffic.

5)   On your laptop, visit https://github.com/apenwarr/sshuttle/ and clone the repo into somewhere convenient (i.e. “git clone https://github.com/apenwarr/sshuttle/”)

6)   Go into the sshuttle folder, and type “./sshuttle -r username@sshserver:80 0.0.0.0/0 –L 127.0.0.1:443 -vv

That’s all there is to it!

Now all of your TCP traffic will be securely routed to your server through port 443 via ssh, and then forwarded on to the internet by your EC2 server.

This has two benefits:

1)   No more pesky port / protocol blocking on the guest wifi

2)   All your data transmitted over the open wifi network is encrypted, so you can’t be snooped on with wireshark.

Now you can do whatever you want and Megabus (and now confirmed on Southwest Airlines) can’t say a darn thing about it. Unless they, you know, change their security policies.

If you like this guide, follow me on twitter (@rogueleaderr) for more like it soon.

WARNING: this only encrypts TCP traffic, not other kinds like DNS (unless you use an extra flag in sshuttle) or UDP etc. So some kinds of traffic may still be snoop-able.  Also, you are not anonymous since your traffic can still be traced back to your EC2 server, which has your name on the billing records. So not that you would anyway, but don’t go committing any cybercrime.

Edit: I’m shocked by how much traffic this post got. I’ll freely admit that I’m a networking n00b and that although this approach worked for me it’s probably not ideal. Many commenters on the Hacker News thread had great suggestions for alternative approaches. Check out the comments at http://news.ycombinator.com/item?id=4410195 for more options on how to get around network restrictions.