Thursday, January 28, 2010

Of IPv6 and proxies: squid vs socks

I stumbled upon something interesting today. It should have been obvious, but I still found it to be quite a surprise. First, a bit of background. I have a friend who lives on the coast almost four hours away. For years I've administered her simple network remotely, mainly via the single port open to the Internet (ssh). All devices on the network, aside from the PCs she insists on using, could be managed via ssh or http. For the http hosts I've kept a Squid http proxy running, and I'd connect to those devices via an ssh tunnel using port forwarding. For years this setup was "good enough". Plus, it gave me a remote host on the Internet where I could redirect my http traffic should I be so inclined. There are drawbacks to this setup: first and foremost, my DNS queries would be resolved on my local network and the http traffic would travel over the tunnel, thus bypassing any http proxies, but the evidence of my trespass was still evident in the DNS queries. Granted, this wasn't a problem, as I was never going places I really shouldn't have been in the first place, so it wasn't ever a concern.

The old command I used to use to connect to my Squid proxy was: ssh greg@myserver.remotenetwork.com -L 8080:127.0.0.1:8080. After the tunnel was set up I'd go into Firefox and set up the proxies under Network Settings to use 127.0.0.1 as the proxy IP address and 8080 as the port.

Flash forward to last week. The remote ssh host in question is an iMac desktop and during a recent trip I upgraded the iMac to Snow Leopard. This caused a few applications to seize, most notably Squidman, my old trusty http proxy. I left the beach without installing a new Snow Leopard friendly proxy. Whoops. I just wrote it down on the to-do list next time I needed a salt air fix, and being a business at the beach this is certainly what we can define as the "slow time" of the year and I wouldn't likely have a need to connect to any http hosts between trips in the first place.

It's true that I am an old network dog, but I occasionally learn a new (old) trick, and I did that this week. A discussion started over e-mail about proxies and what-not, and someone suggested using a SOCKS proxy, which would do two things: resolve DNS on the ssh host rather than the local network, and redirect http/https traffic (among other cool things). I tried it out using the following command:

ssh greg@myserver.remotenetwork.com -D 8888

From there I set *ONLY* the SOCKS proxy in my Firefox network settings to 127.0.0.1 and port 8888 and, as if by magic, with no configuration of extra software on the iMac, my http requests were redirected over my tunnel just like when I used to use Squid. Cool!

But here's where things got interesting. Because my DNS queries were also being redirected, I could resolve addresses for IPv6 hosts, such as ipv6.google.com and m0n0.ch. Cooler yet, even though my machine was on an IPv4-only network, I could reach IPv6 webpages via http. This was very cool indeed. Had I thought about this prior to today, it should have been obvious this would work, but it still surprised me. I'm happy to have the IPv6 connectivity, and I just think it's cool that I can tunnel requests for IPv6 hosts when my laptop is on a network that only supports IPv4.

Give it a shot, it works pretty well.
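
Why the SOCKS tunnel can reach IPv6-only names from an IPv4-only laptop: a SOCKS5 CONNECT request (RFC 1928) can carry the hostname itself, so both the DNS lookup and the outbound connection happen on the ssh host. This is an added example, not code from the original post; the function names and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import struct
from typing import Optional

# RFC 1928 address types and the CONNECT command code
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMD_CONNECT = 0x01

def build_connect(host: str, port: int, local_ip: Optional[str] = None) -> bytes:
    """Build a SOCKS5 CONNECT request.

    local_ip set   -> the client already resolved the name (DNS seen locally).
    local_ip unset -> the hostname travels inside the tunnel to the proxy.
    """
    if local_ip is not None:
        ip = ipaddress.ip_address(local_ip)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    else:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        atyp = ATYP_DOMAIN
        addr = bytes([len(name)]) + name  # one length byte, then the name
    return bytes([0x05, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)

def describe(request: bytes) -> dict:
    """Parse a SOCKS5 request and report which side performs the DNS lookup."""
    ver, _cmd, rsv, atyp = request[:4]
    if ver != 0x05 or rsv != 0x00:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_DOMAIN:
        n = request[4]
        target, rest, who = request[5:5 + n].decode("ascii"), request[5 + n:], "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        target, rest, who = str(ipaddress.ip_address(request[4:4 + n])), request[4 + n:], "client"
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes")
    return {"target": target, "port": struct.unpack("!H", rest)[0], "dns_resolved_by": who}

if __name__ == "__main__":
    # Constructed samples: name form vs. locally resolved literal forms
    for req in (build_connect("ipv6.google.com", 80),
                build_connect("ipv6.google.com", 80, "2001:db8::1"),
                build_connect("example.com", 80, "192.0.2.10")):
        print(req.hex(), describe(req))
```

Whether a browser sends the name form depends on its SOCKS remote-DNS setting (in Firefox, network.proxy.socks_remote_dns); when it sends a literal address instead, the lookup has already happened on the local network and is visible there.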

1 comment:

KeithF said...

With a socks proxy I can also access the ipv6 network with an ipv4 only ISP, using an ipv6 enabled VPS