After the course of _Computer Network_, I think it's time to dig into some real stuff in network now. Bypassing internet content filters has awalys been a huge need for me, so I would like to study how to build a covert proxy to accomplish this task.

Why not VPN?

When using VPN, the network traffic of the whole system will be forward to the VPN server and the connection with the server will be kept all the time. Obviously, for our purpose it's not flexible enough since some traffic may not need to be forward.

As for proxy, only the traffic of applications whose proxy has been configured will be forward to the server, but the problem is that many applications especially games do not have build-in proxy config or inherit the IE proxy setting. Even so I think proxy is more flexible and practical than VPN.

How does proxy work?

Applications produce network packages and normally these packages are sent to the destination directly along the routing path. But what if the target server is blocked by some firewall or we want to hidden our own address?

The idea of proxy is simple and we just let someone else to send the request for us. Here the someone shouldn't be blocked by our firewall.

We need to set up a web service in the proxy server to forward the data. As a server application it should have a static port number for us to connect and here we have two ways of connecting the server and cilent.

Direct way

In the server we run the forward program and open its port, in the cilent we just simply fill out the ip and port of applications.

For example, you have got proxy server's ip and port and then you can set the proxy setting in the Internet proxy as

However, such direct way of connection can be insecure since the content of data package is sent as clear text.

(Some applications support proxy with username and password like SOCKS proxy, at first I think it's used for encryption, but when I actually tried I found out it's just for authentation, the data is still sent as clear text.)

So if the firewall blocks connections to the, it can analyze the content of package if it's a clear text.

Indirect way

In order to pevent the firewall finding out our real destination, we can encrypt the data before sending the package, but unfortunatly, most applications like browsers don't have such encryption function.

So we need another local service which encrypt the data and then send the data to the real proxy server like, as a solution, we can set up a local sevice which accomplish this task, what we need to do in the application is just to set the proxy as the address of local service like

In a word, the indirect way of connection is setting up a secure tunnel which encrypts the connection in advance and use the tunnel to communicate with proxy server.

The implemention of proxy

Forwarding the request is simple, but undoubtedly we need the function of authentation, which means we need another specific protocol.

SOCKS5 is an existed protocol that satisfied our purpose well but of course we can design a new protocol. SOCKS5 supports serveral methods of authentication and it supports proxy of both TCP and UDP protocol. For more imformation about SOCKS5 you can read the articale Fast Introduction to SOCKS Proxy and RFC specification.

To do summary, what we need now is forwarding, encryption and authentication.

Use exist tools

One of the exist tool is SSH. Normally, we use SSH to connet to the remote server like this:

ssh username@host

But actually ssh has a parameter -D port, below is the description:

... allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, ..., Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server.

We need do

  1. run sshd service in the server and open the port
  2. use ssh to set up a local server and connect to the remote server
  3. configure the proxy setting in application

In windows, you can use some SSH tools or even Putty to set up a SOCKS proxy with SSH.(Use PuTTY as a secure proxy on Windows)

But if you have used SSH before, you may know that SSH is not stable that it may disconnect with the server and won't reconnect automatically, which is not convenient as a proxy service.

Use socket programming

to be continued...

Is this enough?

Now the traffic of application can be forwarded to the specific server with authentication and the data is encrypted, everything seems fine.

However, even the firewall don't know the real target of our requests, they can know that we are using proxy. For some ISP which forbid the use of proxy, they may block the connection to the proxy server.

Actually the use of proxy may bring some traffic characteristic, ISP or firewall can detect the use of proxy by it.

What is the characteristic of traffic through proxy?

to be continued...

We have a new goal now: confuse the firewall.

How to confuse the firewall?

to be continued...


to be continued...