access wikipedia (walk through the great firewall of China)

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Dec 7 22:54:10 PST 2006


??? wrote:
> Hello. My office uses this method to access Wikipedia behind the great
> firewall of China:
> 
> 1) we have a server in Europe, let's call it server;
> 2) I run this command on my desktop:
> $ ssh -L 80:en.wikipedia.org:80 server;
> 3) everybody in the office edits /etc/hosts, adding this line:
> [my_ip_addr] en.wikipedia.org
> 
> So my computer becomes a 'proxy'.
> 
> The trouble is I have to keep the ssh running there. The 'proxy' will
> not automatically set up next time I reboot my computer.
> 
> Is it possible to install some software to run as a daemon and do this
> proxy?
> 
> I think of stunnel, but I have too little knowledge to know if stunnel can
> do this.

There are two general possibilities here:

  a) A Web cache/proxy -- squid is the canonical example, but you can
     do this sort of stuff in apache very readily.  I think apache 
     would be a good place for you to start, as most sysadmins have
     at least a passing acquaintance with its configuration.

     You'd need to set up a proxy on your European server to redirect
     any web traffic to en.wikipedia.org -- your users would use the
     service exactly as they do at the moment, but they'd put the
     IP of the European server into their hosts file, rather than
     your desktop.  If that is a problem, then you can chain together
     a series of proxies starting with your desktop machine, then
     the European server -- but performance may be a tad slow.

  b) IPsec or other VPN tunnel between your server in Europe and a
     local firewall -- preferably your local firewall should be on
     the egress path from your LAN.  Then you can arrange routing
     so that packets to destinations in Europe pass through the 
     tunnel and use your European server as the gateway to the
     internet.  In this case, there shouldn't be any need for your
     users to have to spoof the address of en.wikipedia.org in 
     their hosts files.  IPsec comes standard with FreeBSD, but
     you'd probably want to combine it with pf(4) or other firewall
     software which you can use to control redirecting appropriate
     packets through your tunnel.  If IPsec is too mind-mangling
     for you, OpenVPN (in ports) is a pretty good alternative.

     You'll almost definitely want to configure a NAT gateway on
     the European server.
 
Either of these solutions will run automatically on system startup, if
so configured.  Option (a) will send your web traffic across the net
in clear-text unless you can chain two proxies together and get creative
about using HTTPS.  Or you can combine both approaches: use a local HTTP
proxy with a VPN tunnel to your European server.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
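
A sketch of option (a) as an Apache configuration, added here as an example and not part of the original message or anyone's deployed setup. It assumes Apache 2.4 with mod_proxy and mod_proxy_http loaded on the European server, an origin that still answers plain HTTP on port 80 as in the thread, and uses 203.0.113.10 as a placeholder for the office's public address.

```apache
# Added example (not from the thread). Placeholder values are marked.

# Do not act as a forward proxy. With this off, the server relays only
# to the fixed origin named in ProxyPass below and cannot be used by
# outsiders as an open proxy to arbitrary sites.
ProxyRequests Off

<VirtualHost *:80>
    # Clients reach this vhost because their hosts file points
    # en.wikipedia.org at this server's IP.
    ServerName en.wikipedia.org

    # Accept requests only from the office's egress address.
    # 203.0.113.10 is a placeholder (documentation range).
    <Location "/">
        Require ip 203.0.113.10
    </Location>

    # Pass the original Host header through so the origin serves the
    # right site, and rewrite Location headers on redirects so clients
    # stay on the proxy.
    ProxyPreserveHost On
    ProxyPass        "/" "http://en.wikipedia.org/"
    ProxyPassReverse "/" "http://en.wikipedia.org/"
</VirtualHost>
```

The server's own resolver must see the real address of en.wikipedia.org, so the hosts-file override belongs on the clients only. As the message notes, traffic between the office and this proxy is clear-text HTTP unless it is carried inside a tunnel.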



More information about the freebsd-questions mailing list