LinuxQuestions.org


1N4148 10-12-2007 10:01 AM

NX (SSH) over http proxy
 
Hi there.

I recently discovered NX. It's kinda like VNC, but better. I'm not using freeNX, but the nomachine.com one (Free Edition 3.0.0-74), since it actually works. NX is based on SSH but provides a graphical interface to your machine.
I try to access my machine at home from work.
But there's a problem. Here's some information first:

connection: @ work over proxy, @ home directly to internet with dynamic IP and DynDNS
proxy: only HTTP traffic allowed, authentication required. Browsers on Windoze/Linux work when set up correctly.
OS: @ work Windows, @ home Linux

Direct connections from different locations to my NX server at home work. But at work, I'm getting problems with their proxy.

1st try:
I set the NX client (the Windows one) up to use the proxy and authentication.
results: didn't work
conclusion: proxy only lets http traffic through

2nd try:
Use desproxy to tunnel through proxy
results: proxy returns "not allowed"
conclusion: desproxy does not imitate http traffic close enough

3rd try:
Use httptunnel (which needs to be set up both on client and server)
configuration (port): NX client -> (900) -> httptunnel@work -> (80) -> proxy@work-> (80) -> httptunnel@home -> (22) -> NX server
results: connection to PC at home works, however aborts at some point.
test: Tried the same client configuration (but without proxy) at a friend's
results: same as at work
test2: Tried the same client configuration (but without proxy) at home in local network
results: It works.
conclusion: wtf?

I get a connection alright, but it aborts.

client log:
Code:

NX> 203 NXSSH running with pid: 5532
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 127.0.0.1 on port: 900
ssh_exchange_identification: Connection closed by remote host

I can't figure out why this happens. There's nothing in the logs on my machine (server).
Obviously, the remote host (which is my machine) closes the connection. Why does it do that? I wonder if that's because it discovers that a tunnel is used.

Any ideas?

jmwatts 10-12-2007 07:10 PM

You may want to take a look at this Article on the NoMachine Knowledge Base:

How to set-up a basic environment to connect NX through a HTTP proxy
http://www.nomachine.com/ar/view.php?ar_id=AR04E00457

Please browse/search the Knowledge Base for any other information as there is lots of good information there regarding the product.

Let me know how it goes.

1N4148 10-13-2007 03:26 AM

Thanks, but I already read that and it didn't really help since I'd need access to the proxy's configuration, which I don't have.
The proxy lets traffic only through port 80, so I set NX up to use that port. It didn't work, see first try.

jmwatts 10-13-2007 01:53 PM

The only thing I see from a quick standpoint might refer to this NX Knowledge Base article:

Problems involving ssh_exchange_identification
http://www.nomachine.com/ar/view.php?ar_id=AR04D00382

Looks very similar to the messages you are getting in the client log.

1N4148 10-13-2007 01:55 PM

Oh my, I kept looking for something regarding proxies, not the actual error...
I'll definitely look into that, thanks!

jmwatts 10-13-2007 01:58 PM

No problem. Let me know how it goes.

1N4148 10-15-2007 09:18 AM

Today I tried modifying my /etc/hosts.allow according to this tutorial
http://www.snailbook.com/faq/libwrap-oops.auto.html
and connect from work.
Sadly it didn't work, I get the same error as before. Do I need to restart networking when I change hosts.* ? I only restarted SSH and nxserver.

I noticed at work that when I try to connect, the httptunnel client closes. I don't know if that's a result of the termination of the connection, or the cause of it. I'm going to try other tunneling software tomorrow.

Hangdog42 10-15-2007 11:21 AM

Not to rain on the parade or anything, but have you asked your IT people at work about this? It could very well be that they've locked down their network so this sort of thing doesn't happen. And, at least in my experience, administrators are particularly humorless about attempts to circumvent their restrictions. At more than a few companies, it is grounds for dismissal.

1N4148 10-15-2007 11:47 AM

I wouldn't worry about that. I talked to them the other day, they're cool with me doing this, as long as I don't screw their network up.
Also they barely know how to configure this stuff (typical Windows user) and they're afraid they'd break it if they change anything. As far as I could tell, they're not using anything that could prevent this from working. It's a simple http proxy.

jymbo 10-16-2007 05:33 PM

There's a simple way to trick your proxy at work. Since it only allows http and https traffic, you need to fool it into thinking that your NX server at home is a web server.

Here's how I did it:

My FC7 box at home is behind a router, so I configured the router to open and forward port 443 to my FC7 box at port 22. All traffic destined for my home ip at port 443 will be forwarded to my FC7 box at port 22 (where NX is listening). My Asus router allows me to specify the port to forward to on the internal machine, but I know some routers may not have this feature. In this case, you'll need to edit sshd_config on your home machine to listen on port 443, or create an iptables rule on your home machine to forward port 443 to port 22.

On the NX client at work, I first configure the proxy settings, then I configure the server host with the dyndns name of my home ip, then use 443 as the port number. Since the connection through the proxy is sent through port 443, the work proxy sees it as https traffic and lets it through. Simple.

I'm writing this on my FC7 box from work over NX.
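
Added example, not part of jymbo's post: a proxy that admits a tunnel on the strength of the port number alone never looks at the payload, and an SSH endpoint identifies itself in its first bytes. This Python sketch labels the opening bytes of a proxied stream and flags sessions whose payload does not match their port; the session records, hostnames and field names are constructed for illustration.

```python
import re

# RFC 4253 4.2: an SSH peer opens with "SSH-<proto>-<software>"; a server may
# send other lines first, so search line starts rather than only offset 0.
SSH_IDENT = re.compile(rb"^SSH-\d+\.\d+-[\x21-\x7e]+", re.M)
HTTP_START = re.compile(rb"^(?:HTTP/\d\.\d \d{3}|[A-Z]+ \S+ HTTP/\d\.\d)")

def classify_first_bytes(data: bytes) -> str:
    """Label the protocol that opens a TCP stream from its first bytes."""
    if not data:
        # Peer closed before sending anything: what an SSH client reports as
        # "ssh_exchange_identification: Connection closed by remote host".
        return "closed-before-banner"
    # TLS record: type 0x16 (handshake), version 3.x, then Client/ServerHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 \
            and data[2] <= 0x04 and data[5] in (0x01, 0x02):
        return "tls"
    if HTTP_START.match(data):
        return "http"
    if SSH_IDENT.search(data):
        return "ssh"
    return "unknown"

EXPECTED = {80: "http", 443: "tls"}  # what each allowed port should carry

def flag_tunnels(sessions):
    """Return (dest, port, label) for sessions whose payload contradicts the port."""
    findings = []
    for s in sessions:
        label = classify_first_bytes(s["first_bytes"])
        want = EXPECTED.get(s["port"])
        if want is not None and label != want:
            findings.append((s["dest"], s["port"], label))
    return findings

# Constructed sample: first payload bytes seen on each proxied connection.
SAMPLE_SESSIONS = [
    {"dest": "www.example.com", "port": 443,
     "first_bytes": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"dest": "home.example.net", "port": 443,
     "first_bytes": b"SSH-2.0-OpenSSH_4.7\r\n"},
    {"dest": "www.example.org", "port": 80,
     "first_bytes": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"},
    {"dest": "home.example.net", "port": 80, "first_bytes": b""},
]

if __name__ == "__main__":
    for finding in flag_tunnels(SAMPLE_SESSIONS):
        print(finding)
```

The same classifier doubles as a troubleshooting aid: a stream that ends before any identification line arrives is the condition the client log earlier in the thread reports.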

1N4148 10-22-2007 08:15 PM

Quote:

Originally Posted by jymbo (Post 2926657)
There's a simple way to trick your proxy at work. Since it only allows http and https traffic, you need to fool it into thinking that your NX server at home is a web server.

Here's how I did it:

My FC7 box at home is behind a router, so I configured the router to open and forward port 443 to my FC7 box at port 22. All traffic destined for my home ip at port 443 will be forwarded to my FC7 box at port 22 (where NX is listening). My Asus router allows me to specify the port to forward to on the internal machine, but I know some routers may not have this feature. In this case, you'll need to edit sshd_config on your home machine to listen on port 443, or create an iptables rule on your home machine to forward port 443 to port 22.

On the NX client at work, I first configure the proxy settings, then I configure the server host with the dyndns name of my home ip, then use 443 as the port number. Since the connection through the proxy is sent through port 443, the work proxy sees it as https traffic and lets it through. Simple.

I'm writing this on my FC7 box from work over NX.

That's exactly what I tried at first - I set NX and SSH up to use port 80, forwarded it through iptables and my router and configured the NX client to use that port and the proxy@work - the proxy refused the connection, so I figured it only lets real http traffic through.

Anyway, I'm still working on this problem. The farthest I got so far was by using httptunnel, but for some strange reason the tunnel software closes on the client side and terminates the connection (or the connection terminates, which closes the software, I can't really tell).
But I'm out of ideas...


All times are GMT -5.