-2

For bypassing filtering in my country, I've rented a server abroad (CentOS 5) with 256 MB of RAM. The client is Ubuntu 12.04. I run this command on the client to set up the tunnel:

ssh -CNfD 1080 <user>@<server-ip>

In Firefox settings, I defined a socks proxy server:

localhost:1080

By using this method, everything works properly and I can bypass the limitations. But the speed degrades reasonably. I don't know why. I can guess at some reasons and I want to share them with you and have your opinions:

  1. If I use direct connection, most sites use http, but when I use proxy, all sites have to use the secure connection prepared by ssh. My provider may have decreased the speed of secure connections. (I think this may be the matter, but it seems that https sites not using the proxy still open faster.)

  2. Such tunnelling essentially causes the internet speed to decrease. Maybe because of overhead which applies to secure packets or some other reason. If so, what can I replace it with? I have a working dedicated server.

PS. The server internet connection speed is much higher than the speed (bandwidth) between client and server.

PPS. May I set up an http tunnel? Or use some software instead of ssh that is faster, has less overhead, or does not use https?

Please help me figure out what is really happening, since I'm not so familiar with these concepts.

Boann
hamidi
  • Encryption necessarily increases latency and reduces throughput, so it's unreasonable to expect HD video streaming over such a VPN. Still, if you drop compression (`-C`) and specify _blowfish_ as the block cipher, things may speed up a bit. The command is thus `ssh -c blowfish -NfD 1080 <user>@<server-ip>`. The above assumes that the slow-down is CPU bound; if you open a second "normal" ssh connection to the server and run `uptime` or `top` there while downloading a big file at the client, you should see a high load. – Mike Bessonov Apr 04 '15 at 11:23
  • Thanks, useful comment. But how can I seamlessly use the server? – hamidi Apr 04 '15 at 11:54
  • My suggestion was just to modify the ssh command on the client and leave all the rest as is. Opening the second ssh connection is a one-off, for investigation purposes only: to make sure that the CPU load on the server is the bottleneck. The average server load during data transfer over an ssh tunnel is an important piece of information helping to figure out what really happens. – Mike Bessonov Apr 04 '15 at 12:18
  • I changed the tunnel-creating command to what you suggested and nothing differed. I also changed it to no -c or -C. It didn't change either. In the top command, I see no high CPU or RAM usage. I try opening facebook, but I can't. It seems that it fails due to a timeout. – hamidi Apr 04 '15 at 12:39
  • I changed the port from 1080 to 61626, a random port which I thought is not used by any program to be filtered, but no change in speed occurred. Tries lead to timeout of some parts of my facebook page (images, etc.), so a poor connection, while with the same connection (not filtered), I've no problem and speed is good. I also paid attention to CPU in 'top'. It's 98% to 100% idle. The barrier seems to be my secure connection to the server. It seems that the only way is that it must be non-secure. – hamidi Apr 04 '15 at 12:51
  • Is there software to scramble data from the client and send it to the server to be descrambled via a non-secure connection? It must also work as a socks proxy to be set up in firefox. – hamidi Apr 04 '15 at 12:52

1 Answer

1

I am afraid there is not much you can do...

Indeed it is to be expected that speed, latency and throughput decrease when you tunnel your payload data through an encryption tunnel. The reason is mainly the overhead of encryption and also, depending on the connection at hand, the modified (longer) routing. You have to take into account that most of the encryption has to be done by your tunnel endpoint, so your server in this case. If that system lacks computation power, then the result will be reduced throughput, obviously. Things like CDN also won't work the same any more.

It might very well be that your service provider throttles different types of connection. Especially in areas with high control and censorship over communication content it clearly makes sense for the authorities to prefer not encrypted payload, so payload that can be controlled and filtered. Everything that keeps people from using encryption is in their interest. So throttling encrypted communication only makes sense from their point of view. Sad, but true nevertheless.

The only thing that could have an impact is some details about your tunnel endpoint, so your server in this case. Increased computation power could reduce a bottleneck if that system shows high load caused by the encryption.

Also its network connection is of interest, just as your local connection: the encrypted tunnel requires much more control data on the upload side compared to unencrypted traffic. Since typically the upload bandwidth is much lower than for download, this could also be an issue.

arkascha
  • Thanks for your comments. Unfortunately I couldn't mark it as useful because I'm a beginner and my reputation is below 15. I really want to solve the problem. So, I need to follow the steps. At the moment, as you described, it seems that I can't count on an ssh tunnel. Maybe a server/client software which may provide a tunnel by using a normal connection (over ftp, http or some other non-encrypted protocols) may be a better solution. I may also log CPU usage at the server side. Even a normal ssh is delayed. So, I think CPU or RAM may not be the problem. It seems that ssh itself is the barrier. – hamidi Apr 04 '15 at 12:05
  • I doubt using something non-encrypted will help against such censorship. If it does (meaning the authorities are pretty dumb then), I would suggest you set up a simple http proxy on your server. In general it would be wise to find out more details about how your internet access gets filtered, so by what means and strategy. That should certainly help to identify promising approaches. – arkascha Apr 04 '15 at 13:23
  • My idea is to communicate only with my server, which is unfocused because it's an unknown server, with data which is unknown (scrambled) and a protocol which is not monitored. For example, if I translate https://facebook.com, which is a secure connection to a monitored site, to a normal http or ftp request to my site with scrambled data that only my server may know and descramble, and use the same mechanism to get the answer data from the server, this may be unseen by filtering. How is it possible and what may be the most straightforward and easiest way to reach this goal? – hamidi Apr 04 '15 at 13:33
  • Sure, got that. But now you turn yourself around in circles. Either you _do_ want to encrypt/scramble, then things get slow, or you _don't_ but use non-encrypted communication. But for non-encrypted communication I would expect that the authorities are not _that_ dumb that they do not check headers you send as requests. Otherwise working around the censorship would be trivial for everyone... Usually censorship is more than just blocking direct access to a few listed servers. That is why I suggest finding out more details first. – arkascha Apr 04 '15 at 13:36
  • Ah, and I really hope you don't do the effort for something as bad and evil as facebook... – arkascha Apr 04 '15 at 13:37
  • Is there any other software than ssh to provide a tunnel? Maybe a stupid question, but may e.g. telnet, which I hope uses a non-secure connection, provide a normal tunnel? – hamidi Apr 04 '15 at 13:38
  • Telnet won't help here. It is either ssh or stunnel for encrypted tunnels, a proxy server for an easy, non-encrypted solution or you have to create something yourself using something like `netcat` or similar. But as said: I would expect web requests through a non-encrypted tunnel to be filtered too. – arkascha Apr 04 '15 at 13:39
  • No, I really don't need to send my data over https. It's just enough that a tunnel be produced. Who can know what the data inside my normal http requests is or what I get inside http packets? In http headers, I may eliminate all data and send/receive empty headers. All data may be included inside the data, even what I need to send/receive in headers. They may not figure out what is really happening while they can't decode the data. And about facebook, what did you mean that it's evil? Is its speed low also in other countries? – hamidi Apr 04 '15 at 13:49
  • Sorry, you may want to read more about how web requests work. You cannot do them "with empty headers" or similar. The web servers have to understand your request. And a "tunnel" is nothing magic, all communication through it can be read just like any other http access. In fact there is no difference in what data is sent. – arkascha Apr 04 '15 at 13:50
  • Assuming they're dumb enough not to listen to headers, what can I do? See, I want to tell my server to open facebook. I send a request with a header like my-server-ip/xfswouitjlhsfg. At the server side, xfswouitjlhsfg is translated back to facebook.com. The page is sent back including what facebook.com includes. Isn't it possible? – hamidi Apr 04 '15 at 13:56
  • If you use a tunnel, then your request header will NOT be "my-server-ip/xfswouitjlhsfg", but "facebook.com/...". A tunnel only forwards a request, it does not magically alter it. This is why I can only repeat: if tunneling _really_ works, then install a proxy software like `squid` on your server and all is done. Fast, easy to maintain, good. If that does _not_ get through because of getting filtered, then you have to either encrypt or obfuscate, which comes out the same. For encryption you can rely on standard solutions which work, for obfuscation you have to implement something yourself. – arkascha Apr 04 '15 at 14:19
  • I can only repeat: you want to read more about how web requests work. Your phrasing " i want to tell my server to open facebook" suggests you have only fuzzy knowledge about that. Don't get this wrong! But you have to know what you are doing, otherwise you will not find a satisfying solution. Your server never "opens" a web page. It only forwards a request you sent. The only difference to a "normal" web request is that it is routed via your server, thus the phrase "tunnel". The request is the same! Which is why I would expect it to get filtered. – arkascha Apr 04 '15 at 14:23
  • Maybe I can't make clear what I mean. If tunneling just means forwarding, no, what I need to implement is something beyond it. A packet is sent to the proxy on the local host. The proxy may be custom software. It then converts it and makes a different packet which is unknown to filtering. It's sent to my server, which translates it back to make the original packet and forwards it. The answer from the internet is converted with this mechanism back to the client. Isn't it possible? – hamidi Apr 04 '15 at 14:33
  • Sure it is possible. That is called "encryption". – arkascha Apr 04 '15 at 14:33
  • About squid, I've set up squid already. But it can't work completely, because the name of facebook exists in the header of packets. – hamidi Apr 04 '15 at 14:33
  • Sure, just as I predicted. – arkascha Apr 04 '15 at 14:34
  • And yes, I'm too much of a newbie about web programming. I have never worked with socket programming. I have always been a standalone applications programmer. – hamidi Apr 04 '15 at 14:34
  • All fine, we all learn all the time! No worries! You need to understand how things work before you can work around issues. For now you need to 1. understand how the filtering is done actually and 2. how web requests work and 3. how encryption/tunneling really works. – arkascha Apr 04 '15 at 14:35
  • And because of that, I prefer to use already provided solutions instead of writing code myself. – hamidi Apr 04 '15 at 14:36
  • There is such code. You are using it: tunneling by means of ssh. Please understand that you cannot have both: encryption yes, but not with the disadvantages of using encryption. That is not possible. – arkascha Apr 04 '15 at 14:36
  • Or there may be a complete tutorial to follow and learn the complete work. Then I may write my own solution. But still I prefer ready solutions. – hamidi Apr 04 '15 at 14:37
  • You have several ready-to-use solutions. Yet you don't want to use them. So what now? I can only repeat: encrypted tunneling by means of ssh or stunnel, using netcat together with compression or finding your own solution. One of these, your decision. But even when writing your own solution, I dare say it will not give better results than the existing solutions. – arkascha Apr 04 '15 at 14:39
  • This might give you an insight into using netcat: http://www.linuxquestions.org/questions/linux-networking-3/adding-gzip-compression-to-a-netcat-proxy-932423/ – arkascha Apr 04 '15 at 14:42
  • I think the ready solutions use encryption which differs in 'protocol'. When the protocol is secure, it will be slow. But when raw data is encrypted and sent still as raw data with a non-secure protocol, it doesn't get slow. Isn't that right? – hamidi Apr 04 '15 at 14:42
  • Sorry no, that is completely wrong. Encryption is nothing magic and no other protocol. It is a layer on top of the same protocol. If you want to use http protocol (which you must to access web servers) but not have the data readable/filterable, then you have to somehow scramble it. That process is called encryption. There is no such thing as "raw data", there is only data. – arkascha Apr 04 '15 at 14:43
  • Oh really?! But I thought https is something different from http. – hamidi Apr 04 '15 at 14:44
  • No, it is not. It is the same, just with an additional encryption layer. https is http with ssl. The same as what you do when you use http over an ssh tunnel. OK, this is simplified, but kind of true. The only difference for a tunnel is the ssl layer is used on a persistent socket, so you do not create a new connection for each request you tunnel. – arkascha Apr 04 '15 at 14:45
  • Oh ok. But still the way of converting packets to something different is what I may follow. – hamidi Apr 04 '15 at 14:47
  • You are not interested in packets. You are interested in the stream. – arkascha Apr 04 '15 at 14:49
  • I mean blocks of data, whatever name they have. They include a header, a body containing data and a footer. They may be a hoax, especially headers, which are browsed by filtering. They may be converted, sent, and converted back. – hamidi Apr 04 '15 at 14:51
  • No, you confuse things. Packets are a low level detail from your point of view. They know nothing about headers or the like, they only contain content, bytes. You are interested in a higher level, the stream. And you want to send the stream, but disguised. That is possible. It is called encryption. You cannot encrypt but not use encryption. – arkascha Apr 04 '15 at 14:54
  • Not more I can say, I offered three approaches. I'd say: encryption is easiest for you, otherwise take a look at `netcat` and its endless possibilities if a simple proxy strategy does not work around the censorship. Good luck, I wish you success and that you may learn a lot! – arkascha Apr 04 '15 at 14:56
  • I think without knowing deeply what packets are and how network requests work and many other things like this, I just waste your time. So, before going further, I need to increase my knowledge. Would you introduce some valuable sources for this purpose to me? – hamidi Apr 04 '15 at 14:59
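The overhead hypothesis raised in point 2 of the question and in the first and last paragraphs of the answer can be checked with numbers. The script below is an added example, not code from the question, the answer or OpenSSH: it counts the bytes a download costs on the wire when sent directly versus relayed as SSH channel data, framing each packet the way RFC 4253 section 6 and RFC 4254 section 5.2 prescribe. The MSS of 1460, the 32 KiB channel packet size, the 40-byte IPv4/TCP header and the cipher and MAC tables are assumptions stated in the comments.

```python
"""Wire-byte cost of a download sent directly vs. through an SSH tunnel.

Added example for this thread. Framing follows RFC 4253 section 6 (binary
packet protocol) and RFC 4254 section 5.2 (SSH_MSG_CHANNEL_DATA); the
constants below are assumptions, not measured values.
"""
import math

IP_TCP_HEADER = 40      # IPv4 + TCP headers without options (assumption)
MSS = 1460              # TCP payload per segment for a 1500-byte MTU (assumption)
CHANNEL_CHUNK = 32768   # bytes per channel data packet, OpenSSH default (assumption)
CHANNEL_DATA_HDR = 9    # byte msg type + uint32 channel + uint32 string length

# Block sizes (bytes) of ciphers discussed in the thread and common MAC lengths.
CIPHER_BLOCK = {"blowfish-cbc": 8, "aes128-cbc": 16, "aes128-ctr": 16}
MAC_LEN = {"hmac-sha1": 20, "hmac-md5": 16}


def ssh_padding(payload_len, block_size):
    """Random padding the transport adds: length field (4) + padding-length
    byte (1) + payload + padding must be a multiple of max(8, block_size),
    with at least 4 bytes of padding (RFC 4253 section 6)."""
    align = max(8, block_size)
    pad = align - ((4 + 1 + payload_len) % align)
    if pad < 4:
        pad += align
    return pad


def ssh_packet_len(payload_len, cipher, mac):
    """Bytes one SSH packet occupies on the TCP stream, MAC included."""
    pad = ssh_padding(payload_len, CIPHER_BLOCK[cipher])
    return 4 + 1 + payload_len + pad + MAC_LEN[mac]


def wire_bytes_direct(data_len, mss=MSS):
    """Bytes on the wire for a plain TCP download of data_len bytes."""
    return data_len + math.ceil(data_len / mss) * IP_TCP_HEADER


def wire_bytes_tunnel(data_len, cipher, mac, chunk=CHANNEL_CHUNK, mss=MSS):
    """Bytes on the wire when the same data is relayed as SSH channel data:
    the data is cut into channel packets, each wrapped and MACed, and the
    resulting stream is segmented by TCP like any other stream."""
    stream = 0
    remaining = data_len
    while remaining > 0:
        piece = min(chunk, remaining)
        stream += ssh_packet_len(CHANNEL_DATA_HDR + piece, cipher, mac)
        remaining -= piece
    return stream + math.ceil(stream / mss) * IP_TCP_HEADER


def overhead_ratio(data_len, cipher, mac):
    """Extra wire bytes of the tunnel relative to the direct download."""
    return wire_bytes_tunnel(data_len, cipher, mac) / wire_bytes_direct(data_len) - 1


if __name__ == "__main__":
    size = 1_000_000
    print(f"direct download of {size} bytes: {wire_bytes_direct(size)} bytes on the wire")
    for cipher in CIPHER_BLOCK:
        total = wire_bytes_tunnel(size, cipher, "hmac-sha1")
        ratio = overhead_ratio(size, cipher, "hmac-sha1")
        print(f"{cipher:13s} + hmac-sha1: {total} bytes ({ratio:.2%} more than direct)")
```

Under these assumptions the framing adds well under one percent to a 1 MB download, whichever cipher is chosen, and the TCP acknowledgements on the upload side are the same for both paths because the segment count barely changes. A slowdown of the size described in the thread therefore cannot come from the bytes encryption adds; what the model does not count is CPU time per byte on the server (the `top` check from the comments), the extra round trips the SOCKS handshake costs each new connection, and anything the network path does differently with encrypted traffic.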