Travelling

Bypassing Blocked Ports in (Public) Wifi Networks

Wifi networks at conferences or hotels often block certain ports, either to enhance security or simply by misconfiguration. Blocking ports can prevent some applications from accessing the internet via the access points. Another use is to force users onto encrypted protocols instead of their clear-text alternatives. To make this easier, in many cases the ports which should be allowed are whitelisted and everything else is blocked. If your company mail server uses a rather exotic port for some reason, sending and receiving emails does not work. Eduroam is an example where different policies and configurations are in place and port 25 of mail servers is often blocked.

You can use the following command to check whether a port is blocked or open:

telnet mail.example.org 25

If the connection times out after a while, the port is very likely blocked:

Trying 111.222.1.0 ...

telnet: Unable to connect to remote host: Connection timed out

Fortunately SSH allows tunneling connections, as long as its standard port 21 is open, which is often the case. All you need is a server outside your current network with an SSH-enabled account, which can connect to the mail server. The following command establishes such an SSH tunnel: it connects your local port 25 through the encrypted SSH session to your web server, where the tunnel exits and connects to your mail server.

sudo ssh -L 25:mail.example.org:25 user@web.server.org

You need to enter the password for your user account on the web server here. As soon as the tunnel is established, you can point any client at localhost and all traffic to port 25 gets tunneled via your server. If you now try the telnet example again, you should be able to connect:

telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 Email Service

How to establish an SSH tunnel in Windows is described elsewhere.
You can now also use this tunnel in your email program, such as Thunderbird, to send emails and bypass the blocked port. Note that localhost is the new server address; this is the only thing you need to change.

In some cases the mail client will detect that the certificate does not match the server name. You then need to accept the certificate warning, or add the certificate for your mail server address manually in the dialogue.

Use a TP-Link TL-WR710N Router as a Repeater with OpenWRT

The TL-WR710N offers five modes of operation:

  • Router mode
  • Client mode (connects ethernet devices to an existing wifi)
  • Repeater mode (extends existing wifis)
  • Access point mode (create a wifi hotspot from a wired connection)
  • WISP Client

Unfortunately the firmware which is installed on the device is very unstable and barely usable for my purpose. I could not get connectivity using the pre-installed software, although it offers a nice interface for all the mentioned modes.

Open source software to the rescue! Fortunately there exists an OpenWRT version which can be easily installed and which empowers this little device quite a bit. Have a look at the OpenWRT homepage and ensure that you have a supported hardware version (in Austria you will most likely get the EU 1.2 version with 8MB flash memory and 32MB RAM). You can use the upgrade dialog of the original firmware to upload the OpenWRT firmware. Be careful during these steps and avoid power outages and upload errors. Once you have installed the new firmware, just follow these steps to set up a range extender with OpenWRT.

  1. Connect your laptop with an Ethernet cable to the TL-WR710N router.

  2. Establish a telnet session. The default IP is 192.168.1.1

telnet 192.168.1.1

There is no default password.

  3. For security reasons you should use an SSH session. To do so, you need to set a new root password by issuing the following command in the telnet session.

passwd

You will be prompted to enter the new root password twice. After you set the password, the SSH daemon becomes active and telnet gets disabled. Exit the telnet session with

exit

  4. Connect via SSH by using the following command:

ssh root@192.168.1.1

  5. In the next step you need to configure the network interfaces. We want to have one Ethernet port eth1, one loopback device lo and of course the wireless interface wlan0. Use the vi editor to open this file:

vi /etc/config/network

  6. Enter these interfaces into the opened file:

config interface 'wan'
    option ifname 'wlan0'
    option proto 'dhcp'

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

Save and close with :wq

  7. Now we just need to configure the wireless connection. Use

vi /etc/config/wireless

to open the file.

  8. Enter these wireless connection details:

config wifi-iface
    option device radio0
    option network wan
    option mode sta
    option ssid 'WEAK-NETWORK-SSID'
    option encryption psk2
    # option encryption none
    # option encryption wep
    # option encryption psk
    # option encryption psk2
    option key 'PASSWORD'

config wifi-device  radio0
    option type     mac80211
    option channel  11
    option hwmode   11g
    option path     'platform/ar933x_wmac'
    option htmode   HT20
    # REMOVE THIS LINE TO ENABLE WIFI:
#    option disabled 1

# This is the bridged interface
config wifi-iface
    option device   radio0
    option network  lan
    option mode     ap
    option ssid     'REPEATED-WIFI'
    # option encryption none
    option encryption psk2
    option key 'mobileAP'

This wireless configuration contains the details of how to connect to, and thereby extend, an existing wireless network. In the configuration example above the name of this network is WEAK-NETWORK-SSID and the password for the PSK2-secured network is PASSWORD. Other encryption methods you could use are:

  • option encryption none
  • option encryption wep
  • option encryption psk
  • option encryption psk2

The second interface REPEATED-WIFI is your new, repeated wifi network, to which you then connect your laptop or your mobile phone.

  9. Reboot the router with this command:

reboot

You should then see a second wifi with the name REPEATED-WIFI in the list of available networks. As the small router still has a better range than some devices, you should get a better connection.
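The wireless part of the procedure above (steps 7 to 9), as an added example that is not code from the original post or from the OpenWRT project: a script that generates the /etc/config/wireless file from parameters instead of editing it by hand, validates the inputs first (a WPA2-PSK passphrase must be 8 to 63 printable ASCII characters, an SSID at most 32 bytes, and neither may contain a single quote or it breaks the UCI quoting), and draws a random passphrase for the repeated network rather than using a fixed key such as 'mobileAP'. It only emits psk2 interfaces, so the none and wep options from the post are not offered. radio0, channel 11, 11g, HT20 and 'platform/ar933x_wmac' are taken from the post; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the OpenWRT project:
# generates the /etc/config/wireless shown above from parameters, after checking
# that the WPA2 passphrases and SSIDs are valid, and provides a random passphrase
# for the repeated network instead of a fixed one like 'mobileAP'.
# radio0, 'platform/ar933x_wmac', channel 11, 11g and HT20 are the values from
# the post; the function names are this example's own.
set -u
LC_ALL=C   # count bytes, not characters, in the length checks below
export LC_ALL

# uci_safe VALUE: the generated file wraps values in single quotes, so a value
# containing one would break the configuration; reject it.
uci_safe() {
    case $1 in *\'*) return 1 ;; esac
    return 0
}

# valid_psk KEY: a WPA2-PSK passphrase must be 8 to 63 printable ASCII characters.
valid_psk() {
    local key=$1
    [ ${#key} -ge 8 ] && [ ${#key} -le 63 ] || return 1
    case $key in *[![:print:]]*) return 1 ;; esac
    uci_safe "$key"
}

# valid_ssid NAME: an SSID is 1 to 32 bytes.
valid_ssid() {
    local ssid=$1
    [ ${#ssid} -ge 1 ] && [ ${#ssid} -le 32 ] || return 1
    uci_safe "$ssid"
}

# random_psk [LEN]: LEN (default 20) random alphanumeric characters from /dev/urandom.
random_psk() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-20}"
}

# gen_wireless_config UPSTREAM_SSID UPSTREAM_KEY REPEATED_SSID REPEATED_KEY
# Prints the UCI wireless configuration: one 'sta' interface on the 'wan'
# network that joins the existing wifi, and one 'ap' interface on the bridged
# 'lan' network that is the repeated wifi. Returns 1 on invalid input.
gen_wireless_config() {
    local up_ssid=$1 up_key=$2 ap_ssid=$3 ap_key=$4
    valid_ssid "$up_ssid" && valid_ssid "$ap_ssid" \
        || { echo "SSID must be 1-32 bytes without single quotes" >&2; return 1; }
    valid_psk "$up_key" && valid_psk "$ap_key" \
        || { echo "WPA2 key must be 8-63 printable ASCII characters without single quotes" >&2; return 1; }
    cat <<EOF
config wifi-device 'radio0'
    option type       'mac80211'
    option channel    '11'
    option hwmode     '11g'
    option path       'platform/ar933x_wmac'
    option htmode     'HT20'

# client side: joins the existing network and provides the uplink (wan)
config wifi-iface
    option device     'radio0'
    option network    'wan'
    option mode       'sta'
    option ssid       '$up_ssid'
    option encryption 'psk2'
    option key        '$up_key'

# access point side: the repeated network, bridged into lan
config wifi-iface
    option device     'radio0'
    option network    'lan'
    option mode       'ap'
    option ssid       '$ap_ssid'
    option encryption 'psk2'
    option key        '$ap_key'
EOF
}

# Usage on the router (writes the file the post edits by hand, then reboot as in step 9):
#   gen_wireless_config 'WEAK-NETWORK-SSID' 'PASSWORD' 'REPEATED-WIFI' "$(random_psk 20)" > /etc/config/wireless
#   reboot
gen_wireless_config 'WEAK-NETWORK-SSID' 'PASSWORD' 'REPEATED-WIFI' "$(random_psk 20)"
```

Write the random passphrase down before rebooting; it is the key you will type into your laptop or phone when joining REPEATED-WIFI.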