Breaking out of a proxy jail: Active Port Forwarding

Active Port Forwarding provides a simple means to make services running on a machine behind a firewall accessible to clients on the WLAN. It does this via an intermediate server, which the clients connect to. The communication between the server and the intermediate can be done via TCP or a HTTP/HTTPS proxy server either bundled in POST headers or using CONNECT (see Desproxy and ProxyTunnel). It can be used to forward services such as HTTP or FTP servers, but more interestingly a SOCKS server. Through this method (which is similar to using a reverse SSH tunnel) you can effectively act as if you were inside the firewalled network (VPN-esque).

Installing on Windows

The Windows build uses cygwin (cygwin1.dll is bundled). Different version of cygwin running on a system can cause unusual errors. Only use one version at a time. Eg, Desproxy also uses cygwin but is bundled with a different version of cygwin1.dll. Overwrite one DLL with the other so they are the same, otherwise one of the two will fail to load. You shouldn't need to use Desproxy anyway, because HTTPS support is built into APF.

Download the Windows binary from gray-world.net.

Installing on *nix (including OS X)

Download the source: apf-0.7.5.tgz.

Extract the contents of the archive:

tar vxfz apf-0.7.5.tgz

Change directory to extracted files:

cd apf-0.7.5

Configure the Makefile:

./configure

Build the binary:

make

Install (may require root):

make install

Usage is the same on both *nix and Windows builds. To view usage, use "afserver --help" and "afclient --help".

The server runs on the machine outside the firewalled network with full access to the WAN. It listens for connections from users on the "listen port" (-l or --listenport) and listens for connections from afclient on the "manage port" (-m or --manageport). Use should resemble this:

afserver -v -P -l 50127 -m 50126 -n 127.0.0.1

-v stops the server deamonising. Use -vvvvv for full verbose (for debugging connection problems). -P tells the server to expect HTTP proxy stuff. Although -n shouldn't need to be specified normally (unless you have multiple network interfaces), it's more likely to work with it expressed.

Then on the client, use:

afclient -S -P yourproxy.local -X 8080 -C puser:ppass -n yourserver.com -m 50126 -d 127.0.0.1 -p 1080

This will connect to afserver running at yourserver.com with a manage port of 50126 via an HTTPS proxy server running at yourproxy.local on port 8080 (logging in as puser with ppass).

Now when a connection is made to afserver on the listen port (50127) the connection will be forwarded to the afclient machine on port 1080. If 1080 is a SOCKS server (use socks) you have yourself a VPN-esque setup.

It's worth reading the documentation on the homepage, as well as the other stuff on the site I've not talked about here.