Building a SOCKS proxy on EC2 to get around wifi port blocking

At the NXNE Mobile Hackathon, we ran into a small problem. The wifi set up in the room would only allow connections over HTTP and HTTPS, which made it impossible to do many things you might want to do at a hackathon, like:

  1. Push to GitHub over SSH
  2. Connect to MongoDB instances
  3. Connect to... anything... that isn't on ports 80 or 443... so a lot.

If you can configure your tools correctly, the easiest way to get around this kind of problem is via a SOCKS proxy. Normally, I'd set up an SSH tunnel and run the SOCKS proxy over that... but no SSH. So the next best thing is to get a SOCKS server running on EC2. Let's go through the steps required to set this up so that if you end up in the same situation, you can help those around you.

Doing this assumes that you temporarily have an internet connection that is unrestricted, like a tethered smartphone or a wired connection. I'm also assuming that you know your way around EC2 a bit.

  1. Connect to your unrestricted internet connection
  2. Login to EC2
  3. Ensure that you have a keypair setup
  4. Create an EC2 Security Group that opens ports 22 and 443 to the world
  5. Fire up an Ubuntu 12.04 LTS instance (micro will usually do) with your keypair and Security Group
  6. SSH into the new machine with the SSH key (default username: ubuntu)
  7. Run the following commands at the prompt or in a shell script:
    sudo apt-get install build-essential
    wget http://www.inet.no/dante/files/dante-1.3.2.tar.gz # or another version
    tar -zxvf dante-1.3.2.tar.gz
    cd dante-1.3.2
    ./configure
    make
    sudo make install
    
  8. Put the following config in /etc/sockd.conf (the file sockd reads by default)
    ## general configuration (taken from FAQ)
    
    internal: eth0 port = 443
    external: eth0
    method: username none
    user.privileged: root
    user.notprivileged: nobody
    logoutput: stderr
    
    ## client access rules
    
    client pass { from: 0.0.0.0/0 to: 0.0.0.0/0 } # address-range on internal nic.
    
    
    ## server operation access rules
    
    # block connections to localhost, or they will appear to come from the proxy.
    block { from: 0.0.0.0/0 to: lo log: connect }
    
    # allow the rest
    pass { from: 0.0.0.0/0 to: 0.0.0.0/0 }
    
  9. Run sudo sockd -D

Now that we've got the server running, we have to configure our clients to connect to it. Fortunately, this is relatively easy. If you're on Linux, run your programs with tsocks. On Windows or Mac, you can try Proxifier (never tried it myself). Remember that the proxy is on port 443.

If you're using PuTTY, you can set your proxy under Connection > Proxy.

This set of steps creates an open proxy that anyone can use to proxy to anywhere. Don't leave it running unless you want really big EC2 bills.
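To check that the dante server from step 9 is actually answering, and to see for yourself that it is the open proxy described above, here is a small SOCKS5 handshake probe. It is an added example, not code from the original post or from the Dante project. It speaks the RFC 1928 exchange directly (client greeting, server method selection, CONNECT request, server reply), which is what tsocks or Proxifier do underneath, and it decodes the proxy's reply code so a "connection not allowed by ruleset" from a block rule is distinguishable from a plain network failure. Assumptions: the proxy accepts the no-authentication method (as `method: username none` in the sockd.conf above configures), and the proxy host name in the `__main__` block is a constructed placeholder.

```python
# Minimal SOCKS5 (RFC 1928) handshake probe. Added example, not part of the
# original post. Assumes the proxy accepts method 0x00 (no authentication).
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03

# Reply codes from RFC 1928 section 6. A "block" rule in sockd.conf yields 0x02.
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting(methods=(METHOD_NO_AUTH,)):
    """Client hello: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(data):
    """Server's answer to the greeting: VER, METHOD. Returns the method byte."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection: %r" % data)
    return data[1]


def build_connect_request(host, port):
    """CONNECT request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT.
    A dotted quad is sent as IPv4; anything else goes as a domain name so the
    proxy resolves it (the restricted network may not offer working DNS)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_reply(data):
    """Reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT.
    Returns (code, description, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % data)
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        bnd_addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        bnd_addr, off = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unsupported address type 0x%02x" % atyp)
    (bnd_port,) = struct.unpack("!H", data[off:off + 2])
    return code, REPLY_CODES.get(code, "unknown reply code"), bnd_addr, bnd_port


def recv_exact(sock, n):
    """Read exactly n bytes or fail; a proxy that drops us mid-handshake is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf


def recv_connect_reply(sock):
    """Read one variable-length reply off the socket and parse it."""
    head = recv_exact(sock, 4)
    if head[3] == ATYP_IPV4:
        rest = recv_exact(sock, 4 + 2)
    elif head[3] == ATYP_DOMAIN:
        length = recv_exact(sock, 1)
        rest = length + recv_exact(sock, length[0] + 2)
    else:
        raise ValueError("unsupported address type 0x%02x" % head[3])
    return parse_connect_reply(head + rest)


def probe(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Ask the proxy to CONNECT to target_host:target_port; return the parsed reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        method = parse_method_selection(recv_exact(s, 2))
        if method != METHOD_NO_AUTH:
            raise RuntimeError("proxy did not accept 'no auth' (chose 0x%02x)" % method)
        s.sendall(build_connect_request(target_host, target_port))
        return recv_connect_reply(s)


if __name__ == "__main__":
    # Constructed placeholder: substitute your instance's public DNS name.
    print(probe("ec2-proxy.example.invalid", 443, "github.com", 22))
```

Run it from your tethered connection (or any other network) against the instance: a "succeeded" reply for an arbitrary target is the concrete proof of the warning above, since the security group opens 443 to the world and the `client pass` rule admits 0.0.0.0/0, so anyone who finds the port can use it. Run it again after terminating the instance and the connection should be refused, which is the check worth doing before you walk away from the hackathon.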

In doing this, I realized that it would be even better to be able to do this via a VPN instead of a SOCKS proxy in order to get better Windows and Mac full capture support. I'm going to play with this idea and post again when I've got something.

Building Natty Narwhal Ubuntu Images for Amazon EC2 (with instructions that actually work)

For my current project, I'm using Amazon's Elastic Compute Cloud (EC2). I've chosen Ubuntu as my OS, and so I started with the Ubuntu EC2 Starters Guide, and the UEC images therein. Those are a good base, but I need my own configuration on first boot of the VM.

Naturally, I looked around to see how Ubuntu built their EC2 images, and found in the EC2 FAQ that they build them using python-vm-builder-ec2. Sweet! That seems easy. Oh wait, the EC2 part of vmbuilder has been broken since Lucid. Oh, there's a patch in that bug report. Darn, that doesn't work either.

Fine, let's look up UEC (Ubuntu Enterprise Cloud) stuff and see if that provides successful information. Oh look! How to make your own UEC image, with different instructions! Maybe that will work? Oh no, the part file provided doesn't work with vmbuilder, and the instructions don't port over to EC2 that well. Grrrrr.

Well, looks like I need to provide my own instructions (and eventually fix the wiki). So here I go:

  1. Start by creating a part file that will work. As per the vmbuilder man page, each line in the part file can have four fields: mountpoint size (device) (filename). In the man page, it says the third and fourth fields are optional. They're not. So a valid part file is:
    root 400 /dev/sda1 rootfs
    /mnt/ephemeral 2000 /dev/sda2 instance

  2. Next, build an Ubuntu vm image. This works as long as you don't use any of the ec2 options:
    $ sudo vmbuilder xen ubuntu --suite=natty \
        --firstboot=/usr/share/doc/python-vm-builder-ec2/examples/ec2-firstboot.sh \
        --part=./part

  3. Bundle and upload your newly created image:
    $ mkdir image
    $ ec2-bundle-image --image ubuntu-xen/rootfs --destination ./image --cert $EC2CERT \
        --privatekey $EC2PRIVATEKEY --user $EC2USER --arch i386
    $ ec2-upload-bundle --access-key $EC2ACCESSKEY --secret-key $EC2SECRETKEY \
        --bucket $EC2IMAGESBUCKET --manifest ./image/rootfs.manifest.xml
    $ ec2-register --cert $EC2CERT --private-key $EC2PRIVATEKEY \
        $EC2IMAGESBUCKET/rootfs.manifest.xml

  4. The last line of that step will return "IMAGE ami-xxxxxxxx" where the "ami-xxxxxxxx" part is your AMI ID to use when launching instances.

Some notes:

  1. You could specify a different --kernel and --ramdisk when you ec2-bundle-image, but the defaults work well. I couldn't find a list of AKIs and ARIs with descriptions. If someone could help me out on that it would be awesome.
  2. You need to set up the environment variables (the things that start with $) to make this work. The names should be self-explanatory.
  3. You may want to customize your first boot script from the ec2 default.
  4. You can use the --addpkg parameter to add packages to your vm in the vmbuilder step (one package name per --addpkg). That's from the old JeOSVMBuilder docs. Lots of "hidden" info about vmbuilder there.