Getting Gemini to the school


My current school offers free Wi-Fi (and laptops) while I study there. However, the network doesn't allow Gemini (or any protocol that isn't HTTP or doesn't go through port 443).

So, in order to be able to continue taking care of my plant and following gemlogs while at school, I decided to make Lagrange work with this restrictive network.


🌱 My plant

Lagrange


A (normal) HTTPS request works in the following way through the proxy:


1. The user asks (kindly) their browser to fetch a page (we'll take https://gemini.circumlunar.space as an example).

2. The browser sees that a proxy is needed, and that it is an HTTP proxy at address 192.168.228.254, port 3128.

3. The browser opens a TCP connection to the proxy, and sends a CONNECT request.


```
CONNECT gemini.circumlunar.space:443 HTTP/1.0
```

4. The proxy, if its policy allows it, opens a TCP connection to the requested server (in this case gemini.circumlunar.space:443), and splices both of those connections together.

5. The browser and the server complete the TLS handshake, and the normal HTTP request/response happens, all without the proxy being able to see or interact with the exchange, except by closing the connection.
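The CONNECT exchange described in the five steps above, as an added Python example that is not from the original post: it builds the request line a browser would send, parses it the way a proxy would, and returns the proxy's verdict. The port allowlist, the 403 response for other ports and the audit line are assumptions that model the page's description of the school proxy (only port 443 is tunnelled); they are not the real proxy's code.

```python
"""Simulated HTTP CONNECT exchange with a port-restricted proxy (added example)."""
import re

# Assumption: the school proxy only tunnels CONNECT requests to port 443.
ALLOWED_PORTS = frozenset({443})

# Request line as described in step 3 of the page.
_REQ_LINE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def build_connect_request(host: str, port: int) -> bytes:
    """What a browser sends to the proxy before the TLS handshake starts."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def parse_connect_request(raw: bytes):
    """Proxy side: extract (host, port) from the request line, rejecting anything else."""
    m = _REQ_LINE.match(raw)
    if not m:
        raise ValueError("not a CONNECT request")
    host = m.group(1).decode("ascii")
    port = int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host, port


def proxy_decide(raw: bytes, allowed_ports=ALLOWED_PORTS):
    """Proxy side: apply the port policy and return (status code, response bytes).

    A real proxy would, on 200, open the upstream TCP connection (step 4) and
    splice the two sockets; from then on it only sees opaque TLS records.
    """
    try:
        host, port = parse_connect_request(raw)
    except ValueError:
        return 400, b"HTTP/1.0 400 Bad Request\r\n\r\n"
    if port not in allowed_ports:
        return 403, b"HTTP/1.0 403 Forbidden\r\n\r\n"
    return 200, b"HTTP/1.0 200 Connection established\r\n\r\n"


def audit_line(raw: bytes, status: int) -> str:
    """Constructed log format: the host:port a proxy should record for each CONNECT.

    Note that the proxy can only ever log the requested endpoint, never the
    protocol carried inside the tunnel.
    """
    try:
        host, port = parse_connect_request(raw)
    except ValueError:
        return f"CONNECT <unparseable> status={status}"
    return f"CONNECT {host}:{port} status={status}"


def simulate(host: str, port: int) -> int:
    """Run the browser and proxy halves of the exchange and return the status."""
    status, _response = proxy_decide(build_connect_request(host, port))
    return status


if __name__ == "__main__":
    for target in (("gemini.circumlunar.space", 443), ("gemini.circumlunar.space", 1965)):
        req = build_connect_request(*target)
        status, _ = proxy_decide(req)
        print(audit_line(req, status))
```

The 403 branch is the policy the page runs into: a Gemini request to port 1965 is refused at the CONNECT stage, while a CONNECT to 443 is accepted regardless of what is later spoken inside the tunnel, which is the only thing the proxy's audit log will show.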


However, this only works when the software is designed to be able to use this kind of proxy, and the specific proxy that I must use only accepts CONNECT requests to port 443.

I rent a server at Linode. This allows me to have an SSH server listening on port 443, and once I connect to this SSH server, I have full access to the Internet!


First problem solved, I am able to get access to other ports than 443.


The second problem is getting Lagrange (my Gemini browser) to pass through this SSH tunnel.


The first thing I thought of was using the SOCKS proxy feature of most (all) SSH clients, which Windows' ssh client supports. However, Lagrange doesn't support this.


The second thing I thought of was using a Gemini-to-Gemini proxy that would run on my Linode, and have only a single port tunnel from my computer to my Linode, but the problem was that I didn't find a Gemini-to-Gemini proxy that could also forward client certificates, despite this being supported by Lagrange.


Since I am on Windows, most of the solutions that I found to get the "raw" data to go through an SSH connection (or SOCKS) without the software needing special treatment didn't work. I finally settled on using a Python solution named sshuttle, but it only works on Unix-like systems.

WSL to the rescue! I was able to get WSL (a kind of lightweight VM that also has integrations with Windows) to install and run sshuttle, and then reroute most of the traffic to WSL, which takes care of encapsulating the packets and sending them through an SSH tunnel to my Linode, which decapsulates the packets and sends them to the final server.

I set up a public key for my Linode, but I didn't want to duplicate it between the Windows ssh client and WSL's. One great feature of WSL is that you can run .exe programs, and it just works.

sshuttle has an option to use another ssh client, and setting it to ssh.exe makes Windows' ssh.exe run, in the Windows environment, with the key on the Windows side.

Another benefit is that the WSL firewall rules (that redirect all traffic to sshuttle) don't affect the ssh connection; it is only affected by the Windows configuration!

Rerouting the traffic is a matter of changing the routes in Windows, and done!


So to recap the path taken by my Gemini request:

1. Lagrange asks Windows to open a TCP connection to gemini.circumlunar.space, port 1965.

2. Windows sees that it is not on the local network, so it looks for the corresponding gateway, finds WSL's IP, and forwards the connection to it.

3. sshuttle receives this connection and transmits it over SSH, via the school proxy, using Windows' TCP stack.

4. The Linode forwards the connection to the server.

5. The normal Gemini protocol follows (TLS handshake, Request, Status, Body, Close).


If you got this far and still have questions, or you just want to give feedback, send an email to albertlarsan@unbon.cafe, and I will add clarifications down here.


Here is a first comment:


Hi Albert,

I just read your article about "circumventing" the proxy restrictions at your school. Nice and hacky solution. I don't have much experience with Windows but I know that many institutions have such restrictions in place. Personally I deal with this by using the hotspot feature of my smartphone using my own ISP, but I guess this has some other implications for you.

Have fun,

-fab-


Hello Fab,

Thanks for your comment.

I know that some of my colleagues use their smartphones' hotspot, but I don't have data in my mobile plan. I like finding my own ways, but I admit it would all be way simpler if I had this solution. Also, why not use something that is free (paid by the taxes, but free for me)?



/gemlog/