On occasion you may need to use AOL/AIM while stuck behind a firewall that doesn't let you connect directly. Most AIM clients, such as AOL's official client, iChat, Gaim, and others, support connecting to the AOL servers through a proxy server, but there are a handful of cases in which connecting still isn't straightforward.
If, for example, you are behind a corporate firewall, or any other sort of firewall beyond your control (such as the firewalls in many hotels), you may not have easy access to an HTTP or SOCKS proxy. And even if you do have access to one, the AOL servers may be blocked at the firewall to prevent the use of instant messaging.
However, in many of those situations your desktop machine can still make outgoing SSH connections to arbitrary hosts. And if you have a UNIX machine that you can control outside of the firewall, you may be able to route AIM over SSH.
Unfortunately, you can't simply forward individual ports with SSH: login.oscar.aol.com dynamically returns the hostname of the server you will actually chat through, so a fixed port forward can't follow the session without reactively redirecting packets based on the initial authorization response. Fortunately, many IM clients support proxy servers and can redirect all of their traffic through one, and a SOCKS proxy at the far end of the tunnel solves the problem: whatever hostname AOL hands back, the client simply asks the proxy to connect to it. That requires something more than a simple SSH forward, though. Thus...
To run AIM over SSH you will need the following:
- A desktop or laptop machine inside the firewall. This is the client.
- An instant messaging application that supports both the AIM protocol and SOCKS 5 proxies. (I recommend Gaim on Linux or Windows, and iChat on Mac OS X.)
- A UNIX machine outside the firewall that you can SSH into and install an application on. This is the server.
We'll configure each part one by one.
First, check to see if your client machine can connect to your server via ssh. If your server is behind a firewall (as it should be), you will need to ensure that SSH packets (port 22) are correctly routed to the server and that the server itself is not blocking those packets. Since this differs depending on how the network is configured, it is difficult to say in general how to allow incoming SSH packets.
Verify that you can connect to your server from your client:
    - 10000 - my.client.com - me - ~ - 09/08/04 - 15:53 - % ssh me@my.server.com
    me@my.server.com's password:
    Last login: Wed Sep  8 18:52:29 2004 from my.client.com
    - 10000 - my.server.com - me - ~ - 09/08/04 - 15:53 - % exit
Second, you will need to install the SOCKS proxy on the server. (I read an article on how to do this with an HTTP proxy, but recommend SOCKS instead, as SOCKS was designed for this type of application.)
A good, free, and open-source SOCKS 5 proxy is Dante. You can download the source here or download RPMS for most versions of RedHat Linux from Dag Wieers' site. If you download the RPMS, please be sure to get both the dante and the dante-server RPMS.
Note that this setup presumes you have root access on the server machine, and are installing dante as an init.d service, but there is nothing that would prevent it from being run as a normal user.
After installing Dante, make the following changes to /etc/sockd.conf. Because the SSH tunnel delivers every connection to the server's loopback interface, we will listen only there and drop password authentication on the server side: anything that arrives at 127.0.0.1:1080 has already authenticated to sshd. (The flip side is that any other user with a shell on the server can use the proxy too, so don't do this on a shared box.)
Change the `internal:`, `external:` and authentication-method lines to the following, so that sockd listens only on the loopback interface and requires no password:

    internal: 127.0.0.1 port = 1080
    external: [your server's eth0 IP address here, e.g., 192.168.1.1]
    clientmethod: none
    method: none

And add the following rules, which accept client connections and SOCKS requests only from 127.0.0.1:

    client pass {
        from: 127.0.0.1/32 port 1-65535 to: 0.0.0.0/0
    }
    pass {
        from: 127.0.0.1/32 to: 0.0.0.0/0
        protocol: tcp udp
    }

Note the mask: 127.0.0.1/32 matches exactly the loopback address. A shorter mask such as /1 would match half of the IPv4 address space, which does no harm while `internal:` is bound to 127.0.0.1 only, but would silently open the proxy to the world if that line were ever changed.
Now, restart sockd with a command like:
% sudo service sockd restart
Verify that you can connect to the SOCKS proxy locally (i.e., from the server) with telnet; a connected session proves sockd is listening on the loopback interface, though not yet that its rules will pass your traffic:

    - 10000 - my.server.com - me - ~ - 09/08/04 - 15:55 - % telnet localhost 1080
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
Third, you will need to establish an SSH forward from port 1080 on your client machine to port 1080 on the server. Try running:

    - 10000 - my.client.com - me - ~ - 09/08/04 - 15:56 - % ssh -L 1080:localhost:1080 -N me@my.server.com
    me@my.server.com's password:
    [leave the connection running in the background...]

`-N` tells ssh not to run a remote command, so it only holds the tunnel open. Avoid adding `-g` here: it lets other machines on your local network connect to the forwarded port, and since the proxy at the far end authenticates nobody, that would turn your server into an open SOCKS proxy for everyone on the hotel or office LAN. (Recent versions of OpenSSH can also act as a SOCKS proxy by themselves with `ssh -D 1080 -N me@my.server.com`, which avoids installing Dante on the server at all.)
Fourth, configure your IM client to connect via a proxy. In Gaim, open the account under Accounts->Modify and set the proxy type to "SOCKS 5", the proxy host to "127.0.0.1", and the proxy port to "1080"; leave the username and password blank, since the proxy at the far end of the tunnel authenticates nobody.
You can also set this for all Gaim connections under Preferences->Network.
Other clients that support SOCKS proxies, such as iChat, take the same three settings: proxy type "SOCKS 5", proxy host "127.0.0.1", proxy port "1080", with no username or password.
Now, with any luck you should be able to connect and use your IM client as if it were connected directly to the network.
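If the client still refuses to connect, the check below narrows the problem down to the tunnel, the proxy's authentication setting, or its rules. It is an added example for this write-up, not code from the original post, from Dante or from Gaim: it performs the SOCKS 5 handshake (RFC 1928) through the forwarded port at 127.0.0.1:1080 exactly as an IM client would, and reports which step the proxy refused. The address 127.0.0.1:1080 and the use of port 5190 for login.oscar.aol.com are assumptions taken from the steps above.

```python
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00           # what sockd accepts when "method: none" is set
METHOD_NONE_ACCEPTABLE = 0xFF   # proxy found no method it is willing to use
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928 section 6.  Code 2 is what you get when the
# "pass" rules in sockd.conf do not match the request.
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def build_greeting(methods=(METHOD_NO_AUTH,)):
    """Client -> proxy: version, method count, method list."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def parse_method_select(data):
    """Proxy -> client: version, chosen method; raises if none was accepted."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS 5 method-selection reply: %r" % (data,))
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ValueError("proxy rejected every offered method; is 'method: none' set?")
    return data[1]

def build_connect(host, port):
    """Client -> proxy: CONNECT host:port.  Sending the name (not an IP) makes
    the proxy, outside the firewall, do the DNS lookup."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS 5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

def parse_connect_reply(data):
    """Proxy -> client: returns (code, text, bound_host, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS 5 reply: %r" % (data,))
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        host, rest = data[5:5 + data[4]].decode("idna"), data[5 + data[4]:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated or over-long SOCKS 5 reply")
    return code, REPLY_TEXT.get(code, "unknown reply %d" % code), host, struct.unpack("!H", rest)[0]

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def _recv_connect_reply(sock):
    """Read a reply whose length depends on its address type."""
    head = _recv_exact(sock, 4)
    atyp = head[3]
    if atyp == ATYP_IPV4:
        return head + _recv_exact(sock, 4 + 2)
    if atyp == ATYP_IPV6:
        return head + _recv_exact(sock, 16 + 2)
    if atyp == ATYP_DOMAIN:
        n = _recv_exact(sock, 1)
        return head + n + _recv_exact(sock, n[0] + 2)
    return head  # unknown type: let parse_connect_reply report it

def socks5_connect(proxy, dest, timeout=10):
    """Open a TCP connection to dest=(host, port) through the SOCKS 5 proxy
    at proxy=(host, port); returns the socket or raises with the proxy's reason."""
    sock = socket.create_connection(proxy, timeout)
    try:
        sock.sendall(build_greeting())
        parse_method_select(_recv_exact(sock, 2))
        sock.sendall(build_connect(*dest))
        code, text, _, _ = parse_connect_reply(_recv_connect_reply(sock))
        if code != 0:
            raise ConnectionError("proxy refused CONNECT to %s:%d: %s" % (dest[0], dest[1], text))
    except Exception:
        sock.close()
        raise
    return sock

if __name__ == "__main__":
    # Assumed values: 127.0.0.1:1080 is the client end of the ssh -L forward
    # from step three; 5190 is the standard AIM (OSCAR) login port.
    s = socks5_connect(("127.0.0.1", 1080), ("login.oscar.aol.com", 5190))
    print("CONNECT succeeded; tunnel and proxy are working")
    s.close()
```

Run it on the client while the ssh forward is up. A refused TCP connection means the forward itself is not running; a method-selection reply of `05 ff` means sockd would not accept the no-authentication method (the `method: none` line is missing); a CONNECT reply with code 2 ("connection not allowed by ruleset") means the `pass` rules in sockd.conf rejected the request, usually because the `from:` address or mask is wrong.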
Note that this technique should work equally well for Yahoo! Messenger or MSN Messenger. (I've confirmed that it works for AOL and Yahoo.) In fact, it should work for any SOCKS 5 aware application that needs to bypass a firewall.
Please let me know if there are any problems that you see with this approach.
[Be sure to read the follow up, AIM over SSH for Windows, if that's what you need.]