Setup Service to browse filtered/blocked web-sites on Linux

Hello,

I want to know about services that allow us to browse filtered/blocked websites.
In some countries, such as Iran, Syria, Jordan, etc., it is not possible to browse some websites.

Would you mind telling me about services/software/etc. that allow us to secure the connection and get past this type of filtering service?

I want to do it on Linux (CentOS distro).

To pass content filtering:

* I tried PPTP VPN services and set one up on Linux, but the speed is too low.
* I tried Squid with Tor, but it just changes the IP address and can't pass filtering; I only got anonymity.
* I tried tunneling over SSH, but it is filtered too.

Would you mind helping me with this issue?
arnold

The problem is that while it is possible, it seems you've already considered the methods to achieve it.
Besides PPTP there are other VPN solutions, OpenVPN, etc.

Proxy via the VPN connection. Note that whoever you grant VPN access will have the access to "attack" your server.

It seems you've considered things such that I am uncertain what you are asking.
re-searcher (ASKER)
Arnold,

Currently I have set up a PPTP VPN and authenticate it through RADIUS.
For security I limit access to ports and users by groups.
But the PPTP protocol is limited by some ISPs. Everything is OK, but the speed is too low because PPTP is filtered. As for L2TP, it is completely filtered and it's not possible to establish a connection.

OpenVPN is filtered too, and it's not possible to connect to the server with OpenVPN.
Even the SSH port is filtered.

Security is not my concern; I will scan the server and secure it.

I installed Squid and integrated it with RADIUS for authentication. I can surf the internet with the server's public IP (when I set the proxy to the Squid port), but I can't pass filtering and browse filtered websites.

What can I do in this situation to pass filtering and browse filtered websites without reducing speed?

Are there any ways of encrypting the traffic?
I can't pass filtering and browse filtered websites with the Squid proxy server.
What you can think of, those so inclined have also; that is the nature of those governments.
Set up a secure proxy (listening on port 443)
with user authentication. But port 443 could be filtered as well.
http://www.cyberciti.biz/faq/securing-apache-mod_proxy-serve/

Filtering likely tests for encrypted traffic and 'filters' it.
Is it possible to transfer Squid traffic with encryption?
Or what about other ports?
Financial software like MetaTrader is filtered too :) Are there any solutions for them?
There is nothing about installing a secure proxy in the article you posted in your last reply.
Do you know whether I can configure SOCKS5?

Somebody using SOCKS5 can pass this. In addition to the server configuration, they use some third-party applications.
SOCKS5 deals with an SSH tunnel, which you already pointed out as being blocked.
I think with some providers it's possible to use SOCKS5.

I installed ss5 (something like dante-server).
How can I create a tunnel, for testing? Or should I tell one of my friends to do it for me?

Would you mind helping me with this issue?
ss5: are you using the GUI or the CLI interface to define the IPsec tunnel?
No, I just installed and configured all of them with SSH shell access.
In addition, SS5 is an application that offers SOCKS and doesn't have any graphical user interface.
Sorry, I thought of ss5 as in a Juniper security appliance.
All ports are filtered, so pushing encrypted data back and forth seems to be the only way, i.e. an encrypted request is received, the response is then encrypted, and so the process goes, but both sides have to have the client/server setup.
Arnold,
ss5 is not for Juniper, it's a different app -> http://ss5.sourceforge.net/

* Would you mind telling me how I can create a SOCKS5 server on CentOS, and how users should configure their Proxifier software?

In addition, do you know something regarding this question: https://www.experts-exchange.com/questions/27581976/What's-most-secure-L2TP-software-for-CentOS.html
SOCKS5 is already there, i.e. you have to use ssh with a dynamic tunnel.
Then you would configure the browser with the port and localhost in the SOCKS proxy configuration and you are done. The SSH filtering will be the issue.

I have looked at the question; I have not used openswan or xl2tpd.
I will update if I have additional information or suggestions.
I installed Openswan, xl2tpd and rp-l2tpd.

How can I integrate SSH tunneling authentication with RADIUS?
Is it possible?
I don't want users to have any shell/access to the server through SSH.
SSH can authenticate against LDAP. Depending on your setup, RADIUS uses either MySQL, tdbsam, or LDAP as the location where the users/configurations are.

You can deny users the right to establish a shell while still being able to establish a tunnel.

Shell /bin/true; it also depends on how sophisticated the users are.
ssh -f -N -D <port_for_use_with_socks> user@remoteserver
Within PuTTY,
under the SSH option, the user will select "Don't start a shell or command at all."
and they will have a tunnel, but without a shell or the ability to access a shell.
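The "tunnel but no shell" setup above can also be enforced on the server side with a Match block in sshd_config rather than only through the user's login shell. The following is an added example, not code from the thread: it parses an sshd_config text with the semantics sshd_config(5) documents (directives before the first Match are global, a Match block overrides them for matching connections, and when several Match blocks match, the first value obtained for each keyword wins) and reports whether a given user ends up tunnel-only. The sample config, the group name "tunnel" and the user names are constructed for the example; only Match User and Match Group criteria are handled.

```python
"""Added example (not from the thread): compute the settings sshd would apply
to a user from an sshd_config text, to verify that a "Match" block really
removes the shell/pty but keeps the port forwarding an ssh -D tunnel needs.
Only "Match User" and "Match Group" criteria are modelled."""

# Constructed sample config (hypothetical group "tunnel"): globals allow a
# shell; the Match block takes it away for tunnel users but keeps forwarding.
SAMPLE_SSHD_CONFIG = """
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding yes
PermitTTY yes
X11Forwarding yes

Match Group tunnel
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    ForceCommand /bin/true

Match User admin
    PermitTTY yes
"""


def parse_sshd_config(text):
    """Return (global_settings, [(criteria, settings), ...]) in file order.
    Keywords are lower-cased; values keep their original spelling."""
    globals_, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # "Match User alice Group tunnel" -> {"user": "alice", "group": "tunnel"}
            words = value.split()
            criteria = {words[i].lower(): words[i + 1] for i in range(0, len(words) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            globals_[key] = value
        else:
            current[key] = value
    return globals_, blocks


def _block_matches(criteria, user, groups):
    """Does a Match block apply to this user (member of these groups)?"""
    for crit, pattern in criteria.items():
        if crit == "user" and user not in pattern.split(","):
            return False
        if crit == "group" and not set(groups) & set(pattern.split(",")):
            return False
        if crit not in ("user", "group"):
            return False  # unsupported criterion: treat as non-matching
    return True


def effective_settings(text, user, groups):
    """Settings sshd would apply to `user`: first matching Match block wins
    per keyword, then globals fill in whatever no block set."""
    globals_, blocks = parse_sshd_config(text)
    effective = {}
    for criteria, settings in blocks:
        if _block_matches(criteria, user, groups):
            for key, value in settings.items():
                effective.setdefault(key, value)
    for key, value in globals_.items():
        effective.setdefault(key, value)
    return effective


def is_tunnel_only(settings):
    """True if the user gets no shell and no pty but can still open -D forwards
    (AllowTcpForwarding yes/local/all). ForceCommand never runs with ssh -N."""
    no_shell = settings.get("forcecommand", "") in ("/bin/true", "/bin/false", "/sbin/nologin")
    no_pty = settings.get("permittty", "yes").lower() == "no"
    forwarding = settings.get("allowtcpforwarding", "yes").lower() in ("yes", "local", "all")
    return no_shell and no_pty and forwarding


if __name__ == "__main__":
    for user, groups in (("alice", ["tunnel"]), ("bob", ["users"]), ("admin", ["tunnel"])):
        s = effective_settings(SAMPLE_SSHD_CONFIG, user, groups)
        print(user, "tunnel-only" if is_tunnel_only(s) else "can get a shell")
```

Note the ordering trap the sample shows: "admin" is in the tunnel group and the Match User admin block comes second, so its PermitTTY yes never takes effect; an exemption block has to come before the group block. With this in place the client still has to connect with `ssh -N -D ...`, because without -N a session is requested, the forced /bin/true exits, and the connection drops.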
But I saw somebody connect to the server through another application like Proxify.
Do you know what that is?
Are there any applications where the user doesn't run any command?

Are there any other types of tunneling?
Proxify is not a secure method, it is only anonymous, i.e. the site being visited does not have direct information on the source of the request. The data between the browser and the remote site is sent in clear text and can be observed.
If you are adept in Java programming, you could set up a webpage to which people could go, and the Java interface would provide the encrypt/decrypt of data being sent to the server side to proxy the requests, but you have to make sure your Java app is browser compliant; in reality it will be a "browser" within a browser.

Fortunately, I am not faced with such restrictions. Trying to get out of an ever-enclosing box with the ........ in mind is difficult.
If I limit SSH with "PasswordAuthentication no" and "AllowUsers root" and do authentication with RADIUS, is SSH tunneling possible?
AllowUsers root has nothing to do with it.
They will have to provide you with public keys (id_dsa.pub, id_rsa.pub and/or identity.pub), which you would then store in the .ssh/authorized_keys file in the home dir of the user they will be using to connect.
This way, removing the key will prevent the user from logging in, and there is no password to know.

I do not think you can use ssh with RADIUS authentication. RADIUS is a specific mechanism, i.e. a service is accessed, it generates a RADIUS auth-request with data to a RADIUS server, etc.
Well, I've not seen it done, but this covers how:
http://www.howtoforge.com/configuring-ssh-to-use-freeradius-and-wikid-for-two-factor-authentication

The question is where the users are listed for RADIUS: MySQL, etc.?
It's not important that the data is transferred in secure mode (with encryption). I just want to break content filtering.

In addition, I've been hearing about a new method where data is transferred in image headers; do you know about it?
I know about 2-factor authentication; I read this 2 months ago...
I want to create users in RADIUS and authenticate SSH tunneling with the pam_radius_auth module.
I know how I should do it.
My only question is, I don't want users to be able to have shell access.
If I activate authentication with certificates, will they be able to establish an SSH tunnel?
Authentication with certificates will not allow RADIUS authentication.

You cannot escape content filtering unless the data is encrypted or is not being passed within the content. This is why proxyit.com and any other proxy does not .........
I installed and integrated pam_radius_auth with ssh, but I can only log in as root; it's not possible to log in with my FreeRADIUS users.

Actually, I followed the HowtoForge article you posted in your previous reply.

I did it step by step until -> Configuring the WiKID Server.

Is there anything else that I haven't done?
I can't log in to SSH with RADIUS users.

#cat /etc/pam.d/sshd
#%PAM-1.0
# Try RADIUS first; "sufficient" means a RADIUS Access-Accept ends the auth stack here
auth       sufficient   /lib/security/pam_radius_auth.so debug client_id=linux
# Fall back to the normal local password check via the system-auth stack
auth       sufficient   pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

Don't worry about the WiKID section; you have to make sure that you configure the RADIUS-related parts.
Check your FreeRADIUS log to see whether it sees requests and is possibly rejecting them as coming from an unknown client.
The problem is that ssh doesn't talk to FreeRADIUS.

I tested it with "radiusd -X", and when I try to log in with ssh it doesn't talk to FreeRADIUS.
Are you using password authentication or key authentication?

As I said, I've not set up ssh to RADIUS, so I'm not sure about your setup if you followed the directions in the link; nor am I
sure why you are not setting up LDAP, which has the functionality you want.

Presumably you have radiusclient-ng installed for your pptpd/L2TP VPN tests with a RADIUS backend.
See if that is interfering.

Use strace -f -p <sshd_pid> and see what it is doing when connecting.
Not sure whether the PAM handling is done.
Enable debugging on the sshd server and see what it is reporting.
Arnold,

Thanks for your help.
It's working well; I just made a mistake in understanding pam_radius_auth...

Is there a way to set this up so that I do not have to first CREATE the user locally? So I can just add the user to RADIUS and then that user can log in system-wide?
RADIUS will authenticate the user; you may need to use oddjob to have the directory created for them. The issue, since the users will not actually be establishing a session, is that I'm not sure whether you need to, or where you think you would add them.
When adding a user to RADIUS, you may have to pass arguments such as home/shell/uid/gid, etc.
In /etc/pam.d/system-auth add at the end, if you do not already have it:
session     required      pam_oddjob_mkhomedir.so skel=/etc/skel

This process will handle the creation of the home dir for a user.

Then try to establish the tunnel without getting the shell.
Arnold,

I just need this to authenticate for establishing the tunnel (as you said).
So is it enough to use the session pam_oddjob entry to accept users just for establishing a tunnel and not shell access?

Is that right?
oddjob is the winbindd tool that sets up the home directory for users who authenticated through a Windows AD, i.e. they do not have an entry in /etc/passwd, which is what I think you meant in the question http:#a37586361
"Is there a way to set this up so that I do not have to first CREATE the user locally."

I guess the default settings will apply to the user function, which is not what you want.
Usually the default (useradd -D) has a shell defined versus nologin;
you could change the default configuration to
useradd -D -s /bin/true
This way, when you create a user that needs access, you have to specify -s /bin/bash on the command line to grant them shell access.

Test your setup: try an ssh connection with a user/password from RADIUS that is not defined in /etc/passwd and see whether you get a shell.
Not sure what the uid of the user will be in the shell; make sure it is not seen as 0 (root-level access).
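The two checks in the reply above (tunnel accounts really have a non-interactive shell, and no account other than root resolves to uid 0) are easy to automate once accounts are being created with useradd -D -s /bin/true. The following is an added example, not code from the thread: it parses passwd-format lines and flags both conditions. The sample lines, the account names and the set of tunnel users are constructed for the example.

```python
"""Added example (not from the thread): audit a passwd-format file for
(1) accounts with UID 0 that are not root and (2) tunnel-only accounts that
still carry an interactive shell. Sample data is constructed, not from a host."""

# Shells that cannot be used interactively; /bin/true follows the thread's
# "useradd -D -s /bin/true" suggestion.
NO_SHELL = {"/bin/true", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample of /etc/passwd lines (hypothetical accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin:x:500:500:Admin:/home/admin:/bin/bash
vpnuser1:x:501:501:Tunnel user:/home/vpnuser1:/bin/true
vpnuser2:x:502:502:Tunnel user:/home/vpnuser2:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
"""

# Accounts that are only supposed to open ssh -D tunnels (hypothetical).
TUNNEL_USERS = {"vpnuser1", "vpnuser2"}


def parse_passwd(text):
    """Yield one dict per well-formed passwd line (7 colon-separated fields);
    raise on malformed lines rather than silently skipping them."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, _, uid, gid, gecos, home, shell = fields
        yield {"name": name, "uid": int(uid), "gid": int(gid),
               "gecos": gecos, "home": home, "shell": shell}


def audit_passwd(text, tunnel_users):
    """Return a list of (username, problem) findings."""
    findings = []
    for entry in parse_passwd(text):
        # Any second uid-0 account is root by another name.
        if entry["uid"] == 0 and entry["name"] != "root":
            findings.append((entry["name"], "uid 0 but not root"))
        # A tunnel user with a real shell can get past "Don't start a shell".
        if entry["name"] in tunnel_users and entry["shell"] not in NO_SHELL:
            findings.append((entry["name"],
                             "tunnel user has interactive shell %s" % entry["shell"]))
    return findings


def useradd_cmd(name, shell="/bin/true"):
    """useradd invocation for a new tunnel-only user; -s is given explicitly so
    the result does not depend on the host's useradd -D default."""
    return ["useradd", "-m", "-s", shell, name]


if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE_PASSWD, TUNNEL_USERS):
        print("%s: %s" % (user, problem))
    print(" ".join(useradd_cmd("vpnuser3")))
```

Running it over a real host is `audit_passwd(open("/etc/passwd").read(), TUNNEL_USERS)`; users that come only from RADIUS will not appear there at all, which is exactly why the shell they get has to be pinned by sshd or by the useradd default rather than assumed.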
Hi Arnold,

I set up SS5 and integrated it with RADIUS. Auth works well,
but I can't browse the internet.

I could connect to the server with Proxifier using one of the RADIUS accounts, but I can't browse the internet....

Is there anything I should set, like forwarding rules, etc.?
Do your browser settings point to this ss5 host/setup?
Yes,

I'm using Proxifier.com's product on Mac and it does that automatically.
After I set Proxifier's settings and tried to browse a website, it does the authentication fine, but I can't browse any website.
Unfamiliar with ss5; on a quick view, ss5 is unencrypted and might be being blocked.
Do you know what's familiar and popular for CentOS?
The issue is that your goal is unusual, which means a common setup is not an option.
Check whether ss5 has debug options. Then check, when you are trying to browse, whether the request reaches ss5 and, if so, whether it is then being sent out, gets a response, and sends a response back.
Do you know any other SOCKS server that supports SSL, etc. and has good documentation?

I received the following error in the ss5 log file...
[18/Feb/2012:08:32:04 GMT] [22569] 10.110.14.69 "" "" ISERROR - - - (-:- -- -:-) (Socks method unknown or bad request)
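A rejection of this shape happens at the very first step of a SOCKS5 connection, before any website is asked for: the client sends a greeting listing the authentication methods it supports, and the server either picks one or answers with 0xFF ("no acceptable methods"). If the server is configured to require username/password (method 0x02) but the client offers only "no authentication" (0x00), or if the client speaks SOCKS4 (version byte 0x04), the handshake fails at this point and the browser sees no traffic at all. The following is an added example, not ss5's code and not from the thread: both sides of the RFC 1928 method negotiation and the RFC 1929 username/password sub-negotiation, with a constructed server-side policy and made-up credentials standing in for the RADIUS back end.

```python
"""Added example (not from the thread): both sides of the SOCKS5 method
negotiation (RFC 1928) and username/password sub-negotiation (RFC 1929).
The server logic is a constructed model, not ss5's own code; the credential
store is made up for the example."""

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
USERPASS_VERSION = 0x01

# Constructed credential store standing in for the RADIUS back end.
ACCOUNTS = {"vpnuser1": "s3cret"}


def client_greeting(methods):
    """Client -> server: VER | NMETHODS | METHODS... (RFC 1928 section 3)."""
    return bytes([SOCKS_VERSION, len(methods)] + list(methods))


def server_select_method(greeting, required=(METHOD_USERPASS,)):
    """Server -> client: VER | METHOD. A server that only accepts the methods
    in `required` answers 0xFF when none of them was offered; anything that is
    not a well-formed SOCKS5 greeting is rejected as a bad request."""
    if not greeting or greeting[0] != SOCKS_VERSION:
        ver = greeting[0] if greeting else None
        raise ValueError("not a SOCKS5 greeting (version byte %r)" % ver)
    if len(greeting) < 2:
        raise ValueError("bad request: NMETHODS missing")
    nmethods = greeting[1]
    offered = list(greeting[2:2 + nmethods])
    if len(offered) != nmethods:
        raise ValueError("bad request: NMETHODS=%d but %d methods present"
                         % (nmethods, len(offered)))
    for method in required:
        if method in offered:
            return bytes([SOCKS_VERSION, method])
    return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])


def client_userpass(username, password):
    """Client -> server: VER | ULEN | UNAME | PLEN | PASSWD (RFC 1929)."""
    u, p = username.encode(), password.encode()
    return bytes([USERPASS_VERSION, len(u)]) + u + bytes([len(p)]) + p


def server_check_userpass(msg, accounts=ACCOUNTS):
    """Server -> client: VER | STATUS, where 0x00 means success."""
    if not msg or msg[0] != USERPASS_VERSION:
        raise ValueError("bad user/pass sub-negotiation version")
    ulen = msg[1]
    plen = msg[2 + ulen]
    if len(msg) != 3 + ulen + plen:
        raise ValueError("bad request: length does not match ULEN/PLEN")
    uname = msg[2:2 + ulen].decode()
    passwd = msg[3 + ulen:3 + ulen + plen].decode()
    ok = accounts.get(uname) == passwd
    return bytes([USERPASS_VERSION, 0x00 if ok else 0x01])


def negotiate(methods, username=None, password=None):
    """Run the exchange end to end and name the outcome:
    'ok', 'no-acceptable-method' (server replied 0xFF) or 'auth-failed'."""
    reply = server_select_method(client_greeting(methods))
    if reply[1] == METHOD_NONE_ACCEPTABLE:
        return "no-acceptable-method"
    if reply[1] == METHOD_USERPASS:
        status = server_check_userpass(client_userpass(username or "", password or ""))
        return "ok" if status[1] == 0x00 else "auth-failed"
    return "ok"


if __name__ == "__main__":
    print(negotiate([METHOD_NO_AUTH]))                                   # no-acceptable-method
    print(negotiate([METHOD_NO_AUTH, METHOD_USERPASS], "vpnuser1", "s3cret"))  # ok
```

The practical check this suggests: confirm in Proxifier that the proxy type is SOCKS5 (not SOCKS4) and that username/password authentication is enabled for it, then watch the ss5 log again. Everything here is still plain TCP, so it says nothing about whether the filtering in between lets the connection through.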

ss5 seems to advertise a newer version that supports SSL.
The goal you seem to be pursuing is to allow the oppressed to bypass their oppressor's restrictions. The difficulty is that the oppressor controls both the means and the manner of access. The only way under these circumstances is to use a specially designed client/server where the data is encrypted and sent in a manner that passes port 80, i.e. a Java applet that then uses client encryption to send data back and forth. Browser within the browser.
I've been hearing that ss5 has many overflow bugs.

Do you know any SOCKS app that supports FreeRADIUS auth?
Arnold,

I'm not an expert; would you mind giving detailed/complete answers?