2020/03/04 How to get ssh working everywhere or http2tcp on steroids

Sometimes you are in a network where ssh is blocked. And sometimes it is even worse: you are behind a transparent store-and-forward proxy which allows only http GET requests. To get around this, there is a nice program called http2tcp, written by Klaus Aehlig and Helmut Grohne, which allows tunnelling tcp connections via syntactically correct http GET requests.

However, I don’t want to think about this when it is needed; it should just work. Another requirement for me is that connections to other servers should also work without additional thinking.

Fortunately the ssh config file is very flexible and allows this to be done automatically. It provides a hook to the shell, and the return value is used to decide whether a section is used. If we assume that being able to open a connection to port 22 of the server we use for http2tcp means we can connect via normal ssh everywhere, this can be used to decide whether the workaround is necessary. Otherwise, if we want to connect to the http2tcp server, a proxy command is used. If we want to connect to another server, we can use the proxy jump feature of openssh, which connects to the target host by first making an ssh connection to the jump host and then establishing TCP forwarding to the target host from there. It might be a bit of overkill, but it allows one to use ssh as normal (just slower) as long as there is something like an internet connection left.

Here is the snippet from my ssh config; it should come near the end, just before the defaults that apply to every host.

Match host lkamp.de !Exec "nc -w 2 -z lkamp.de 22"
    ProxyCommand http2tcp-client -r 3:0,3:0.1,5:1,10:3,oo:7 -f ~/.http2tcp http://lkamp.de/cgi-bin/myapp.cgi/
    ControlPersist no

Match !Exec "nc -w 2 -z lkamp.de 22" !host lkamp.de
    ProxyJump volans
    ControlPersist no
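
To check which of the three routes ssh will pick without opening a connection, the decision can be replayed with `ssh -G`. This is an added example, not part of the original post: it writes the two Match blocks to a temporary config, replaces the `nc` probe with a stand-in command (`true` for port 22 reachable, `false` for blocked), and assumes `volans` is a Host alias for lkamp.de, which the post does not show.

```shell
#!/bin/sh
# Added example: report the route ssh would take for a target host.
# route_for is a hypothetical helper name. The probe argument stands in for
# the post's `nc -w 2 -z lkamp.de 22`, so both network states can be
# simulated offline.

route_for() {  # usage: route_for <probe-command> <target-host>
    probe=$1
    target=$2
    cfg=$(mktemp) || return 1
    # Assumption: "volans" is an alias for lkamp.de (not shown in the post).
    cat >"$cfg" <<EOF
Host volans
    HostName lkamp.de

Match host lkamp.de !Exec "$probe"
    ProxyCommand http2tcp-client -r 3:0,3:0.1,5:1,10:3,oo:7 -f ~/.http2tcp http://lkamp.de/cgi-bin/myapp.cgi/
    ControlPersist no

Match !Exec "$probe" !host lkamp.de
    ProxyJump volans
    ControlPersist no
EOF
    # ssh -G evaluates the Host and Match blocks (running the exec probe),
    # prints the resulting options and exits without connecting.
    out=$(ssh -G -F "$cfg" "$target") || { rm -f "$cfg"; return 1; }
    rm -f "$cfg"
    printf '%s\n' "$out" | awk '
        $1 == "proxycommand" { r = "http2tcp" }
        $1 == "proxyjump"    { r = "jump via " $2 }
        END { print (r ? r : "direct") }'
}

# Stand-alone use: sh route.sh false example.org
if [ $# -eq 2 ]; then
    route_for "$1" "$2"
fi
```

Because `Match host` is evaluated against the name after `HostName` substitution, `ssh volans` takes the http2tcp route when the probe fails, which is what lets the jump connection itself get through the proxy.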