 
Fylke
just joined
Topic Author
Posts: 4
Joined: Sat Oct 19, 2013 4:32 am

Best way to set up a proxy for someone living in China

Mon Oct 21, 2013 12:15 am

Hi,

My girlfriend is working in China and I've had a SOCKS proxy set up for her for a year or so with my old DD-WRT router, which was working rather well. I recently switched to a MikroTik router (the 750GL) and after a lot of tinkering I managed to get the SOCKS set up again, only it doesn't work as well as it used to. Basically it times out a lot when she tries to log in and even if she's logged in, she needs to log in again in order to unfreeze pages.

My setup is like this: I have the Socks proxy service running on the MikroTik with default settings, she logs in via the outwards SSH interface using a public key and then just sets her browser to use a Socks proxy on localhost.

Why is she getting such frequent timeouts when trying to log on? Is it just simple lag? The problem is that non-blocked pages (by the Great Firewall of China) are fine, almost snappy. If I ask her to do a ping, above what response times should I start blaming lag?

Also, is there a better way to set up a proxy? I expect to go work in China as well soon, so I'd be very interested in the strengths and weaknesses of different setups.

Interesting side note: When I ask her to do a traceroute to a Swedish page, this is what she gets:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Jen>tracert www.dn.se

Tracing route to a1910.g1.akamai.net [64.145.75.90]
over a maximum of 30 hops:

  1   281 ms   304 ms   198 ms  64.145.75.90

Trace complete.
How is that possible? I get like 8 hops and I'm in Sweden! Are the Chinese routers lying?

Oh right, I should include my firewall settings, maybe I've screwed something up there?
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp

 1   ;;; default configuration
     chain=input action=accept connection-state=established

 2   ;;; default configuration
     chain=input action=accept connection-state=related

 3   ;;; drop ftp brute forcers
     chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21

 4   chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m

 5   chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login incorrect

 6   ;;; Allow FTP login
     chain=input action=accept connection-state=new protocol=tcp in-interface=ether1-gateway dst-port=21 port=21

 7   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22

 8   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist
     address-list-timeout=1w3d dst-port=22

 9   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m
     dst-port=22

10   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m
     dst-port=22

11   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22

12   ;;; "Allow remote SSH login"
     chain=input action=accept connection-state=new protocol=tcp in-interface=ether1-gateway dst-port=22 port=22
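
Added example, not part of the original post: a small Python model of filter rules 7 to 12 as printed above, showing how many new SSH connections from one source it takes, within the 1m stage timeouts, to land that source on ssh_blacklist for 1w3d. It assumes that re-adding an address refreshes its list timeout; the class and function names are hypothetical and the source address is a constructed documentation-range value.

```python
# Model of filter rules 7-12 from the post above (SSH staging lists).
# Assumption: re-adding an address to a list refreshes its timeout.
STAGE_TTL = 60                      # address-list-timeout=1m
BLACKLIST_TTL = (7 + 3) * 86400     # address-list-timeout=1w3d

LISTS = ("ssh_stage1", "ssh_stage2", "ssh_stage3", "ssh_blacklist")


class SshStaging:
    def __init__(self):
        # list name -> {source address: expiry time in seconds}
        self.lists = {name: {} for name in LISTS}

    def _member(self, name, src, now):
        return self.lists[name].get(src, 0) > now

    def _add(self, name, src, now, ttl):
        self.lists[name][src] = now + ttl

    def new_connection(self, src, now):
        """Evaluate one connection-state=new packet to tcp/22; return the verdict."""
        if self._member("ssh_blacklist", src, now):      # rule 7: drop
            return "drop"
        # Rules 8-11 only add to lists and pass the packet on to the next rule.
        if self._member("ssh_stage3", src, now):         # rule 8
            self._add("ssh_blacklist", src, now, BLACKLIST_TTL)
        if self._member("ssh_stage2", src, now):         # rule 9
            self._add("ssh_stage3", src, now, STAGE_TTL)
        if self._member("ssh_stage1", src, now):         # rule 10
            self._add("ssh_stage2", src, now, STAGE_TTL)
        self._add("ssh_stage1", src, now, STAGE_TTL)     # rule 11
        return "accept"                                  # rule 12


def replay(times, src="198.51.100.7"):
    """Replay new-connection timestamps (seconds) from one constructed source."""
    fw = SshStaging()
    return [fw.new_connection(src, t) for t in times]


if __name__ == "__main__":
    print(replay([0, 10, 20, 30, 40]))      # quick reconnects
    print(replay([0, 50, 100, 150, 200]))   # reconnects 50 s apart
    print(replay([0, 90, 180, 270, 360]))   # reconnects 90 s apart
```

In this model the fourth new connection in a chain of attempts less than a minute apart is still accepted but blacklists the source, and every later attempt is dropped until the 1w3d timeout expires.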
 
Fylke
just joined
Topic Author
Posts: 4
Joined: Sat Oct 19, 2013 4:32 am

Re: Best way to set up a proxy for someone living in China

Mon Oct 21, 2013 4:51 pm

Some additional data:

The ability to connect seems not to be related to the ping times. There are times where the ssh connection times out when the ping is 300 ms, and other times when it does connect and the ping is almost 500 ms. The connection also sometimes drops with the error message "client connection closed before completion of protocol".
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Best way to set up a proxy for someone living in China

Wed Oct 23, 2013 1:56 pm

afaik you can't use dynamic port forwarding with the ssh server in routeros.
tried it once myself with no success.
but i must be wrong, or...how people in china say: i must be wong
 
Fylke
just joined
Topic Author
Posts: 4
Joined: Sat Oct 19, 2013 4:32 am

Re: Best way to set up a proxy for someone living in China

Thu Oct 24, 2013 6:27 pm

How does dynamic port forwarding apply to this situation? She logs in to my router using regular SSH, no port forwarding involved.

And please, no one appreciates your casual racism.
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Best way to set up a proxy for someone living in China

Fri Oct 25, 2013 6:35 pm

well, no harm intended with that joke
when you said your girlfriend uses localhost (127.0.0.1) as socks proxy ip i assumed she has a tunnel set up in putty or whatever ssh client she uses for connecting via ssh.
and by port forwarding i meant that the tunnel forwards the port of your socks server to her localhost interface via the tunnel.
i know that dynamic port forwarding in ssh means you can use the ssh server itself as a socks server, and that was the case here.
but i still think there is a problem in setting up tunnels over ssh connection in routeros.
 
Horva
just joined
Posts: 4
Joined: Sun Apr 23, 2017 7:11 pm

Re: Best way to set up a proxy for someone living in China

Sun Apr 23, 2017 7:27 pm

Is there any good guide to use OpenVPN/L2TP/... (with a service behind it like hide.me) and only route, for example, facebook/google/youtube through the VPN? All other access should be untouched.

I already got my L2TP Connection with hide.me up, but when I would like to browse something it does not route over it.

Kind regards :)