the fast, reliable localhost tunneling solution

Skip to navigation

Tunneling SSH over PageKite

By Bjarni R. Einarsson 2024-12-20, 22:47

SSH can be tunneled over PageKite, allowing your SSH server to be reachable from anywhere, even if behind NAT or a strict firewall. This is very handy for remote administration, automated backups or simply copying files back and forth.

Contents:

Configuring the SSH server

If you have installed PageKite with the DebianPackage or RpmPackage, follow the instructions on ConfigureYourSystem.

Assuming you already have an SSH server running on port 22 on your local machine, and the machine has an active PageKite connection named user.pagekite.me, run the following command to add it to your configuration file:

$ pagekite.py --add 22 ssh:user.pagekite.me

Alternately, you can edit the configuration file yourself, adding a line like so:

service_on=raw/22:user.pagekite.me:localhost:22:SECRET

Restart pagekite.py, and the SSH server should be accessible.

Making sure you connect to the right server

If you want to verify later that you are indeed connecting to the correct server, you can display the server's public SSH key fingerprints using commands like so:

ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

Exactly which of the above commands apply on your system may vary (and you may need to tweak the paths slightly), but one of the listed fingerprints should be displayed by your ssh client the first time you connect.

Configuring the SSH client

If your SSH client supports it, simply configure it to use user.pagekite.me:443 as the HTTP proxy and connect to user.pagekite.me on the standard port, 22.

Note: The Windows SSHAndTunnels page describes in more detail how to configure PuTTY for use with PageKite.

Configuring openssh for HTTP Proxying

The popular OpenSSH client allows you to permanently configure specific options on a host-by-host basis, by adding sections to the file ~/.ssh/config. Note: On some systems, including OSX, ~/.ssh/config might not exist and you will have to create it.

Assuming you have the OpenBSD version of netcat installed (openssh will use it to handle the HTTP proxy connection), you can add the following three lines to your SSH configuration to permanently enable SSH-over-PageKite for the host named user.pagekite.me:

Host *.pagekite.me
  CheckHostIP no
  ProxyCommand /bin/nc -X connect -x %h:443 %h %p

(Watch out for fake line-breaks, the above should be exactly 3 lines.)

Note for OSX users: netcat is located at /usr/bin/nc instead of /bin/nc -- change the above lines accordingly

Note for Android Termux users: The OpenBSD netcat package is named "netcat-openbsd" and is located at /data/data/com.termux/files/usr/bin/nc instead of /bin/nc -- change the above lines accordingly

After making this change, you should be able to use ssh, scp and any other ssh-based commands to connect to user.pagekite.me without any special arguments:

ssh user.pagekite.me  # That's all folks!

Note: Outdated instructions have been moved: HttpBeforeSsh

Configuring ConnectBot for HTTP Proxying (Android)

The official ConnectBot Android SSH client does not support HTTP proxying. However, we have submitted a patch to the developers, which will hopefully be included in a future release.

In the meantime, our patched .apk can be downloaded from:

This adds a "Use HTTP Proxy" to the "Edit host" settings. To connect over PageKite, change this setting to: user.pagekite.me:443

Troubleshooting

Here are a few common error messages you may encounter, along with the explanations and solutions we are aware of at the moment.

/bin/nc: invalid option -- 'X'

If you see the error above, or a similar one, then you are using the wrong version of netcat - you need the OpenBSD version, or some other version which has support for HTTP proxies. Another alternative which is known to work instead of netcat, is corkscrew. Then the SSH configuration is:

Host *.pagekite.me
  CheckHostIP no
  ProxyCommand corkscrew %h 443 %h %p

ssh_exchange_identification: Connection closed by remote host

This error can mean many things - but it usually does not mean there is a problem with passwords or ssh keys!

One possible cause of this, is if you have not configured netcat or an alternative correctly for the domain name you are connecting to. Check for typos in your configuration file.

In other cases, this error may be preceded by an error from netcat or your connection tool, which will give hints about what the real problem is.

nc: getaddrinfo: nodename nor servname provided

This error means netcat was unable to look up the requested host in DNS. Usually this means you either have a typo somewhere, or your the pagekite.py connector on the SSH server side is not running properly.

nc: Proxy error: "HTTP/1.0 503 Unavailable"

This error generally means pagekite.py is not running on the SSH server or has failed to connect to the front-end relay server.

Comments

  1. zellda said on 2011-12-20, 16:19
    No luck with that.
    Get:
    /bin/nc: invalid option -- 'X'
    when I try to connect.

    nc -h shows no x-option!
    Permalink
  2. Bjarni Rúnar Einarsson said on 2011-12-20, 16:24
    You need the OpenBSD version of netcat for these examples to work. There are other tools which can accomplish the same thing, for example corkscrew (ex. http://wiki.kartbuilding.net/index.ph...).

    Basically anything which will let you connect via. an HTTP proxy will work, you simply treat your PageKite hostname as the name of an HTTP proxy on port 443.
    Permalink
  3. Frédéric Gobry said on 2012-01-30, 19:12
    corkscrew worked quite nicely for me:

    ProxyCommand /usr/bin/corkscrew %h 443 %h %p
    Permalink
  4. Amit said on 2012-02-20, 02:40
    And it works like a charm. Beauty!
    Permalink
  5. Thiago Jung Bauermann said on 2012-02-23, 03:08
    Just FYI: I asked pagekite to listen for SSH connections on a different port than the standard one (22), and when trying to connect I got:

    nc: Proxy error: "HTTP/1.1 400 Bad request"

    When I changed pagekite to listen on port 22, it worked.
    Permalink
  6. Bjarni Rúnar Einarsson said on 2012-02-23, 09:20
    Hi Thiago!

    Note that there are two port settings that matter. One is the port setting on your local computer, where the ssh daemon is listening. Usually that is 22, but sometimes people move it. The other is the "virtual port" which is sent in the HTTP CONNECT request to PageKite - that can be anything.

    For example:

    # If sshd listens on port 23 instead of 22
    # SSH clients connect to foo.pagekite.me:22
    pagekite localhost:23 raw://foo.pagekite.me
    # config file: backend=raw-22:foo.pagekite.me:localhost:23:SECRET

    # If sshd listens on the standard port 22
    # SSH clients connect to foo.pagekite.me:23
    pagekite localhost:22 raw://foo.pagekite.me:23
    # config file: backend=raw-23:foo.pagekite.me:localhost:22:SECRET

    Hope this helps!
    Permalink
  7. Thiago Jung Bauermann said on 2012-02-23, 17:32
    Hello Bjarni!

    Indeed it worked now, using your examples as references. I must have screwed up somewhere.

    Thanks for your help!
    Permalink
  8. n00bboy said on 2012-10-20, 10:43
    I have my own sub domain SSH.example.com how would I set this up to use it instead of pagekite.me tried the tutorial on public front end but i must have messed up somewhere
    Permalink
  9. John Brisbin said on 2012-12-11, 21:07
    I seem to be able to login via ssh only using the public key authentication, no password option is offered.

    I see no mention of this limitation, how can I avoid it?

    I have seen this when pagekite is installed on a Linux host as well as a Mac host.
    Permalink
  10. Bob Solomon said on 2013-01-29, 23:47
    this works for me on port 22 but does not work on an alternative port. I have sshd configured and working to connect on that port. If I change 22 to my alternative port in .pagekite.rc I get:
    ssh_exchange_identification: Connection closed by remote host

    Permalink
  11. Bob Solomon said on 2013-01-30, 00:03
    Never mind. Read #6 above and got it.
    Permalink
  12. Lukas Zapletal said on 2013-01-30, 20:38
    FYI if you tried to get this working with ncat (non-OpenBSD nc), don't bother - it does not work.

    ProxyCommand /bin/nc --proxy-type http --proxy %h:443 %h %p
    Permalink
  13. zellda said on 2013-02-26, 09:27
    Simple!
    When I follow the guide and do a:
    $ pagekite.py --add 22 ssh:user.pagekite.me
    on the server, I can connect with:
    $ ssh user.pagekite.me
    from my Linux client. Nothing more necessary. No port or anything on the client to specify.

    Don't know if it is mentioned here. Couldn't gather that from the guide so I wrote it down for anybody having trouble to connect.
    Permalink
  14. Luke Timothy said on 2013-03-13, 22:10
    Can anyone help me configure cygwin SSH?
    Permalink
  15. Alan Brenner said on 2013-03-24, 14:44
    Under Mac OS 10.7, use /usr/bin/nc on the ProxyCommand line instead of /bin/nc, and it works fine.
    Permalink
  16. Rafal said on 2013-05-07, 15:57
    One other thing to check when you have trouble getting your .pagekite.rc read correctly -- the command line config overrides what's in the .pagekite.rc, so beware! Also, the command-line config seems not to accept the whole syntax of what can be done in the .pagekite.rc (e.g. I can't do "ssh-2222://foo.pagekite.me" or "raw-2222://foo.pagekite.me").
    Permalink
  17. Rafal said on 2013-05-07, 16:01
    Oh, to follow up to the last:

    ssh://foo.pagekite.me:2222

    does seem to do what I need when specified on the command line.
    Permalink
  18. Guillermo said on 2013-08-02, 16:51
    Couldnt get it work on my mac, followed the guide, checked for typos on the config file, i did:
    $ pagekite.py --add 22 ssh:user.pagekite.me
    $ pagekite.py user.pagekite.me
    >>> Hello! This is pagekite.py v0.5.6a. [CTRL+C = Stop]
    Connecting to front-end 173.230.155.164:443 ...
    - Protocols: http http2 http3 https websocket irc finger httpfinger raw
    - Protocols: minecraft
    - Ports: 79 80 443 843 2222 3000 4545 5222 5223 5269 5670 6667 8000 8080
    - Ports: 8081 9292 25565
    - Raw ports: 22 virtual
    Quota: You have 17458.23 MB, 13 days and 6 connections left.
    ~<> Flying localhost:22 as ssh://user.pagekite.me:22/ (HTTP proxied)
    << pagekite.py [flying] Kites are flying and all is well.
    $ ssh user.pagekite.me
    ssh_exchange_identification: Connection closed by remote host

    Of course i changed the user.pagekite.me with my own kite.
    Permalink
  19. Bob Solomon said on 2014-09-29, 19:36
    I have ssh/pagekit working.

    Question is how to connect with the client behind a (squid) proxy server..

    ssh to a normal host through squid is also working (with corkscrew).

    I can connect to the pagekite host from the proxy server, but can't figure out how to chain the PorxyCommand. Aslo tried tunneling with nc with no success.

    thanks,

    Bob
    Permalink
  20. Davíð James said on 2014-12-05, 07:40
    Trying to connect to my pi via ssh on adroid. I can connect locally and I'm using your version of connectbot.

    What am I doing wrong?

    Connecting to foo.pagekite.me:22 via ssh
    Connecting via proxy: foo.pagekite.me:443

    Connection Lost
    Failed to connect to HTTP Proxy.
    Permalink
  21. Sasha said on 2014-12-11, 13:09
    Hi,
    Could you explain to me where I should set up a password(and user?) for kite when I connecting via ssh?
    Can't figure out this.

    Thank you in advance !
    -----
    Sashas-MacBook-Pro:~ Swift$ ssh foo.pagekite.me
    Swift@foo.pagekite.me's password: "What is the password?"
    Permission denied, please try again.
    Permalink
  22. mathew said on 2015-07-17, 22:13
    Hi!
    SSH worked flawlessly the first time, but we restarted the system and consistently get:

    nc: Proxy error: "HTTP/1.0 503 Unavailable"
    ssh_exchange_identification: Connection closed by remote host

    the system claims to connect successfully to the front-end at 173.230.155.164:443

    We can't figure out why it won't connect. any assistance would be great!

    thanks,
    Mathew
    Permalink
  23. Michael Breidenbach said on 2021-10-05, 18:01
    If i try to connect via ConnectBot/Android to my PageKite-Freedombox journalctl -f shows:

    sshd[27863]: Unable to negotiate with 127.0.0.1 port 54484: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]

    is there any solution on the way?
    Thanks, Michael
    Permalink
  24. Ali Raza said on 2021-11-04, 14:37
    Ali Raza
    Permalink
  25. Silas said on 2021-11-26, 01:40
    How do I create open tunnel file and configure for internet pls help me
    Permalink
  26. Tobias said on 2021-11-27, 18:21
    La aplicación más facil
    Permalink
  27. Eoin said on 2023-12-31, 00:43
    I've got pagekite installed on my raspberry pi but cannot figure out how to actually connect to it using my Android phone.

    Looks like the ConnectBot solution doesn't work anymore.
    Can't install it on Android 14 (Samsung Galaxy S23) because it's built for an older version of Android.
    The patch submitted on gcode is gone, and that solution is 11 years old by now.

    Is there a way to use the mosy recent version of ConnectBot?
    Or does anyone have an alternative solution to SSH into pagekite using an Android phone?
    Permalink

Leave a comment

( (Please leave these blank: )

We use Gravatar for commenter's photos. Get your own, it's free!

Wiki

Links

Pagekite.net - main pages:

  • Home
  • Blog
  • Pricing
  • Support
  • Wiki

The Beanstalks Project ehf.

Service

Resources

Open Source

Find us on:

Contact Us

Email: