Evading Firewalls With OnionCat

You operate your own server running some web services, a mail submission service, an IMAP service, of course ssh for maintenance and several other services? But unfortunately you cannot reach any ports except 80 and 443 as soon as you are somewhere in a public Wifi because of firewall restrictions? Then OnionCat is your friend 🙂

This article explains how to evade a firewall to access your own services in the Internet.

Public Wifis typically have at least port 80 and 443 open otherwise they would be useless. And this is actually a requirement for this setup.

Kmail Sample Config.

Kmail Sample Config.

Let’s assume that you run your own server (my.server.org) somewhere in the Internet running IMAP on tcp port 143 and a mail submission service on tcp port 587. On your notebook you have your favorite email client which is already configured to access these services directly (on my.server.org).

Now you are somewhere connected to a public Wifi but unfortunately you neither can check nor send mails because 143 and 587 are closed.

The Setup

On your server (my.server.org) setup Tor and OnionCat as well as on your notebook. As a result your server1 has an OnionCat IPv6 address on the tunnel device. The address is something like fd87:d87e:eb43:1234:5678:9abc:def0:1234.

You are now already able to access your server from your client, e.g. with ssh.

winnie:~% ssh fd87:d87e:eb43:xxxx:xxxx:xxxx:xxxx:xxxx
X11 forwarding request failed on channel 0
Last login: Tue Dec 15 09:12:05 2015 from forzand
FreeBSD 10.1-RELEASE-p   (GENERIC) #0: Mon Nov  2 12:17:28 UTC 2015

Welcome to FreeBSD!


Now make an entry into your /etc/hosts file as shown below. With this you don’t have to reconfigure your email client (and other clients accessing your server at its hostname). The system automatically looks up the hostname within the hosts file before it makes a DNS lookup.

fd87:d87e:eb43:1234:5678:9abc:def0:1234 my.server.org

That’s all. It will be a little bit slower as usual but nevertheless you can access your services 🙂

  1. Of course, your notebook also has an IPv6 address on its tunnel device but this is not really relevant within this context.


1 ping

Skip to comment form

  1. On your notebook you have your favorite email client which is configured to access these services directly (on my. Where is this information?

  2. I mean that your email client is already configured, i.e. it works in an open network. I added a config screenshot of Kmail to the article.

  3. I don’t get it. If you are using a public network, which only permits the ports 443 and 80.. why should it be possible to access your external web services and configure OnionCat, which uses the Tor network (and its specific non-443/80 ports)?

    I assume that the connection to the Tor network will be blocked. Therefore, no connection to your external services

    1. Nevermind, brain afk.

    2. Of course, OnionCat works only if Tor has network access. But typically ports 80 and 443 are open, thus, Tor usually works as well. This is because there are enough entry nodes run by intention on ports 80 and 443.

    • Anonymous on February 13, 2018 at 2:37 am
    • Reply

    What if I only want to expose certain services to the onioncat tunnel? E.g. If I have a HTTPS service running on the server, the certificate will identify my server via the tunnel!
    What if I only wanted to expose SSH via the tunnel (and *only* the tunnel), for example?

    1. Yes, you have to install a firewall.
      OnionCat connects through a TUN/TAP device to the kernel. This is like a regular Ethernet device but just virtual. Hence, all rules of security apply as they do for regular network interfaces.

    • Anonymous on February 13, 2018 at 12:22 pm
    • Reply

    Presumably you need to configure a IPv6 firewall to expose only the services you want to be accessible via the OC tunnel? Shorewall6 might help.

  1. […] the case. I use Onioncat on my server at home just to be able to connect to it from everywhere (see Evading Firewalls). […]

Leave a Reply

Your email address will not be published.