Evading Firewalls With OnionCat

You operate your own server running some web services, a mail submission service, an IMAP service, of course ssh for maintenance and several other services? But unfortunately you cannot reach any ports except 80 and 443 as soon as you are somewhere in a public Wifi because of firewall restrictions? Then OnionCat is your friend 🙂

This article explains how to evade a firewall to access your own services on the Internet.

Public Wifis typically have at least ports 80 and 443 open; otherwise they would be useless. This is actually a requirement for this setup.

Kmail Sample Config.

Let’s assume that you run your own server (my.server.org) somewhere on the Internet running IMAP on TCP port 143 and a mail submission service on TCP port 587. On your notebook you have your favorite email client which is already configured to access these services directly (on my.server.org).

Now you are somewhere connected to a public Wifi but unfortunately you can neither check nor send mail because ports 143 and 587 are closed.

The Setup

Set up Tor and OnionCat on your server (my.server.org) as well as on your notebook. As a result your server [1] has an OnionCat IPv6 address on the tunnel device. The address is something like fd87:d87e:eb43:1234:5678:9abc:def0:1234.

You are now already able to access your server from your client, e.g. with ssh.

winnie:~% ssh fd87:d87e:eb43:xxxx:xxxx:xxxx:xxxx:xxxx
X11 forwarding request failed on channel 0
Last login: Tue Dec 15 09:12:05 2015 from forzand
FreeBSD 10.1-RELEASE-p   (GENERIC) #0: Mon Nov  2 12:17:28 UTC 2015

Welcome to FreeBSD!


Now add an entry to your /etc/hosts file as shown below. With this you don’t have to reconfigure your email client (or other clients accessing your server by its hostname). The system automatically looks up the hostname in the hosts file before it makes a DNS lookup.

fd87:d87e:eb43:1234:5678:9abc:def0:1234 my.server.org

That’s all. It will be a little bit slower than usual but nevertheless you can access your services 🙂
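A check for the /etc/hosts step above, as an added example that is not part of the original article: it parses a hosts file and reports when my.server.org has no entry, or also maps to an address outside OnionCat's fd87:d87e:eb43::/48 prefix, in which case the client may still try the direct route and hit the closed ports. The function names and the sample file content are constructed for illustration.

```python
import ipaddress

# OnionCat's IPv6 prefix; the addresses shown in the article fall inside it.
ONIONCAT_NET = ipaddress.ip_network("fd87:d87e:eb43::/48")

def parse_hosts(text):
    """Yield (line_no, address, names) for every usable hosts-file line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address, skip it
        yield line_no, addr, [name.lower() for name in fields[1:]]

def check_host(text, hostname):
    """Return a list of findings; an empty list means the mapping is clean."""
    hostname = hostname.lower()
    entries = [(n, a) for n, a, names in parse_hosts(text) if hostname in names]
    if not entries:
        return ["no entry for %s: clients fall back to DNS" % hostname]
    return ["line %d: %s maps to %s, outside the OnionCat prefix" % (n, hostname, a)
            for n, a in entries if a not in ONIONCAT_NET]

# Constructed sample input: a stale direct entry next to the OnionCat one.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
203.0.113.10 my.server.org   # leftover direct entry (constructed)
fd87:d87e:eb43:1234:5678:9abc:def0:1234 my.server.org
"""

if __name__ == "__main__":
    import sys
    # Pass a hosts file path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for finding in check_host(text, "my.server.org") or ["ok"]:
        print(finding)
```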

  1. Of course, your notebook also has an IPv6 address on its tunnel device but this is not really relevant within this context.