Skype Tunnel over SSH Howto

Herman Oosthuysen, GPL, 2011

Scope

This guide explains how to tunnel Skype over SSH to a friendly server, so that Skype-out will work properly. Pardon, this howto is a bit of a hasty jumble...

In some coutries, Skype use is discouraged in order to protect the domestic phone company. They usually do this by blocking access to the Skype web sites and by dropping every 10th Skype packet. The result is that PC-to-PC Skype works (though a little fuzzy), but Skype-out to a remote PSTN gateway fails. If you use Skype-out, the remote phone will ring, but as soon as the other party picks up, the call drops. This guide provides a solution using a SSH SOCKS Proxy.

Socks 5

SSH has a SOCKS 5 proxy built in. Using that feature, you can tunnel your web browser and Skype to a friendly server. This works fine with the Firefox browser, but Skype has a bug causing it to ignore its own proxy settings. It requires a little persuation using an iptables firewall rule to beat it into submission.

The trick is to create a special group and run Skype with that groupid, then use the group as a trigger in an iptables rule, to force the Skype packets through the proxy.

On your PC

Create group 'socksgrp' and add yourself to that group. Use your favourite user wizard or read up on addgroup and gpasswd (change joesoap):
# addgroup socksgrp
# gpasswd -a joesoap

On your Server

Configure SSH to listen on port 443, if your host country also filters port 22, in file /etc/ssh/sshd_config. Then restart sshd to make it take effect.

Socks Script

Copy the script below to your PC /usr/local/bin and use it to run Skype.

This script will connect to your remote server via ssh with -D over port 443 to start a socks proxy (change example.com and joesoap):

Note that I run the Static version of Skype installed into my home directory. Change that path if you run the normal version of Skype.

[root@athene bin]# cat /usr/local/bin/skypesocks
#! /bin/bash
# Run Skype over a Socks proxy.
# Etisalat drops about every tenth packet, which makes Skype sound gritty and buggy.
# Skype can use a Socks proxy, but it has a bug and tends to ignore the proxy setting!
# The solution is to drop all other traffic to/from Skype and force it to use the proxy.
# Configure Skype to use a Socks 5 proxy on localhost:1080
# Create a group called socksgrp and add yourself to it, then use this group in iptables
# to drop all other Skype packets on the floor.
# Skype uses about 10 kbs for voice, more for video, but it is remarkably efficient
# if all the packets are allowed to get to the other side.

echo Set up a Socks proxy Virtual Private Network to proxy.example.com on localhost:1080
/usr/bin/gksu "/usr/bin/killall ssh"
/usr/bin/ssh -fND 1080 -p 443 root@proxy.example.com

echo Only allow Skype connections to localhost by filtering on the socksgrp
/usr/bin/gksu "/sbin/iptables -F"
/usr/bin/gksu "/sbin/iptables -A OUTPUT -d 127.0.0.1 -m owner --gid-owner socksgrp -j ACCEPT"
/usr/bin/gksu "/sbin/iptables -A OUTPUT ! -d 127.0.0.1 -m owner --gid-owner socksgrp -j REJECT"

echo Spawn Skype as group socksgrp, to allow the above rules to filter it
sg socksgrp /home/joesoap/skype/skype_static-2.1.0.81/skype

echo Et Voila!

Configure Skype

Run Skype on your PC and change the Options to
Proxy: SOCKS
Host: localhost
Port: 1080

Now run the script to set up the tunnel and off you go automagically.

Chromium Browser Over a Socks Proxy

To be safe, you also need to browse over the tunnel. Here is the trick for the popular Chromium browser:
$ chromium-browser --proxy_server="socks5://localhost:1080"

Chromium is simply the Linux KDE Konqueror browser with a Google theme applied, so when all else fails, read the Konqueror help pages.

Have fun!
Herman