X2Go on a Plane! - x2go-project

30 Sep 2019


      Hi List,
Our "X2Go: The Gathering 2019" participant Martti Pitkanen tried
something out that I sadly couldn't try on my last flight with Finnair,
due to some technical difficulties with the satellite uplink:
Starting an X2Go Desktop Session with a server on the ground while in
mid-flight!
And he even managed to record a video of it!
Watch this: <https://www.youtube.com/watch?v=TlqVS60DNgQ&feature=youtu.be>
The really impressive feat is that Martti is using the "browsing"
internet package Finnair offers - which is marketed as "only good for
Web browsing and E-Mail", rather than the more expensive "streaming"
package.
Finnair says they block streaming and VPN access on the "browsing"
package, but - SSH works, and thus X2Go works as well.  As you can see
in Martti's video, the speed with which the screen gets updated is
totally okay, too (especially considering that he is using Chrome
Browser in the remote session, which isn't exactly fast over X2Go, even
on a wired connection).
This is a big advantage for Linux and X2Go compared to an RDP connection
to a Windows machine - we don't need a separate VPN connection to make
things safe (we can simply use 2FA via PAM, or an SSH keyfile +
passphrase), so we're - allow me the pun - flying under Finnair's radar
for VPN connections, and the small internet package is sufficient for X2Go.
By the way, should Finnair choose to block SSH in the future, there are
probably some ways around that as well.
The easiest one is to switch the SSH port from 22 to 443 - if they're
only blacklisting/whitelisting ports. 443 is https, and cheap
firewall/proxy settings usually allow direct connections to that port
without further inspection or MitM-proxying.
The more complicated one would be running a web proxy on your remote
machine that listens to outside connections on Port 443, but only allows
CONNECT type requests to localhost on port 22 (and blocks everything
else).  Then you'd set up X2GoClient to use that web proxy in the
session configuration.  That way, the traffic should look like
http/https traffic to any packet-inspecting firewall.
Kind Regards,
Stefan Baur
--
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243