The Mysterious SSH Proxy (and the people who love them.)
Nothing raises eyebrows more than personal security. Set up your own SSH tunnel and be the curiosity on the block...
Recently the company I work for has decided that I will be traveling. They provide me with a wonderful laptop. (I have named it Lappy386 in honor of Strong Bad.) They also provide me with a wonderful VPN connection that helps protect all of our company data. (A very important thing.) But I don't necessarily want my personal email passing through the work VPN as I travel... nor do I want my passwords being sent over insecure wireless networks for any kid running Wireshark to capture and use... SSH to the rescue.
I have spent the better part of 6 hours looking around at how to set up an ssh proxy (or tunnel) to secure my communications. I have found TONS of garbage, lots of half-spoken mumbles about how some guy did it... and lots of laughter from others. The concept is very simple. The details of setup are a bit more tricky. Here is the gist of what I'm shooting for.
I want to create a SECURE TUNNEL between my laptop and a computer that I know (or in reality "think") is secure, and then make all of my connections to the internet from there, thereby protecting all of my information from prying eyes between my laptop and my "home" system. (Beyond that, my communications are only as secure as the underlying protocol I am using... so if you use telnet, your password is still sent in plain text from your "home" system to the rest of the world.)
Please understand this does not provide anonymity (every site you visit sees your "base" machine's address, and the ISP at home sees the traffic leaving it), this does not provide filtering (unless you set it up separately), this ONLY provides security between your location and your "base" (or in my case "home") computer. I primarily do this for "wireless" networks, because you never know who is listening, or why.
So, to start things off, here is what we need.
1. A "base" computer. This will be the computer we consider secure. It will need to be running an sshd server, and that server must allow TCP forwarding so the tunnel can carry your connections.
2. A "mobile" computer with some way to connect to the internet.
Setting up the "base". I assume you are running a version of Linux or BSD in this case, and that you already have an SSHD server configured. (It is a trivial setup; there are hundreds of guides on how to set up sshd servers for various platforms. Do your homework here.) You do, however, want to make sure your /etc/ssh/sshd_config file has an entry that allows TCP forwarding (in OpenSSH this is the AllowTcpForwarding directive; it defaults to yes, but a hardened config may have set it to no). This is what allows the ssh server to forward requests for other machines on your behalf.
Make sure your router/gateway is set up to forward your port (usually 22, but it can be anything) to your "base" machine, so it can accept incoming connections. (Read your router guide to figure this one out. Usually it is called "port forwarding", because you are forwarding information from your router to a computer in your network.) Once that port is open to the whole internet, password-guessing bots will find it within hours: use key-based authentication, turn password logins off in sshd_config (PasswordAuthentication no), and do not let root log in over ssh.
Have a drink you are about half way there! (Bottoms up)
Setting up your Laptop:
When you are ready to give your system a test, you will want to open a terminal and enter the following command:
ssh -C2qTfnN -D [bind_address:]port [-p remote_port] user@hostname_or_ipaddress
(ssh does not accept host:port; if the server is not on port 22, give it with -p. The -D argument is the local port to listen on, optionally prefixed with the address to bind, e.g. -D 127.0.0.1:8080.)
- -C Enable compression. This reduces bandwidth, although for "small" requests it adds latency, and most web content is already compressed so the gain is modest.
- -2 Force ssh protocol 2 only (protocol 1 was insecure). Protocol 1 was removed from OpenSSH in 7.6, so on a current client this flag is accepted but does nothing.
- -q Quiet mode (suppress most warning and diagnostic messages). Leave this off until the tunnel works, or a failed login or changed host key disappears into the background silently.
- -T Disable pseudo-tty allocation; there is no interactive shell here.
- -f Send ssh to the background once it has authenticated and set up the forward (this also implies -n).
- -n Redirect standard input (your keyboard) to /dev/null (aka nowhere).
- -N Do not execute any remote command; the connection exists only to carry forwarded traffic.
- -D Dynamic port forwarding. ssh listens on the local port as a SOCKS proxy. Each application that connects tells the proxy which host and port it wants (that is the SOCKS request), ssh carries that inside the encrypted connection, and the base machine makes the outbound connection from its end. By default the listener is bound to localhost, so other machines on the cafe wireless cannot use it; do not bind it to 0.0.0.0 unless you mean to.
Configure your applications. If you are using a system like Linux, BSD, or Mac you can configure your entire system to use the proxy, and then all traffic from applications that honor the system proxy will automatically go through it. For example I just set GNOME's system proxy to my ssh tunnel. Every application that uses GNOME's settings is now being sent via my proxy, so AOL Instant Messenger, Firefox, and the rest are using it. If you are not on a system with a system-wide proxy setting, configure each program individually to use the proxy. Either way, an application that ignores the proxy setting goes out over the wireless in the clear, exactly as before, so check each one.
You want to use SOCKS5 (not an HTTP proxy), with the host set to localhost (127.0.0.1) and the port set to the same one you used with -D in your ssh command above. Also check that the application resolves hostnames through the proxy. SOCKS5 supports that, but some clients still do their DNS lookups locally, which tells everyone on the wireless which sites you visit even though the content is tunneled. In Firefox this is the network.proxy.socks_remote_dns setting in about:config.
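As an added example (this is not code from the original post), here is a small POSIX sh script that checks both ends of the setup above: on the base, whether sshd_config permits the kind of forwarding -D needs; on the laptop, building the ssh command, confirming the SOCKS listener is on loopback only, and making one request through the proxy with the hostname resolved on the far end. The function names, the script name socks-tunnel.sh, the user alice, the host base.example.org and the sample listener lines are assumptions made for this example; the sshd directive and the curl, ss and netstat options are real.

```shell
#!/bin/sh
# Added example for this page, not code from the original post.
# Helper functions for both ends of the SOCKS tunnel described above.
# Function names, the demo host/user and the sample listener lines are
# all assumptions made for this example.

# Base side: does this sshd_config let -D work?
# OpenSSH uses the FIRST value it finds for a keyword, and the directive
# defaults to "yes" when it is absent. "local" and "all" are enough for
# -D (dynamic forwarding is a client-to-server, i.e. local, forward);
# "no" and "remote" break it.  Caveat: directives inside Match blocks
# are not understood by this simple scan.
forwarding_allowed() {
    _cfg_value=$(sed -e 's/#.*//' "$1" |
        awk 'tolower($1) == "allowtcpforwarding" { print tolower($2); exit }')
    case "${_cfg_value:-yes}" in
        yes|all|local) return 0 ;;
        *)             return 1 ;;
    esac
}

# Laptop side: build the ssh command.  Compared with the flags in the
# post: -q is omitted so a failed login or changed host key is visible,
# -2 is omitted because current OpenSSH no longer has protocol 1, the
# listener is pinned to 127.0.0.1, and ExitOnForwardFailure makes ssh
# refuse to background itself if the local port cannot be bound.
# $1 local SOCKS port, $2 user, $3 base host, $4 optional sshd port (22)
tunnel_cmd() {
    printf 'ssh -C -T -f -n -N -o ExitOnForwardFailure=yes -p %s -D 127.0.0.1:%s %s@%s' \
        "${4:-22}" "$1" "$2" "$3"
}

# Laptop side: is the SOCKS port listening on loopback only?
# stdin is the output of "ss -ltn" (Linux) or "netstat -ltn" (BSD/macOS);
# column 4 is the local address:port in both.  A listener on 0.0.0.0 or
# [::] would let anyone on the wireless ride your tunnel.
socks_bound_locally() {
    awk -v port="$1" '
        $4 ~ (":" port "$") { n++; if ($4 !~ /^(127\.|\[::1\]|::1:)/) bad++ }
        END { exit !(n > 0 && bad == 0) }'
}

# Laptop side: make one request through the proxy.  --socks5-hostname
# (not --socks5) hands the hostname to ssh so it is resolved on the base
# machine; plain --socks5 resolves it locally and leaks the lookup.
proxy_check() {
    curl -s --max-time 10 --socks5-hostname "127.0.0.1:$1" https://example.com/ >/dev/null
}

# Usage:  sh socks-tunnel.sh check /etc/ssh/sshd_config         (on the base)
#         sh socks-tunnel.sh up 8080 alice base.example.org [22]  (on the laptop)
case "${1:-}" in
    check) forwarding_allowed "$2" && echo "TCP forwarding allowed" ||
               { echo "AllowTcpForwarding blocks -D"; exit 1; } ;;
    up)    shift
           sh -c "$(tunnel_cmd "$@")" &&
               { ss -ltn 2>/dev/null || netstat -ltn; } | socks_bound_locally "$1" &&
               proxy_check "$1" && echo "SOCKS5 proxy up on 127.0.0.1:$1" ;;
esac
```

Run the check on the base before you leave home; if it reports that forwarding is blocked, the ssh command will connect fine and the SOCKS port will open, but every connection through it will be refused by the server. On the laptop, the listener check is the one people skip: an ssh invoked with -D 0.0.0.0:8080 works exactly as well for you and also for everyone else on the same wireless.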
You have set up an ssh SOCKS5 proxy. In reality the hardest part is configuring all the applications to use the proxy. It took me about 3 hrs to configure and set up, although now that I've done it, I think it would only take a little bit of time the next time. Enjoy a more secure internet?
- Tags: ssh, tunnel, proxy, SOCKS5
- Description: In the quest to have a secure internet even in the most remote places..