How To: Surf Securely with an SSH Tunnel

May 16, 2008

By the time most people read this post I will have stayed in three different hotels in New York, New Jersey and Maryland while trekking along with Challenge X teams for their final competition. That means I have had a chance to glance through several terms of service agreements for various hotel internet connections. They usually include some clause stating that they retain the right to monitor your online activities and so on – Orwellian Big Brother stuff. The same generally goes for places that have free or for-pay Internet connections. With unsecured Wi-Fi connections, though, the bigger issue is other users on the same network capturing your unencrypted traffic with a network analyzer like Wireshark.

If you’re paranoid about those types of privacy and security issues and you happen to have access to a server with SSH, you can send your Internet data through your server in an encrypted tunnel. Keep in mind what that buys you: everything between your laptop and the server is encrypted, so nobody on the hotel network can read or tamper with it, but traffic leaves the server exactly as your browser sent it. Plain HTTP is still readable from the server’s network onward, so you are trusting the server (and whoever runs its network) instead of the hotel. SSH tunnels are nothing new and there are many ways of setting them up, even standalone applications that can do it for you. You can even set up specific tunnels for different ports, such as for securing your email. For now, I’m just going to deal with securing HTTP traffic.

Tools

I’m doing this on my Mac, but you essentially just need terminal access. (However, configuring your browser to work with the SSH tunnel will vary.) If you’re on Windows, there is always PuTTY.

Fire up a terminal session and enter in the long SSH command below. Naturally, change out the username and domain info for the server you’re using.
ssh -D 8080 -f -C -q -N myuser@myserver.com

If you want to find out the specifics of those flags, the ssh man page gives a good rundown. In short: -D 8080 makes ssh listen on local port 8080 as a SOCKS proxy (a “dynamic” forward), -N tells it not to run a remote command, -f sends it to the background once you have authenticated, -C compresses the tunnel and -q silences warnings. The 8080 is only the port your browser talks to on your own machine; it has nothing to do with port 80 on the sites you visit, which the server still connects to on your behalf. Any free port above 1024 works, but 8080 is the HTTP alternate port registered with the IANA (interesting link nonetheless). By default ssh binds that listener to the loopback interface only, so other people on the hotel network cannot route their traffic through your tunnel.

Config

If prompted for a password, enter it. If ssh instead warns that the host’s authenticity can’t be established, don’t just type yes: compare the fingerprint it shows with one you recorded on a network you trust, because an untrusted network is exactly where someone could stand in for your server. Once ssh returns to the prompt, the tunnel is active, barring any errors. Now you just need to get your browser to use it. For Safari this is a very simple process. Head over to System Preferences » Network » Advanced » Proxies. Tick the checkbox next to SOCKS Proxy, enter “localhost” with port 8080 for the server, click OK, then Apply.

Configuring SOCKS Proxy in OS X Leopard

The changes should be automatic in Safari. You can check by visiting a site like What’s My IP. You’re good to go if it displays the IP address of your server, not your computer. Also check that name lookups go through the tunnel: a SOCKS proxy only hides where you are browsing if the browser hands hostnames to the proxy instead of resolving them locally. Run a packet capture on your Wi-Fi interface while you browse; if you still see DNS queries (UDP port 53) for the sites you visit, the names are leaking onto the hotel network even though the page contents are not.
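As an added example that is not part of the original post, the script below does the whole procedure from Python rather than by hand: it builds the ssh -D command line (with two real OpenSSH options added to the post’s one-liner, ExitOnForwardFailure and StrictHostKeyChecking), waits for the local SOCKS listener, then speaks SOCKS5 itself to fetch a page through the tunnel. The SOCKS5 part shows why remote DNS matters: the hostname is sent inside the CONNECT request (address type 0x03) so the server resolves it, and resolve_locally=True reproduces the leaky variant where the name is looked up on the untrusted network first. The user/host placeholders, the choice of ifconfig.me/ip as an address-echo service and Python 3.8+ are assumptions.

```python
"""Start an `ssh -D` SOCKS tunnel and verify it end to end (added example)."""
import socket
import struct
import subprocess
import sys
import time

SOCKS_PORT = 8080            # local SOCKS listener, as in the post
IP_ECHO = ("ifconfig.me", "/ip")   # assumed: any HTTP service that echoes the source address

# SOCKS5 reply codes (RFC 1928, section 6)
REPLY_CODES = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def ssh_tunnel_command(user, host, socks_port=SOCKS_PORT, ssh_port=22):
    """Return the argv for a background dynamic (SOCKS) forward.

    ExitOnForwardFailure makes ssh exit non-zero if the local port is already
    taken (otherwise it backgrounds itself with no listener and the browser
    fails open).  StrictHostKeyChecking=yes refuses an unknown or changed host
    key instead of prompting; seed ~/.ssh/known_hosts from a trusted network.
    """
    return [
        "ssh",
        "-D", f"127.0.0.1:{socks_port}",   # listener bound to loopback only
        "-f", "-C", "-q", "-N",            # background, compress, quiet, no remote command
        "-p", str(ssh_port),
        "-o", "ExitOnForwardFailure=yes",
        "-o", "StrictHostKeyChecking=yes",
        f"{user}@{host}",
    ]


def socks5_connect_request(host, port, resolve_locally=False):
    """Build a SOCKS5 CONNECT request (VER=5, CMD=1, RSV=0, ATYP, ADDR, PORT).

    resolve_locally=False sends the hostname (ATYP 0x03) so the SSH server
    resolves it.  resolve_locally=True is the leaky behaviour of a browser
    without remote DNS: the name is resolved here and only the IPv4 address
    (ATYP 0x01) reaches the proxy, so the lookup crosses the untrusted network.
    """
    if resolve_locally:
        addr = b"\x01" + socket.inet_aton(socket.gethostbyname(host))
    else:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_socks5_reply(data):
    """Return (reply_code, (bound_address, bound_port)) from a SOCKS5 reply."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == 1:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 3:
        n = data[4]
        addr, rest = data[5:5 + n].decode("ascii", "replace"), data[5 + n:]
    elif atyp == 4:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    return code, (addr, struct.unpack("!H", rest[:2])[0])


def http_get_via_socks(host, path="/", port=80, socks_port=SOCKS_PORT, timeout=15):
    """Fetch http://host/path through the local SOCKS listener; return the raw reply."""
    with socket.create_connection(("127.0.0.1", socks_port), timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                      # greeting: one method, no auth
        if s.recv(2) != b"\x05\x00":
            raise ConnectionError("proxy rejected no-auth SOCKS5")
        s.sendall(socks5_connect_request(host, port))   # hostname goes to the server
        code, _bound = parse_socks5_reply(s.recv(512))
        if code != 0:
            raise ConnectionError(REPLY_CODES.get(code, f"reply code {code}"))
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


def start_tunnel(user, host, socks_port=SOCKS_PORT, ssh_port=22, wait=10):
    """Run ssh in the background and block until the SOCKS port accepts connections."""
    subprocess.run(ssh_tunnel_command(user, host, socks_port, ssh_port), check=True)
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        try:
            socket.create_connection(("127.0.0.1", socks_port), timeout=1).close()
            return
        except OSError:
            time.sleep(0.5)
    raise TimeoutError(f"no SOCKS listener on 127.0.0.1:{socks_port}")


if __name__ == "__main__":
    # usage: python socks_tunnel.py myuser myserver.com [ssh_port]
    ssh_port = int(sys.argv[3]) if len(sys.argv) > 3 else 22
    start_tunnel(sys.argv[1], sys.argv[2], ssh_port=ssh_port)
    reply = http_get_via_socks(*IP_ECHO)
    print(reply.split("\r\n", 1)[0])               # HTTP status line
    print(reply.rsplit("\r\n\r\n", 1)[-1].strip())  # should be the server's address
```

If the printed address is your laptop’s rather than the server’s, the browser-side check in the post would fail the same way; if ssh exits non-zero before the listener appears, something else already owns port 8080 or the host key did not match.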

How often do you use networks you don’t trust? How do you deal with them?

28 comments … read them below or add one

  1. Timothy Andrew says:

    Okay, just to clarify. The -D 8080 forwards local port 8080 to port 8080 on your remote server, right?

    So localhost:8080 would be forwarded to remoteserver:8080?

  2. AJZ says:

    Timothy,

    The -D option is a dynamic forward, which means ssh acts as a SOCKS proxy and takes things directed at localhost:8080 and forwards them through to the server, where the ssh server will make and handle the request and return it to your machine.

    If you want to forward just a single local port to the remote server, you would use “-L localport:127.0.0.1:serverport”.

  3. Michele says:

    Sounds great! Never thought of this…thanks for sharing… :)

  4. Jim Whimpey says:

    I’d never considered trying this before because I thought it’d be too difficult and may not work anyway. I’m in Australia and now I’m using it to watch Hulu videos which is amazing but even better I can watch NHL games live on Yahoo Live Sports and CBC online. This has completely changed my world! Thank you thank you thank you!

  5. Ben Mitchell says:

    On Mac OS X, network location support is handy for streamlining the SOCKS configuration process. I typically set up a network location for SSH forwarding that has proxy port information configured, that way switching to it is a breeze.

    In System Preferences » Network, select “Edit Locations…” from the location dropdown at the top of the preference pane. Add a new location with whatever name you please, click “Done,” and then select the new location. From there, follow Stammy’s instructions.

    Once you have multiple network locations configured, a new Apple Menu submenu appears listing them. Just select the location you want from there. For Quicksilver and LaunchBar users, they can also be used to change network locations.

    The only applications I’ve run into that don’t obey Mac OS X’s built-in proxy settings are Mozilla applications and Unix ports (most anything installed from Fink or MacPorts, for instance). These have to be configured manually, regardless of whether you’re using a separate network location or not.

  6. Dean says:

    cue nosebleed.

  7. Here is an article I wrote explaining how to do this with Portable Apps (Also Windows). http://www.blakebrannon.com/2007/07/22/securely-surf-the-internet-on-a-remote-network-via-ssh/

  8. Mark Nichols says:

    Douglas Bowman published an excellent guide to using ssh to secure email transmitted over a wireless connection. I’ve been using his method for the past three years without fail and without any issues.

    http://www.stopdesign.com/log/2005/02/07/secure-email.html

  9. Bill O'Neill says:

    I’ve been using ssh tunnels to a squid http proxy I run at home. Then using http://foxyproxy.mozdev.org/ I can selectively pick what content I want run through there.

  10. Nice post, Paul! Are you using it with MediaTemple?

  11. Ben K. says:

    I’m using Firefox to do this, but make sure that Safari or whatever browser you’re using can use your remote SSH server as remote DNS. If you don’t, then whoever is monitoring your connection will know exactly where you are browsing based on the local DNS requests. I thought I was completely safe until I fired up Ethereal and saw my DNS requests going to the local server.

    For Firefox:

    1. Browse to “about:config”
    2. Type “dns” in the filter field
    3. Look for “network.proxy.socks_remote_dns” and set the value to “true”
    4. Restart Firefox just to be safe and surf away!

  12. Dean says:

    Hey, Paul, I think your site had some downtime earlier. Well, it could’ve been my connection, but…

  13. I do this all the time, though for different reasons. For some reason, my university blocks outgoing SMTP, so I just tunnel through with SSH. It works pretty well.

  14. Steve says:

    Great resource. After fumbling with free SOCKS this works great. For some reason ftp would stall to my MT server, something the MT techs could never fix nor really work out why it would be happening.

    After trying this, Transmit is no longer stalling.

  15. peter says:

    You may also test privacy of internal IP address this way:

    open -a Safari http://www.auditmypc.com/software_audit.asp

    ( http://codesnippets.joyent.com/posts/show/1326 )

  16. Thomas says:

    Hi, please note that this is not completely secure. Check http://www.auditmypc.com/anonymous-surfing.asp, which will still be able to see your true IP number. If I understand this correctly, one can only be safe if one disables all Javascript/Java ability and thus loses the respective functionality. With those enabled, however, scripts telling a true identity can be run on your local computer. Beware.

    Thanks for this information anyway, because in many cases this is enough to get access to local systems etc.

    All the best,

    Thomas

  17. Thomas says:

    Hi, sorry, I found a mistake in my setup; now it seems to work. The checking routines of the website provided in my previous message are happy now. Sorry to have bothered you unfoundedly, but maybe that address is useful. Thomas

  18. Tim Fletcher says:

    This is simply awesome. Now I can actually make use of the 99.5% unused bandwidth my server has each month and finally use Pandora/Hulu/Netflix etc!

    Just a note that if you’ve changed the SSH port (for security reasons), you’ll need to add that in, like this:

    ssh -D 8080 -f -C -q -N -p XXXXX myuser@myserver.com

  19. John Smith says:

    Does this last until you restart your mac?

  20. Randy says:

    Has anyone done this on a PC with Putty via MediaTemple and Firefox?

  21. Randy, yes, me

  22. Randy says:

    Daniel… Figured it out. Man its sweet to be able to do this from…work. ;)

  23. esck says:

    is this something that could be against our host ToS?

    I’ve been using this trick and proxifier to access US restricted sites like hulu.

    :)

  24. Steve says:

    It also might be useful for OSX users to set up a shell alias to save you having to type out the terminal command every time. Check out here for a good howto: http://hayne.net/MacDev/Notes/unixFAQ.html#shellAliases

  25. Your tips just worked like a charm. Thanks! I set the dynamic port in tunnels, and then logged via SSH as usual. No need to enter such command as
    ssh -D 8080 -f -C -q -N myuser@myserver.com

  26. bands says:

    You can use SSH Tunnel Easy to do it; it only takes 1 minute. Get it from Google.

  27. John says:

    Hi,

    I am trying to learn about setting up an SSL tunnel so that I can browse the internet securely when using public wifi. I currently use Hot spot VPN but not sure how secure it really is. My question is reference this line:

    Fire up a terminal session and enter in the long SSH command below. Naturally, change out the username and domain info for the server you’re using.

    How do I find out my username and domain info, and will this change from wifi to wifi?

    Thanks
    John

7 Trackbacks

  1. [...] traveling and became somewhat paranoid about the Internet connections I found at various hotels. I began using SSH tunnels to protect my web traffic when using Internet connections I did not trust. While setting up an SSH tunnel is a fairly trivial [...]

  2. [...] I’ll be interested to see what sorts of creative nose-thumbing press folks in Beijing will engage in. For folks heading to Beijing, BoingBoing has a lovely list of possible circumvention strategies, a few of which will work on the Great Firewall. CitizenLab’s guide to Circumvention is probably the best single resource on the topic – it’s available as a PDF. To offer a very quick piece of advice – if you work for a news organization that has even a minimum of tech resources you want to either set up an instance of Psiphon or learn how to tunnel your net connections via a SSH connection. [...]

  4. [...] my web hosts (DreamHost) would allow this, but it didn’t work out when I tried it according Paul Stamatiou’s directions. So, right now, I won’t mind paying a $5 monthly fee for an service that supports [...]

  5. [...] like a final version would be in the $200+ dollar range. Some might like to stick to a cheaper SSH tunnel route as I often use when traveling and using untrusted networks, especially since I can’t [...]

  6. [...] that’s what I concluded after so many hours of googling. Then I found this super awesome article. We can use Putty! Or just plain ol’ Terminal on a Mac (Linux should be the same I [...]

  7. [...] in. I have previously discussed a few ways of solving this issue through the use of SSH tunnels (manually-created and application managed). I have also discussed things like “anonymous” web browsing [...]