SSH tunnel for secure web browsing

From ComputingPlugs


The best service the Sheeva Plug provides is access to a trusted computer that's always on. With it, you can browse the internet securely from anywhere, even over an open access point. An SSH tunnel creates an encrypted channel between your computer and the Sheeva Plug, so communication between the two devices is protected from anyone watching the network in between. Once the SSH tunnel is established, you can forward your web traffic (or any traffic, really) over it.

Here are some examples where this feature comes in handy:

  • Secure browsing over an open network where an intruder can sniff all incoming and outgoing traffic. Since all traffic goes over an encrypted SSH tunnel, any packets captured by the intruder will be unreadable ciphertext.
  • Hide web access from nosy sysadmins. Tunneled traffic shows up as SSH traffic instead of web traffic, so a packet analyzer sees only an SSH session and cannot tell what web traffic is inside it.
  • Break out of proxies that censor certain sites.

All of this, of course, depends on a working SSH session to the Sheeva Plug, so the first thing to do is check that you are able to SSH to the Sheeva Plug. If you cannot, stop and fix that first.


Why not use OpenVPN instead?

It is possible to accomplish the same thing with OpenVPN instead of an SSH tunnel, and for some it may be the better choice. For the simple purpose of creating a secure browsing environment, however, OpenVPN is overkill. If you need your computer to join your private network as if it were there locally, then OpenVPN would be a good choice.

Create the SSH tunnel

To create an SSH tunnel from your computer to the Sheeva Plug, type the following on your computer:

ssh -D localhost:12000 user@ipaddress

If your SSH port is non-standard (i.e., not 22), type:

ssh -p port -D localhost:12000 user@ipaddress

Your computer should prompt for your password; type it in and you will be logged into the Sheeva Plug like any other SSH session, except that you have now also created a tunnel on port 12000 on your computer (localhost). The -D option makes ssh listen on that port as a SOCKS proxy: anything a program sends to localhost:12000 travels through the encrypted session and leaves the network from the Sheeva Plug.

Set up Firefox to use the SSH tunnel

[Screenshot: Firefox connection settings]

To set up Firefox so it uses the SSH tunnel, go to:

Edit -> Preferences -> Advanced -> Network -> Settings

You should now be at the Connection Settings screen. Select Manual proxy configuration, type localhost into SOCKS Host: and 12000 into Port:, and make sure that SOCKS v5 is selected. Hit OK and Firefox should now send its web traffic through the SSH tunnel instead of directly over the standard port 80. To be sure of that, use tcpdump or Wireshark and sniff the traffic from your computer. You can use the following command:

sudo tcpdump -i eth0 port 80

to dump any traffic that goes over port 80. Then browse a few websites and check that tcpdump shows no packets. You can then sniff port 22 with tcpdump to see all your web traffic going over that port instead.

Set up Firefox to send DNS queries over the SSH tunnel

By default, Firefox sends DNS queries to the normal DNS servers specified in /etc/resolv.conf. Normally this is fine because no sensitive data is transmitted in the DNS query. However, an open DNS query means that while an eavesdropper cannot see the content of your traffic, they still know which sites you are visiting. In addition, the DNS query could be tampered with and a phishing site's IP address returned instead of the real one. So it is best to send the DNS query over the same SSH tunnel.

To do that in Firefox, type:

about:config

in the address bar. Firefox will then open its internal configuration page. Find the entry network.proxy.socks_remote_dns and double-click it to set the value to true. After that, all of Firefox's DNS queries go over the SSH tunnel. You can verify this with tcpdump by looking for traffic on port 53; there should be none from Firefox. Remember that only Firefox uses the SSH tunnel; any other program will continue to use the default servers for its DNS queries.
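As a way to automate the two tcpdump checks above (no port 80 traffic once the proxy is set, and no port 53 traffic once socks_remote_dns is enabled), here is an added Python example that is not part of the original page. It classifies tcpdump -n lines as tunneled, leaked web, or leaked DNS; the capture lines, the laptop address 192.168.1.10 and the plug address 203.0.113.5 are constructed placeholders.

```python
import re
from collections import Counter

# Constructed tcpdump output (not a real capture), as produced by:
#   sudo tcpdump -i eth0 -n 'port 80 or port 443 or port 53 or port 22'
# Placeholders: 192.168.1.10 is this laptop, 203.0.113.5 is the Sheeva Plug.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.22: Flags [P.], seq 1:101, ack 1, length 100
12:00:02.000002 IP 192.168.1.10.51235 > 198.51.100.7.80: Flags [S], seq 0, win 64240, length 0
12:00:03.000003 IP 192.168.1.10.49152 > 192.168.1.1.53: 12345+ A? example.com. (29)
12:00:04.000004 IP 203.0.113.5.22 > 192.168.1.10.51234: Flags [P.], seq 1:201, ack 101, length 200
12:00:05.000005 IP 192.168.1.10.51236 > 198.51.100.9.443: Flags [S], seq 0, win 64240, length 0
"""

# Matches the "IP src.port > dst.port:" part of a tcpdump -n line (IPv4 only).
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def classify(line, my_ip, plug_ip, ssh_port=22):
    """Classify one tcpdump -n line; None if it is not an IPv4 packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    if src != my_ip:
        return "inbound"   # replies; only outbound packets reveal leaks
    if dst == plug_ip and dport == ssh_port:
        return "tunnel"    # expected: traffic wrapped in the SSH session
    if dport in (80, 443):
        return "leak-web"  # browser bypassed the SOCKS proxy
    if dport == 53:
        return "leak-dns"  # resolver used directly; socks_remote_dns not set
    return "other"

def leak_report(capture, my_ip, plug_ip, ssh_port=22):
    """Count each category over a whole capture."""
    counts = Counter()
    for line in capture.splitlines():
        kind = classify(line, my_ip, plug_ip, ssh_port)
        if kind:
            counts[kind] += 1
    return counts

def tunnel_is_clean(capture, my_ip, plug_ip, ssh_port=22):
    """True when no outbound web or DNS packet escaped the tunnel."""
    counts = leak_report(capture, my_ip, plug_ip, ssh_port)
    return counts["leak-web"] == 0 and counts["leak-dns"] == 0
```

Feed it a real capture with `leak_report(open("capture.txt").read(), my_ip, plug_ip)`; the sample above is deliberately leaky, so tunnel_is_clean returns False for it.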

Make life easy with FoxyProxy

I use a Firefox add-on called FoxyProxy that makes using a proxy easier. Once installed, the FoxyProxy icon sits on the status bar and allows you to quickly switch between different proxy settings or none at all. It helps in an environment where only some of the traffic needs to go over the proxy and the rest does not, for example accessing the internet (proxy) vs. accessing local servers (no proxy). The FoxyProxy setup is very straightforward. Just remember that the FoxyProxy settings override what is set in Firefox, so be sure to check the Use SOCKS proxy for DNS lookups option under the Global Settings tab in the FoxyProxy options page. Otherwise DNS queries will use the default servers instead of the SSH tunnel. Also make sure that you select SOCKS v5 instead of SOCKS v4/4a in the Proxy Settings.

Keep the tunnel alive with autossh

Once you start using the tunnel you may notice that it drops every so often. There are many reasons why this happens, but the bottom line is that it would be nice if your computer reconnected automatically after the drop. I use a program called autossh, available in the Ubuntu repository, for this task. Once installed, all you need to do is type:

autossh -M 20000 -D localhost:12000 user@ipaddress

That creates an SSH tunnel to user@ipaddress on local port 12000. In addition, autossh uses local ports 20000 and 20001 (the -M option) to monitor the health of the SSH tunnel. If the tunnel fails, autossh reconnects using the same settings. Obviously, for it to do that you'll need to enable SSH automatic login (key-based authentication) so that it doesn't request a password when autossh tries to reconnect.


Secure messaging with Pidgin

Pidgin is a messaging client that works with a number of popular messaging services. You can make Pidgin communicate over the secure SSH tunnel by going to:

Tools -> Preferences -> Network -> Configure Proxy

and typing your tunnel information (localhost, port 12000, SOCKS 5) into the Socks host: field. After that, restart Pidgin and it will use the SSH tunnel for all its communication.
