Wednesday, 2 December 2015

How to Tunnel Web Traffic with SSH Secure Shell

If you are a Linux or UNIX user, you probably use SSH (Secure Shell) to access the command line on your machines remotely. In addition to providing secure access to shell accounts, SSH can also securely transport other kinds of web traffic as well. In a sense, it can provide you with a quick and easy VPN (Virtual Private Network) into the remote network where your SSH server resides.

First of all, you will of course need an SSH server running somewhere. Linux and OS X come with SSH servers, but there are also SSH servers available for Windows. freeSSHd is a nice free SSH server for Windows. It is a quick and easy installation and relatively easy to configure as well. You will of course need administrator privileges on the machine you install it onto.

Since you will be accessing your SSH server remotely, if it is behind a firewall or router you will have to make sure that port 22 (the default SSH port) is properly forwarded to it. Most routers have the ability to forward ports to individual machines on the local network. You’ll have to refer to the instructions for your router/firewall on how to do this.

Once you have your SSH server configured so that you can connect to it from any Internet connection, you’ll of course need a client to connect to it. Linux and OS X both have SSH clients built-in.  If you’re on Windows, the client of choice is PuTTY. I will provide instructions on tunneling with PuTTY, but you can certainly use other clients as well.

First, specify the address of your SSH server in the Session section. Select SSH for the Connection type and enter 22 for the Port (or whatever external internet port you are using to connect to your SSH server).

Next, go to Connection > SSH > Tunnels. There are three types of tunnels you can set up:

  • Dynamic – This acts as a SOCKS proxy that can be used to tunnel traffic through the network where the SSH server resides.  You can then configure applications that support SOCKS proxies (such as a web browser) to take advantage of it. I’ll demonstrate how to set up Firefox to work through a dynamic tunnel.
  • Local – A local tunnel will allow you to connect to the specified port on a machine residing on the same network as the SSH server.  One useful example that I will show you is how to connect to a Windows computer running Remote Desktop.
  • Remote – As the name somewhat implies, this is the reverse of a local tunnel.  You are probably less likely to use this, but it would allow machines on the SSH server network to access a machine and port on the network where your SSH client resides.  I won’t go through any examples on setting up a remote port in this article.

So in the example I’m going to provide, we will say the home network has two computers. One is a Linux box running the SSH server and the other is a Windows box with Remote Desktop enabled. We want to set up two tunnels: a dynamic tunnel and a local tunnel to connect to the Windows machine via Remote desktop.

Let’s first set up a dynamic tunnel for port 1080. The port you use for a dynamic tunnel is actually arbitrary, but since port 1080 is often used for SOCKS proxies that’s what we’ll use. Type 1080 in the Source port field, select Dynamic as the port type, and then click the Add button.

Next, let’s set up the local tunnel for the computer on the network running Windows Remote Desktop.  Let’s say the local IP addresses on the LAN where the SSH server resides are addresses.  The Windows machine has a local IP of Enter 3390 for the Source port, for the Destination, select Local for the port type, and then click the Add button. You’ll see later why I’ve configured the source port to be different than the destination.

Once you have everything configured for the connection, go back to the Session section and save your connection. Then click Open and log into your Linux box with your credentials as you normally would.
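For the built-in clients on Linux and OS X mentioned above, the same two tunnels map onto OpenSSH's -D (Dynamic) and -L (Local) options. The following is an added example, not part of the original post; the server name, login and the 192.168.1.20 address are constructed placeholders.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: substitute your own server, login and LAN address.
SSH_SERVER = "ssh.example.com"    # hypothetical public address of the SSH server
SSH_USER = "alice"                # hypothetical login name
WINDOWS_LAN_IP = "192.168.1.20"   # hypothetical LAN address of the Remote Desktop box


@dataclass(frozen=True)
class Tunnel:
    """One row of PuTTY's Tunnels panel."""
    source_port: int                    # "Source port": local listener on the client
    dest_host: Optional[str] = None     # "Destination" host; None means Dynamic
    dest_port: Optional[int] = None


def build_ssh_argv(tunnels, user=SSH_USER, server=SSH_SERVER, port=22):
    """Translate the tunnel rows into an OpenSSH argument list.

    -D localhost:<src>              PuTTY "Dynamic" (SOCKS proxy on the loopback)
    -L localhost:<src>:<host>:<dst> PuTTY "Local"
    -N keeps the session open without starting a remote shell; the explicit
    localhost bind keeps the listeners off the client's other interfaces.
    """
    argv = ["ssh", "-N", "-p", str(port)]
    seen = set()
    for t in tunnels:
        if not 1 <= t.source_port <= 65535:
            raise ValueError(f"invalid source port {t.source_port}")
        if t.source_port in seen:
            raise ValueError(f"source port {t.source_port} used twice")
        seen.add(t.source_port)
        if t.dest_host is None:
            argv += ["-D", f"localhost:{t.source_port}"]
        else:
            if t.dest_port is None:
                raise ValueError("a Local tunnel needs a destination port")
            argv += ["-L", f"localhost:{t.source_port}:{t.dest_host}:{t.dest_port}"]
    argv.append(f"{user}@{server}")
    return argv


def ssh_command_line(tunnels, **kw) -> str:
    """Shell-quoted form of build_ssh_argv, ready to paste into a terminal."""
    return " ".join(shlex.quote(a) for a in build_ssh_argv(tunnels, **kw))


# The two tunnels from the article: a SOCKS proxy on 1080 and RDP via 3390.
ARTICLE_TUNNELS = [Tunnel(1080), Tunnel(3390, WINDOWS_LAN_IP, 3389)]

if __name__ == "__main__":
    print(ssh_command_line(ARTICLE_TUNNELS))
```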

Now you have to configure your applications to use the tunnels you have set up.  Let’s say you want to do your web browsing through the dynamic tunnel we set up. This is actually an extremely useful way to take advantage of SSH.

You may be on a network with some sort of firewall or content filtering that you wish to bypass. If you are able to get out on port 22 (or any other port, you’ll just have to set up your SSH server accordingly), then you’ll be able to surf wherever you want without issue through the dynamic tunnel.

It is also useful if you are surfing on a network where you may be concerned about others observing your traffic. Perhaps you are connecting from a hotel, a client site, or from work (you didn’t learn that from me) and you do not want others monitoring your traffic.

The best choice is to use Firefox, because Firefox allows you to configure the browser to also send DNS requests through the proxy. If you use Internet Explorer, your DNS requests are still made via the local network you connect from and thus can still be monitored. So Firefox would be the preferred browser if you wish to maintain privacy on the network you are connecting from.

To set up Firefox to use the dynamic tunnel as a SOCKS proxy, go to the Firefox Options > Advanced > Network and click the Settings button.  In the settings page, click Manual proxy configuration, enter localhost for the SOCKS Host, and 1080 for the Port.

We’re not quite done. We still need to configure Firefox to send DNS requests to the SOCKS proxy as well.  To do this, enter about:config in the navigation bar in Firefox. You may get a prompt asking you if you know what you’re doing. Assure Firefox that you know what you’re doing and proceed.

Enter socks_remote_dns for the Filter and press Enter. You should see a single option that says network.proxy.socks_remote_dns. If it says false for the Value, double-click on it so that it says true. You’re now all set. You should be able to surf the web through your new secure dynamic tunnel!
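As an added illustration (not from the original post) of what the socks_remote_dns switch changes on the wire: the SOCKS5 CONNECT request (RFC 1928) that Firefox sends to localhost:1080 either carries the hostname, so the SSH server resolves it inside the tunnel, or carries an IP address that the browser already looked up over the local network. The injectable resolver and the 203.0.113.10 address are constructed stand-ins so the example runs offline.

```python
import socket
import struct

ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def socks5_connect_request(host, port, remote_dns, resolve=socket.gethostbyname):
    """Build the SOCKS5 CONNECT request (RFC 1928) a browser sends to the proxy.

    remote_dns=True  mirrors network.proxy.socks_remote_dns=true: the hostname
                     itself travels in the request (ATYP 0x03) and is resolved
                     at the far end, inside the SSH session.
    remote_dns=False mirrors the default: the client resolves the name first
                     (here via `resolve`, a constructed stand-in for the system
                     resolver) and sends only the IPv4 address (ATYP 0x01), so
                     the DNS query already went out on the local network.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain address")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolve(host))
    return bytes([0x05, 0x01, 0x00]) + addr + struct.pack("!H", port)


def describe_request(req):
    """Decode a CONNECT request and report whether the name was resolved client-side."""
    if len(req) < 4 or req[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        addr, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise ValueError(f"unsupported address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("malformed request length")
    (port,) = struct.unpack("!H", rest)
    return {"addr": addr, "port": port, "dns_resolved_locally": atyp == ATYP_IPV4}


if __name__ == "__main__":
    # Constructed inputs: example.com, with a TEST-NET-3 address standing in for DNS.
    for flag in (True, False):
        req = socks5_connect_request("example.com", 443, flag, resolve=lambda h: "203.0.113.10")
        print(req.hex(), describe_request(req))
```

Only the request with ATYP 0x03 keeps the lookup inside the tunnel; the ATYP 0x01 form tells you the name was already resolved on the network you are trying not to trust.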

Fortunately, connecting to our Windows Remote Desktop machine is much easier. You just launch the Remote Desktop Client and enter localhost:3390 for the machine address. That’s all there is to it!

The reason we set the source port to 3390 is that the Remote Desktop Client will not allow you to connect to the default remote desktop port (3389) on the local machine. So that’s why we used 3390 instead (we could have used any port, I just use 3390 because it’s easy for me to remember).

The source port you use for setting up the tunnels is arbitrary. We could have used 1234 instead of 3390 if we wanted to, as long as nothing is running on the local machine at port 1234. What is not arbitrary is what you use on the destination IP and port. For that you will need to use the proper IP address and port for the service you wish to connect to.

You can set up a tunnel for any service on any IP anywhere. You’ll just need to set up the program to connect to localhost on the source port you set up for the tunnel. It’s a pretty nifty way to connect to things you may not be able to reach otherwise, due to firewall issues you may encounter. All you need is a single port to get to your SSH server, and the SSH server of course has to be listening on that port.
