Engineering, Technology, and DIY
Tunnel Your Way to Secure Freedom with SSH & SOCKS5
Sometimes the normal method of connecting to the internet simply isn’t enough. Firewalls, bandwidth limits, and insecurity really rain on one’s parade. There is hope, however, for addressing all of these issues with one simple technique:
An SSH & SOCKS5 Tunnel
The nitty-gritty details of these two protocols are beyond the scope of this blog post, and so only the general concept of each will be given. SSH, or Secure Shell, is a way of connecting two devices with an encrypted connection. It’s quite a useful little protocol, allowing one to run programs remotely, transfer files securely, and more. SOCKS5 is the protocol that will allow network traffic to be sent through the SSH tunnel. Unlike a standard HTTP proxy that one may find on the net, SOCKS5 can handle more than just browser traffic.
Preparations to set this up are minimal. Unix and Linux systems already have built-in SSH clients in the terminal and software to run as a server, but Windows lacks these capabilities built in. If a Windows box is to function as the server, one is going to need something like OpenSSH installed. To SSH into another server from Windows, one should get PuTTY. One will also need an account on the server to log in with. On OSX, one should also look into the program Proxifier, which will be explained later.
Once the ingredients are gathered and installed, the actual creation of the tunnel is quite easy. On the client computer, open up a command line or PuTTY, and type something in this form:
ssh -D port -N username@serverlocation
- ssh is pretty self-explanatory
- -D port specifies which local port to create the tunnel on. Pick something high, like 60009500, to avoid conflicts with other programs.
- -N prevents the remote command line from running since this is just being used to forward traffic.
- username is the username of the account one wishes to log in to on the server
- serverlocation is the location (IP or domain name) of the server to SSH into
One will be prompted to enter a password. If all went well, it will appear that nothing happened after this. For now, go to IP Chicken and record the current IP.
Now that the tunnel is up, it’s time to tell the system about it. You can do this in particular programs or system-wide. Firefox’s configuration is under the network tab in advanced settings, for example. The SOCKS host will be “localhost” (without quotes), the port will be what was specified earlier, and the protocol will be SOCKS5. This can be done system-wide through the OS’s network settings as well. Once this is done, go back to IP Chicken to verify that the IP is now that of the server.
It is important to note that the system-wide settings may not be truly system-wide and some programs don’t have SOCKS5 support built in. On OSX, for example, setting the proxy in the network settings doesn’t tunnel Flash. That’s where Proxifier comes in. It grabs all outgoing network traffic and forces it through the tunnel. Linux’s network manager doesn’t have this problem from what I’m told, and I’m unsure on Windows. The best policy would be to test it with some small, non-sensitive data before using it.
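One way to run that test from a terminal, as an added example that is not part of the original post: it assumes curl is installed and uses api.ipify.org (a service the post does not mention) as a plain-text stand-in for IP Chicken.

```sh
#!/bin/sh
# Added example: confirm that traffic really leaves through the ssh -D tunnel.
# Assumptions (not from the post): curl is installed, and api.ipify.org
# stands in for IP Chicken as a plain-text "what is my IP" service.
IP_ECHO_URL="${IP_ECHO_URL:-https://api.ipify.org}"

# Accept only unprivileged ports; binding below 1024 needs root.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Public IP with every proxy setting bypassed.
direct_ip() {
    curl -s --max-time 10 --noproxy '*' "$IP_ECHO_URL"
}

# Public IP through the tunnel on localhost:$1. --socks5-hostname hands the
# hostname to the proxy, so the DNS lookup also happens on the SSH server.
tunneled_ip() {
    curl -s --max-time 10 --socks5-hostname "localhost:$1" "$IP_ECHO_URL"
}

# Compare the two answers: prints a verdict, returns 0 only if the tunnel is used.
tunnel_verdict() {
    direct="$1"; tunneled="$2"
    if [ -z "$tunneled" ]; then
        echo "FAIL: no answer through the proxy (is ssh -D still running?)"
        return 2
    fi
    if [ "$direct" = "$tunneled" ]; then
        echo "FAIL: same IP ($direct) with and without the proxy"
        return 1
    fi
    # An empty direct answer is fine: a firewall may block everything but SSH.
    echo "OK: traffic exits via $tunneled (direct: ${direct:-unreachable})"
}

main() {
    if ! valid_port "$1"; then
        echo "usage: $0 <local SOCKS port, 1024-65535>" >&2
        return 64
    fi
    tunnel_verdict "$(direct_ip)" "$(tunneled_ip "$1")"
}

# Runs only when a port is given, e.g.: sh check_tunnel.sh 9500
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the SSH server sits behind the same public IP as the client, the two answers match even though the tunnel works.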
Using the two together provides a secure path for data. Rather than going directly from the user to the server over whatever unsecured standard connection is in place, the traffic will be routed through the encrypted tunnel to the server one is connected to via SSH, where it can then go to the website’s server or whatever final destination is intended, and vice versa. For example, consider one is at Starbucks, using their WiFi, and wants to do some online banking. HTTPS may be used from their router to the bank site, but the insecure wireless is ripe for man-in-the-middle attacks. By setting up an SSH tunnel to one’s home computer, or another secure server, and tunneling traffic through that, the entire connection to the bank server becomes secure.
Remember, using such methods may be against the Terms of Service of your business, school, or provider. Make sure to check that sort of thing beforehand.
Have a different way you tunnel your traffic, get around firewalls, etc? Share it in the comments.