SSH, Proxies (Proxy’s?), Tor and Web Browsing

For quite some time I’ve been making use of a dd-wrt modified linksys box on my home network as an openvpn endpoint so that when I’m out and about in the world, I connect the vpn, switch firefox to route through a squid proxy server on the home network and I’ve got a nice fairly secure web browsing setup. But, as they say there’s more than one way to skin a cat. And, that’s what I’ve played around with the last couple days. First off, I guess I should describe the concept. 1) Let’s say that you’re browsing the web at an open wireless access point and you don’t trust the network or 2) let’s say you need to be able to access an intranet web server that is not accessible from the internet side of a network or scenario 3) let’s say a web site is blocking access based on ip address (for instance say you’re behind the great firewall of xyz business/company)…. how can you still manage to access the web pages you want to 3,2) at all or 1) securely with as little snooping as possible.

All in all, this will make it possible to look as though you’re browsing the web from a different location than you really are and is also one way how to get around blocked websites. Now, it’s up to you to accept the responsibility for your actions if you use this to get around blocked sites

There are several ways you can do this. The first IS via openvpn and a web proxy like squid, but that’s a fair amount of setup for you on your home network to maintain browsing from outside – besides what if you’re home connection is down and you want a quick plan b?

Here’s one approach….

SSH – secure shell to the rescue…. from a console window make a secure connection to a secure shell server you have access to, with dynamic port forwarding enabled.

ssh -D 1080

go ahead and authenticate and then in your firefox settings, instruct firefox to browse through a SOCKS 5 server at localhost port 1080. (frankly, you could probably pick any higher port number if you like.)

(BTW if you want to get fancier with ssh you can pass any of the following:
-q :- be quiet – don’t output more information than necessary.
-T :- Do not allocate a pseudo tty – i.e. no login shell.
-f :- move the ssh process to background, as we don’t want to interact with this ssh session directly.
-N :- Do not execute remote command.
-n :- redirect standard input to /dev/null.

In addition on a slow line you can gain performance by enabling compression with the -C option.

I like to pull up my ip check page to verify which public internet address I’m browsing from. SO, now it’s as if you’re browsing the internet from your ssh server machine.

Now, if you needed to access an intranet page within the network that your secure shell server is hosted, you should be able to. It should behave actually just as though you were on the destination lan for everything within the web browser. If you wanted to get really fancy, you could probably set it as a system wide proxy and not have to manually configure your applications to tunnel through it.

It should be noted that your web traffic will only be encrypted between you and the remote ssh server. After that it leaves the pipe and will only be encrypted if you’re visiting encrypted sites.

Now, for reasons of very restrictive firewalls it might be nice if you knew of a ssh server listening on port 443 so that it would bypass even the most draconian restrictions. (BTW, that’s how I’ve previously setup openvpn connections – ports 53 udp or 80/443 tcp are good candidates – 53 udp because it’s dns and shouldn’t be blocked if they expect domain lookups to work, however… it’s typically unencrypted and might look suspicious – besides they may do internal dns so it’s not my first choice. Port 80 is a good candidate because if they allow outside world web access then you should be able to pass data, still port 80 is typically unencrypted and it might look a bit suspect. My preference then is port 443. It’s necessary for https: sites and is expected to be encrypted, so it makes a nice openvpn (or ssh) alternate port.

It’s also possible to tunnel your web traffic through something called tor to enhance your privacy on the internet and essentially make it appear as though you’re browsing the web from a location where you aren’t physically. So, if a forum is only allowing connections from ip address in Poland and you really want to connect you can configure tor to only use endpoints that are in Poland and all your web browsing bits will ping pong through several machines in an encrypted tunnel until they exit a machine in Poland and connect to the forum your trying to connect to. To use tor, you need to also install a proxy server like privoxy.

By the way, tor can be a slow network – they are typically fairly oversaturated, but there are some ways to get a faster link going by tweaking your torrc file. I should point out that it’s somewhat abusive of the tor network resources to try to suck down giant bittorrents through tor….

I should also mention that there is a great firefox plugin for managing your proxy settings. (It got to be a pain manually switching them, so you might look at foxyproxy. It let’s you configure multiple proxys and switch between them for all traffic, OR more interestingly using text matching it could allow you to use a proxy only for certain sites.

Also – Set your proxy server to resolve DNS requests instead of your computer; in Firefox’s about:config area, set network.proxy.socks_remote_dns = true.

(From what I see that is the default – either that or I’ve already been there and done that.)

Other links that may be interesting are :a site to check if you are using tor and an ip locator.

And if you’re command-line phobic on linux you might take a look at gnomes ssh tunnel manager (GSTM I think in packages.) Really whether you are comfortable at the command line or not, this looks like a neat, quick interface.

   Send article as PDF   

Similar Posts