For quite some time I’ve been using a dd-wrt modified Linksys box on my home network as an OpenVPN endpoint: when I’m out and about in the world, I connect the VPN, switch Firefox to route through a Squid proxy server on the home network, and I’ve got a nice, fairly secure web browsing setup. But, as they say, there’s more than one way to skin a cat, and that’s what I’ve played around with the last couple of days. First off, I should describe the concept. There are three situations this addresses: 1) you’re browsing the web at an open wireless access point and you don’t trust the network; 2) you need to reach an intranet web server that is not accessible from the internet side of a network; 3) a web site is blocking access based on IP address (for instance, you’re behind the great firewall of xyz business/company). The question is how you can still reach the web pages you want: at all in cases 2 and 3, and securely, with as little snooping as possible, in case 1.
All in all, this will make it look as though you’re browsing the web from a different location than you really are, and it is also one way to get around blocked websites. It’s up to you to accept the responsibility for your actions if you use this to get around blocked sites.
There are several ways you can do this. The first is via OpenVPN and a web proxy like Squid, but that’s a fair amount of setup on your home network to maintain just for browsing from outside; besides, what if your home connection is down and you want a quick plan B?
Here’s one approach….
SSH, secure shell, to the rescue. From a console window make a secure connection to a secure shell server you have access to, with dynamic port forwarding enabled:
ssh -D 1080 firstname.lastname@example.org
Go ahead and authenticate, then in your Firefox connection settings instruct Firefox to browse through a SOCKS 5 server at localhost, port 1080. (You can pick any other unprivileged port if you like; 1080 is just the conventional SOCKS port. Note that -D binds to the loopback address only unless you tell it otherwise, so other machines on the untrusted network can’t ride your tunnel.)
(By the way, if you want to get fancier with ssh you can add any of the following:
-q :- be quiet; don’t output more information than necessary.
-T :- do not allocate a pseudo-tty, i.e. no interactive login shell.
-f :- move the ssh process to the background once it has authenticated, since we don’t want to interact with this ssh session directly.
-N :- do not execute a remote command; just hold the connection open for the port forwarding.
-n :- redirect standard input from /dev/null (implied by -f).
In addition, on a slow line you can gain performance by enabling compression with the -C option.)
I like to pull up my IP check page to verify which public internet address I’m browsing from. So now it’s as if you’re browsing the internet from your ssh server machine.
Now, if you need to access an intranet page within the network where your secure shell server is hosted, you should be able to: for everything inside the web browser it behaves as though you were on the destination LAN. If you wanted to get really fancy, you could set it as a system-wide proxy and not have to configure each application to tunnel through it, bearing in mind that only applications that honor the system proxy setting will actually use it.
It should be noted that your web traffic is only encrypted between you and the remote ssh server. After that it leaves the pipe and is encrypted only if you’re visiting encrypted (https) sites; whoever runs or watches the network at the ssh server’s end sees the rest in the clear.
Now, because of very restrictive firewalls it might be nice to have an ssh server listening on port 443, so that the tunnel gets through even the most draconian restrictions. (By the way, that’s how I’ve previously set up OpenVPN connections: ports 53 udp or 80/443 tcp are good candidates. 53 udp is DNS and shouldn’t be blocked if they expect domain lookups to work; however, DNS is typically unencrypted, so encrypted traffic on it might look suspicious, and besides, they may force internal DNS, so it’s not my first choice. Port 80 is a good candidate because if they allow outside web access you should be able to pass data, but port 80 is also typically unencrypted and the traffic might look a bit suspect. My preference is port 443: it’s necessary for https sites and is expected to carry encrypted traffic, so it makes a nice alternate port for OpenVPN or ssh.)
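As an added example (not from the original post), here is the sshd_config fragment that makes the home box listen on 443 as well as the normal port; sshd accepts multiple Port lines, and the client side is then just ssh -p 443 -D 1080 user@host with whatever extra flags you like. The obvious caveat: nothing else on that machine can then serve https on 443, and a router running dd-wrt may already use it for its own web interface.

```text
# /etc/ssh/sshd_config on the ssh server at home (added example)
# Keep the standard port and add 443 as the "gets through anything" port.
Port 22
Port 443
# Password guessing gets worse on an exposed port; keys only if you can manage it.
PasswordAuthentication no
# Off by default anyway, but makes explicit that -D listeners stay on loopback.
GatewayPorts no
```

Restart sshd after editing (service ssh restart or the dd-wrt equivalent), and test from outside before you need it: ssh -p 443 user@host should give you a shell exactly as port 22 does.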
It’s also possible to tunnel your web traffic through Tor to enhance your privacy on the internet and, again, make it appear as though you’re browsing from a location where you aren’t physically. So, if a forum only allows connections from IP addresses in Poland and you really want to connect, you can configure Tor to use only exit nodes in Poland; all your web browsing bits will ping-pong through several relays in an encrypted tunnel until they exit from a machine in Poland and connect to the forum you’re trying to reach. Tor exposes a SOCKS port of its own (9050 by default), so Firefox can point at it directly as a SOCKS 5 proxy with remote DNS enabled; older guides also put an HTTP proxy like Privoxy in front of it, which is handy for applications that only understand HTTP proxies, but it isn’t required for Firefox.
By the way, Tor can be a slow network; the relays are typically fairly oversaturated, but there are some ways to get a faster link by tweaking your torrc file. I should point out that it’s somewhat abusive of the Tor network’s resources to try to suck down giant BitTorrent downloads through it.
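The Poland-only exit setup above, as an added torrc example rather than anything from the original post. ExitNodes takes country codes in braces, and StrictNodes turns the country list from a preference into a hard requirement (without it Tor may fall back to other exits if none of the listed ones are usable).

```text
# torrc (added example): force all circuits to exit in Poland
ExitNodes {pl}
StrictNodes 1
# The SOCKS listener Firefox points at; this is the default value
SocksPort 9050
```

Pinning exits to one country shrinks the pool of relays you can use, which costs you both speed and some anonymity, so only set it when a site actually requires it. Point Firefox at localhost:9050 as a SOCKS 5 proxy, and keep network.proxy.socks_remote_dns on so that name lookups go through Tor too.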
I should also mention that there is a great Firefox plugin for managing your proxy settings. It got to be a pain switching them manually, so you might look at FoxyProxy. It lets you configure multiple proxies and switch between them for all traffic, or, more interestingly, use pattern matching to send only certain sites through a proxy.
Also, set the proxy server to resolve DNS requests instead of your computer: in Firefox’s about:config, set network.proxy.socks_remote_dns = true. Otherwise Firefox looks the name up locally, in the clear, on the very network you don’t trust, which tells anyone watching exactly which sites you visit even though the page contents are tunneled.
(From what I see that is the default; either that or I’ve already been there and done that.)
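To make the socks_remote_dns point concrete, here is an added example (my code, not something from the original post) of the SOCKS 5 exchange Firefox has with the local ssh -D listener, written so the difference shows up on the wire: with remote DNS the hostname itself is sent (address type 0x03) and the ssh server resolves it; without it the browser resolves the name first and only an IP address (type 0x01) reaches the tunnel. It uses only the Python standard library; the resolver argument and the 192.0.2.10 address are constructed stand-ins so nothing touches the network.

```python
# Added example: the SOCKS5 (RFC 1928) client/server messages behind "ssh -D",
# showing where the DNS leak happens when socks_remote_dns is off.
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH = 0x00


def greeting() -> bytes:
    """Client hello: version 5, one method offered, 0x00 = no authentication
    (the only method the ssh -D listener accepts; you authenticated on the SSH login)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect(host: str, port: int, remote_dns: bool = True,
                  resolver=socket.gethostbyname) -> bytes:
    """Encode a CONNECT request for host:port as a SOCKS5 client would.

    remote_dns=True  : a hostname is sent as-is (ATYP 0x03); the SSH server resolves it.
    remote_dns=False : the name is resolved here first via `resolver`, i.e. a plaintext
                       DNS query leaves this machine before the tunnel is used.
    Literal IP addresses are always sent as ATYP 0x01 / 0x04.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                      # not a literal address: it is a hostname
    if ip is None and not remote_dns:
        ip = ipaddress.ip_address(resolver(host))   # <- the DNS leak
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])
    if ip is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (one length byte)")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return head + addr + struct.pack("!H", port)


def parse_connect(data: bytes):
    """Server side: decode a CONNECT request into (atyp, host, port).
    Rejects anything that is not a well-formed SOCKS5 CONNECT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is supported here (ssh -D is the same)")
    if data[2] != 0x00:
        raise ValueError("reserved byte must be zero")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated request or trailing bytes")
    return atyp, host, struct.unpack("!H", rest)[0]


def is_connect(data: bytes) -> bool:
    """Convenience check used by the demo: does this parse as a CONNECT request?"""
    try:
        parse_connect(data)
        return True
    except ValueError:
        return False


def connect_reply(rep: int = 0x00) -> bytes:
    """Server reply. 0x00 = succeeded. For CONNECT the bound address is of no use to
    the browser, so it is zeroed (BND.ADDR 0.0.0.0, BND.PORT 0)."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 4 + b"\x00\x00"


def leaks_dns(request: bytes, intended_host: str) -> bool:
    """True when the browser resolved a hostname itself before talking to the proxy."""
    atyp, _host, _port = parse_connect(request)
    try:
        ipaddress.ip_address(intended_host)
        return False                   # user typed an IP; there was nothing to resolve
    except ValueError:
        return atyp != ATYP_DOMAIN


if __name__ == "__main__":
    lookups = []                       # records what a local resolver would be asked
    fake_resolver = lambda name: (lookups.append(name), "192.0.2.10")[1]  # constructed
    safe = build_connect("example.org", 443)
    leaky = build_connect("example.org", 443, remote_dns=False, resolver=fake_resolver)
    print("remote dns :", safe.hex(), parse_connect(safe), "leak:", leaks_dns(safe, "example.org"))
    print("local dns  :", leaky.hex(), parse_connect(leaky), "leak:", leaks_dns(leaky, "example.org"))
    print("names resolved on this machine:", lookups)
```

Run it and compare the two hex dumps: the safe request carries the literal bytes of "example.org" after 0x03, the leaky one carries only c0 00 02 0a after 0x01, and the local resolver was consulted for the name. That local lookup is the thing the about:config setting prevents; the rest of the exchange is identical, which is why the leak is easy to miss.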
And if you’re command-line phobic on Linux you might take a look at GNOME’s ssh tunnel manager (gSTM, I think, in the packages). Really, whether you are comfortable at the command line or not, it looks like a neat, quick interface.
Related Posts
- Torbutton - firefox anonymity browser extension I don't know if anonymity is exactly achieved, but.... anyway not too long ago I explored/setup tor on my system to play around with, no real reason I suppose, but doing what I do it pays to be aware of many different kinds of software. Tor proxies web requests from......
- Denyhosts as an added defence to ssh server A couple days ago I had a brief article on the vandals banging away at the door of my ssh server. Like I said, I've, at times, been fairly smug about the futility of their actions, but.... the persistence concerns me. Let me be more specific, I keep a fairly......
- Network Security guide for the home or small business network - Part 15 - Security Through obscurity I remember many years ago watching a Dr. Who episode where a very important key was "hidden" in a display of many other keys. Kind of like hiding a tree in a forest. This concept is "security by obscurity". Generally this is considered a bad approach to security. It is......
- Using ssh to protect web browsing over wireless or other hostile networks
- Network Security guide for the home or small business network – Part 19 – What about when you’re not on your home network?
- SSH tips and tricks.
- Common Networking Ports