For quite some time I’ve been using a dd-wrt modified Linksys box on my home network as an OpenVPN endpoint, so that when I’m out and about in the world I connect the VPN, switch Firefox to route through a Squid proxy server on the home network, and I’ve got a nice, fairly secure web browsing setup. But, as they say, there’s more than one way to skin a cat, and that’s what I’ve played around with the last couple of days. First off, I should describe the concept. 1) Let’s say you’re browsing the web at an open wireless access point and you don’t trust the network; or 2) let’s say you need to access an intranet web server that is not reachable from the internet side of a network; or 3) let’s say a web site is blocking access based on IP address (for instance, you’re behind the great firewall of xyz business/company). How can you still manage to access the web pages you want: at all in scenarios 2 and 3, or securely, with as little snooping as possible, in scenario 1?
All in all, this will make it possible to look as though you’re browsing the web from a different location than you really are, and it is also one way to get around blocked websites. Now, it’s up to you to accept the responsibility for your actions if you use this to get around blocked sites.
There are several ways you can do this. The first IS via OpenVPN and a web proxy like Squid, but that’s a fair amount of setup on your home network to maintain just for browsing from outside. Besides, what if your home connection is down and you want a quick plan B?
Here’s one approach….
SSH, secure shell, to the rescue. From a console window, make a secure connection to a secure shell server you have access to, with dynamic port forwarding enabled:
ssh -D 1080 firstname.lastname@example.org
Go ahead and authenticate, and then in your Firefox settings instruct Firefox to browse through a SOCKS 5 server at localhost, port 1080. (Frankly, you could pick any higher port number if you like.)
(BTW, if you want to get fancier with ssh you can pass any of the following:
-q : be quiet; don’t output more information than necessary.
-T : do not allocate a pseudo-tty, i.e. no login shell.
-f : move the ssh process to the background, since we don’t want to interact with this ssh session directly.
-N : do not execute a remote command.
-n : redirect standard input from /dev/null.
In addition, on a slow line you can gain performance by enabling compression with the -C option.)
I like to pull up my IP check page to verify which public internet address I’m browsing from. So, now it’s as if you’re browsing the internet from your ssh server machine.
Now, if you need to access an intranet page within the network where your secure shell server is hosted, you should be able to. For everything within the web browser, it should behave just as though you were on the destination LAN. If you wanted to get really fancy, you could set it as a system-wide proxy and not have to manually configure each application to tunnel through it.
It should be noted that your web traffic will only be encrypted between you and the remote ssh server. After that it leaves the tunnel and will only be encrypted if you’re visiting encrypted (https) sites.
Now, because of very restrictive firewalls, it might be nice to know of an ssh server listening on port 443, so that it would bypass even the most draconian restrictions. (BTW, that’s how I’ve previously set up OpenVPN connections; ports 53 udp or 80/443 tcp are good candidates. 53 udp because it’s DNS and shouldn’t be blocked if they expect domain lookups to work; however, DNS is typically unencrypted, so tunnel traffic there might look suspicious, and besides, they may run internal DNS, so it’s not my first choice. Port 80 is a good candidate because if they allow outside world web access then you should be able to pass data, but port 80 is typically unencrypted too and it might look a bit suspect. My preference, then, is port 443. It’s necessary for https: sites and is expected to carry encrypted traffic, so it makes a nice OpenVPN (or ssh) alternate port.)
It’s also possible to tunnel your web traffic through something called Tor to enhance your privacy on the internet and essentially make it appear as though you’re browsing the web from a location where you aren’t physically. So, if a forum only allows connections from IP addresses in Poland and you really want to connect, you can configure Tor to only use exit nodes that are in Poland, and all your web browsing bits will ping-pong through several machines in an encrypted tunnel until they exit a machine in Poland and connect to the forum you’re trying to reach. To use Tor, you also need to install a proxy server like Privoxy.
By the way, Tor can be a slow network; it is typically fairly oversaturated, but there are some ways to get a faster link going by tweaking your torrc file. I should point out that it’s somewhat abusive of the Tor network’s resources to try to suck down giant bittorrents through Tor….
I should also mention that there is a great Firefox plugin for managing your proxy settings. (It got to be a pain manually switching them, so you might look at FoxyProxy. It lets you configure multiple proxies and switch between them for all traffic, OR, more interestingly, using text matching it can apply a proxy only for certain sites.)
Also, set your proxy server to resolve DNS requests instead of your computer: in Firefox’s about:config area, set network.proxy.socks_remote_dns = true.
(From what I see that is the default – either that or I’ve already been there and done that.)
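To make concrete what that setting changes on the wire, here is an added example (not code from the original post) that builds and decodes the SOCKS5 CONNECT requests a browser sends to the listener that ssh -D opens, in both the remote-DNS and local-DNS modes. The host intranet.example, its address 10.0.0.5 and the FAKE_LOCAL_RESOLVER table are constructed stand-ins so it runs offline.

```python
import ipaddress
import struct

# Constructed stand-in for the local resolver; a real client would call
# socket.getaddrinfo(), which sends a cleartext DNS query onto the LAN.
FAKE_LOCAL_RESOLVER = {"intranet.example": "10.0.0.5"}
SOCKS_VERSION, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

def client_greeting():
    # VER=5, one method: 0x00 "no authentication", which is what the ssh -D listener offers
    return bytes([SOCKS_VERSION, 1, 0])

def build_connect(host, port, remote_dns):
    """Return (request_bytes, names_resolved_locally).
    remote_dns=True : hostname sent as ATYP=3, resolved by the ssh server, so
                      the name only ever travels inside the encrypted tunnel.
    remote_dns=False: client resolves first (a DNS query the hostile network
                      can see) and sends ATYP=1/4 with the resulting address."""
    leaked = []
    try:
        addr = ipaddress.ip_address(host)   # literal IP: nothing to resolve
    except ValueError:
        addr = None
    if addr is None and not remote_dns:
        leaked.append(host)
        addr = ipaddress.ip_address(FAKE_LOCAL_RESOLVER[host])
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0])
    if addr is None:
        name = host.encode("idna")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    return head + body + struct.pack("!H", port), leaked

def parse_connect(data):
    """Decode a CONNECT request into (host, port, atyp), as the proxy sees it."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    return host, struct.unpack("!H", rest[:2])[0], atyp
```

With remote_dns=False the returned list shows the name that left the laptop as a plain DNS query before the tunnel was ever used; with remote_dns=True it is empty.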
And if you’re command-line phobic on Linux you might take a look at GNOME’s ssh tunnel manager (GSTM, I think, in packages). Really, whether you are comfortable at the command line or not, this looks like a neat, quick interface.