Private web browsing using SSH tunnel and SOCKS v5 proxy (Mac or Windows)
Post a comment or leave a trackback: Trackback URL.
It’s not that I’m doing anything I shouldn’t be doing, but sometimes I just feel more comfortable knowing my employer or the local coffee shop can’t see what web sites I’m going to on my laptop. Also, I really love sending traffic through SSH tunnels.
If you’re a user that has a desktop computer always on at home (Mac or Windows) and you carry a laptop around, this post can help set yourself up with some private web browsing.
I’m going to cover all the different Mac & Windows options here, because I know not everyone uses the same set of computers. I hope the post doesn’t get too cluttered…
Home Computer Setup
To get your home computer setup you’ll need a few things.
- A Dynamic DNS account configured using your high speed internet account.
- An SSH server running (this is the tricky part)
- A properly configured home firewall
1. Dynamic DNS
There are lots of Dynamic DNS services out there, but my favorite is DynDNS.com. I’ve had an account with them for over 10 years and I don’t think they’ve ever been offline. I use their paid Custom DNS service because it gives me a lot of flexibility and control.
I’m going to leave the setup process for Dynamic DNS on your home account out of this post. Your firewall may already have integrated support and there are lots of other pages out there to set this up. Here are a few:
For reference, I set my custom DNS name to, home.mydomain.com. This is the hostname I’ll use when configuring the remote SSH tunnel.
2a. An SSH Server using Mac OS X
With Mac OS X as your home computer, you’re in luck, this is easy to setup. First, I recommend creating a user account used only for SSH connections. Open System Preferences – Accounts, click the + icon to create a new account, and name it whatever you want, something cryptic maybe, I’ll call my new user, goodbadtechremote2009, and I recommend picking a very strong password, 15+ characters, letters, numbers, symbols, etc.
Next, enable remote access by opening System Preferences -> Sharing. Then click the checkbox next to “Remote Login”. In the “Allow Access” section, change the selection to “Only these users”, and add the user you just created.
Last, configure your Mac to use a static IP address. This can be done under System Preferences -> Network. Make note of the address you use, I’ll refer to it later as SSHIP. Take a look at this link for additional help: http://answers.vt.edu/kb/entry/1867/
That’s it on the Mac side, you’re ready to go.
2b. An SSH Server using Microsoft Windows
Running Windows, it’s definitely more of a challenge to get an SSH server online. I know some people have used Cygwin, but I think using the free VMWare Server product is a better way to go. It makes the whole process much faster, is more reliable and VMWare is just cool.
- So, step one, download and install VMWare Server. VMWare provides a lot of great documentation regarding how to get the product downloaded and installs, but typically you just need to download and run the installer with all the default options.
- Reference my post regarding installing CentOS 5 as a VMWare guest. Complete the steps in the section, CentOS 5. Make sure you choose Bridged for the type of network connection. There are also many other places that detail installing Linux operating systems in VMWare, feel free to use a different resource if you have one you prefer.
- Login to your new Linux operating system as root
- Add a new user for SSH connections and set a very strong password, let’s call the user goodbadtechremote2009
- I recommend you edit /etc/ssh/sshd_config to lock access down. Here is a sample config that I like to use.
12345678910111213141516171819202122Port 22Protocol 2ListenAddress 0.0.0.0AllowUsers goodbadtechremote2009SyslogFacility AUTHLogLevel INFOPermitRootLogin noStrictModes yesRSAAuthentication yesPubkeyAuthentication yesPasswordAuthentication yesPermitEmptyPasswords noKerberosAuthentication noX11Forwarding noPrintMotd yesPrintLastLog yesKeepAlive yesUseLogin noUsePrivilegeSeparation noSubsystem sftp /usr/libexec/openssh/sftp-serverBanner /etc/issueUseDNS no
- I also like to edit the /etc/issue file to include a simple “keep away” statement.
123456789101112131415161718192021NOTICE TO USERSThis computer system is the private property, whether individual,corporate or government. It is for authorized use only. Users(authorized or unauthorized) have no explicit or implicitexpectation of privacy.Any or all uses of this system and all files on this system may beintercepted, monitored, recorded, copied, audited, inspected, anddisclosed to your employer, to authorized site, government, and lawenforcement personnel, as well as authorized officials of governmentagencies, both domestic and foreign.By using this system, the user consents to such interception, monitoring,recording, copying, auditing, inspection, and disclosure at thediscretion of such personnel or officials. Unauthorized or improper useof this system may result in civil and criminal penalties andadministrative or disciplinary action, as appropriate. By continuing touse this system you indicate your awareness of and consent to these termsand conditions of use. LOG OFF IMMEDIATELY if you do not agree to theconditions stated in this warning.
- Configure a static IP address
- run /sbin/ifconfig and note your current IP address and Network.
- In CentOS, edit /etc/sysconfig/network-scripts/ifcfg-eth0, so it looks something like the text below. Make sure to replace the IP address and Gateway with a valid address in your network. I’ll later referece the IP address you set here as SSHIP
- Restart the SSH server
- Restart your networking
- That’s it, your Linux setup in Windows should be ready to go.
- Add a new user for SSH connections and set a very strong password, let’s call the user goodbadtechremote2009
3. Your home firewall
Disclaimer: Open remote access to an SSH server in your home network at your own risk. I can’t cover all the details of this setup process here and there are several security concerns to consider. Also, your internet provider may NOT allow home servers running over the Internet.
In order to access your own computer over the Internet, you’ll need to allow remote access through your home firewall/router (you are using a firewall on your high speed connection right?).
I use a LinkSys WRT300N wireless router. Most of the LinkSys, Belkin, NetGear, etc routers operate pretty much the same. For me, I logged into the router, went into the Applications & Gaming section and setup single port forwarding.
A little trick I use is to set the external port to 443 instead of 22 (which is the default for SSH connections) because some networks control outbound traffic and port 443 is more likely to be allowed outbound then port 22 is. Also, if anyone were to glance at the actual traffic it would look like the HTTPS encrypted traffic they’d expect to see.
Make sure to set the internal port to 22, set the protocol to TCP, and enter the SSHIP address you recorded in earlier and save your settings.
You’re ready to setup your laptop to open the SSH tunnel.
On to your laptop configuration. We’ll do Windows first this time.
Windows SSH Tunnels
- Download putty.exe and save it to your hard drive. I usually place the executable in my Program Files directory.
- Run PuTTY
- We need to create a saved session for easily opening an SSH connection with all the right settings in the future
- Expand the Connection section and click Data and enter goodbadtechremote2009 in teh Auto-Login username field.
- Expand Connection->SSH and click on Tunnels
- In the Source Port field type 1080
- Leave the Destination field empty
- Change the Local radio button to Dynamic
- Click on the Session category
- Type in the hostname you configured when setting up Dynamic DNS, home.mydomain.com, in my example
- Make sure the connection type is SSH
- The default port will be 22, change this to 443 if you set your home firewall up the way I did in this example.
- In the Saved Sessions text box, type in a name for the session. I like to use the remote hostname I’m connecting to, home.mydomain.com.
- Click Save
- Test the new PuTTY session by clicking open. If all goes right you’ll get a terminal session window that opens and it will prompt you for a password. On your first connection attempt you may be asked to verify that you are connecting to a valid host, you can type yes to authorize the connection.
- Shortcut tip: Create a shortcut on your desktop to the putty.exe application. Edit the properties of the shortcut and add some information to the target line. Mine looks like this:
Windows Web Browser changes
This is the last step, configuring the browser. There are a number of different ways to set this up. I’m going to keep it simple here. I use Internet Explorer 8 for my primary web browsing, and I downloaded and installed Firefox to use when I want use my private browsing SSH tunnel. So here is the process for this approach:
- Download and install Firefox if it’s not installed already. http://www.mozilla.com/en-US/firefox/personal.html
- Open Firefox and click on Tools -> Options
- Click the Advanced Icon at the top of the Options Window
- Click the Network Tab
- Click the Settings button
- Select “Manual Proxy Configuration”
- Under SOCKS Host, type in, 127.0.0.1
- Set the port for SOCKS Host to 1080
- Select the SOCKS v5 radio button
- Click OK
- Click OK again to close the Options window
If your SSH connection is still open, you should be able to visit web pages just like you normally would, go ahead and try to visit spanders.com and see if it works.
Now this is the real test, close your SSH tunnel by closing your PuTTY session window. Try to go to http://www.spanders.com again. This time the connection should fail. If it does, your private web browsing configuration is READY TO GO!
In the future, to use private browsing, open the PuTTY shortcut you configured on your desktop, then open Firefox and no body at your office or in the coffee shop or where ever will be able to detect or restrict what web sites your visiting.
Mac OS SSH Tunnels
This is a pretty quick process, here goes…
- Open your Applications folder -> Utilities -> Terminal
- scroll down to the very bottom of the file
- Add this line
alias homessh=”/usr/bin/sshtunnel -D 1080 -f -C -q N -p 443 email@example.com”
- Type Ctrl+x to exit the Pico editor, type Y, to indicate you want to save the changes
- Now at your command prompt type,
homessh, this should connect to your home SSH server and prompt you for your password. Type in your password and your tunnel will be ready to go. \
Mac OS Web Browser changes
On my MacBook Pro, I find it works best to use the location functionality. Note: This will only effect the Safari browser. Firefox will ignore these location settings.
- I go into the Apple Menu, Select Location, then select “Network Preferences”
- In the Location drop-down menu select “Edit Locations…”
- Click the + icon at the bottom of the Locations menu that pops up and name your new location, “Home SSH Proxy”, click Done.
- Back in the Network system preference, select the new “Home SSH Proxy” location
- Click on the Ethernet icon
- Click on the Advanced button
- Click on the proxies tab
- Click the check box next to Web Proxy (HTTP)
- In the Web Proxy Server enter, 127.0.0.1, into the first text field and enter, 1080, into the second field.
- Now click the check box next to Secure Web Proxy (HTTPS)
- In the Secure Web Proxy Server enter, 127.0.0.1, into the first text field and enter, 1080, into the second field.
- Click OK
- Repeat steps 6-12 for your AirPort connection
That should be everything. Just as in the Windows setup, if your SSH connection is still open and your location is set to Home SSH Tunnel, you should be able to visit web pages just like you normally would, go ahead and try to visit spanders.com and see if it works.
Now this is the real test, close your SSH tunnel by typing exit in your terminal window. Try to go to http://www.spanders.com again. This time the connection should fail. If it does, your private web browsing configuration is READY TO GO!
In the future, to use private browsing, open a terminal window and type homessh, enter your ssh password, then switch your location to “Home SSH Tunnel”. Make sure to switch back to your normal network location when you’re done.
Everything in this post may seem elaborate and confusing, and I admit, it kind of is. But once everything is setup, it’s very easy to open a connection and start your private web browsing. Going through this whole setup process will also help your general network understanding a lot, so it’s a good exercise for anyone looking to increase their networking skills.
As always, feel free to post any questions in the comments below.