Ssh-tunnel internet proxy

Using an SSH-connection to tunnel your internet traffic through a remote server
This ‘how to’ explains how to use any ssh-enabled server as a gateway to the open internet from a closed network, such as a network behind an unwanted firewall.
With an ssh-tunnel, traffic to port numbers that the firewall would block is ‘encapsulated’ in a tunnel through a port that is allowed to pass the firewall. Because the tunnel is encrypted, an outsider cannot see what kind of traffic you are sending, which makes it hard to use ‘packet inspection’ to filter specific applications or content.
Why?
If you are in a closed network (one that filters or blocks some sites or protocols), or in a network environment you don’t trust (for example at an internet cafe with your own laptop), you might want to route all your internet traffic through an encrypted ‘tunnel connection’ to a trusted server outside your current domain. In this way your internet traffic can pass any firewall that is in between. Because the tunnel is encrypted, its content cannot be read by anyone between you and the server. The server itself, and the network beyond it, still see the traffic that leaves the tunnel.
How?
Setting up such an encrypted connection via an ssh-server consists of 2 parts:
Part 1: Create the SSH-tunnel
Part 2: Tell your application to use the tunnel instead of the ‘standard’ internet gateway
What do you need?
- You need an ssh account on some server outside of the restricted domain.
Part 1: Creating an SSH-tunnel from a linux-machine to a remote server
You can use the standard ssh-command to set up a secure connection AND set-up your tunnel using the following command:
(replace USER with your username and IPADDRESS with the IP-address of the SSH-server).
ssh -D 4040 IPADDRESS -l USER
You will now be prompted for your password.
This command opens local port 4040, which acts as a (local) SOCKS proxy. All traffic sent to this port is forwarded through the ssh-connection to the server at IPADDRESS, which connects to the destination on your behalf.
As long as this connection is active, you can point any application to 127.0.0.1:4040, and the application will send its IP-traffic through the tunnel.
Note that:
- You have to remain logged-in to keep the tunnel active.
- 4040 is just a ‘random’ port; you can use any other (unused) port, as long as you also use it in the proxy settings in the next step.
- Make sure the port you choose is not in use by any other application on your computer.
Part 2: Make your application use the tunnel via the local proxy at 127.0.0.1:4040
You now need to set-up the application to use the tunnel. This can be achieved by pointing the application to the local proxy as configured in the ssh-connection using the following proxy-settings:
Proxy-settings:
– Choose SOCKSv5 in your proxy-settings
– IP address : 127.0.0.1
– Port 4040
Note that 127.0.0.1 is the ip-address of ‘local-host’, or your own computer. Port 4040 is the port we use in this example. Any other port can be used, as long as it is free on your local machine.
Example 1 : Mozilla Firefox
In Firefox (setup is similar in many other browsers):
– Open: ‘Edit’, ‘Preferences’, ‘Advanced’, ‘Network’
– Choose ‘Settings’ to open the settings menu
– Click on ‘Manual Proxy Configuration’
– In ‘Manual Proxy’, enter : SOCKSv4, Socks-host 127.0.0.1, port 4040
– Make sure the other entries are empty, because they override the SOCKS-settings.
The proxy is now set and should work. Try to open any site in the browser. Check for example myipaddress.com to see from which IP you are entering the internet. It should now show the IP of the proxy server.
Example 2: Using the Gnome Proxy settings for all Gnome Applications (including the webbrowser)
Gnome can set up the proxy for all traffic via the Gnome Network Manager.
Go to:
– ‘System’, ‘Preferences’ on the Gnome-taskbar (by default at the top of your Desktop).
– Select ‘Network Proxy’.
– Enter the SOCKS5 proxy values 127.0.0.1 , port 4040
– Make sure the other entries are empty, because they override the SOCKS-settings.
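The settings above name both SOCKSv5 and SOCKSv4. The following added example (not part of the original how-to) builds the CONNECT request each version sends to 127.0.0.1:4040, following RFC 1928 for SOCKS5 and the SOCKS4 request layout, to show that only SOCKS5 can carry the host name into the tunnel. The function names and the sample address and host are constructed for illustration.

```python
import ipaddress
import struct

def socks4_connect(ipv4: str, port: int, user: bytes = b"") -> bytes:
    # SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
    # There is no host-name field, so the client resolves DNS itself,
    # on the local network and outside the ssh-tunnel.
    addr = ipaddress.IPv4Address(ipv4).packed
    return struct.pack("!BBH", 4, 1, port) + addr + user + b"\x00"

def socks5_greeting() -> bytes:
    # RFC 1928 greeting: VER=5, NMETHODS=1, METHOD=0 (no authentication).
    return b"\x05\x01\x00"

def socks5_connect(host: str, port: int) -> bytes:
    # RFC 1928 CONNECT with ATYP=3 (domain name): the name is sent through
    # the tunnel and resolved by the ssh-server, not by the local resolver.
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def describe(request: bytes) -> dict:
    # Decode a CONNECT request and report where any DNS lookup happened:
    # "local" means the client already had to turn the name into an address.
    version = request[0]
    if version == 4:
        (port,) = struct.unpack("!H", request[2:4])
        dest = str(ipaddress.IPv4Address(request[4:8]))
        return {"version": 4, "dest": dest, "port": port, "dns": "local"}
    if version == 5 and request[3] == 3:  # ATYP=3, domain name
        end = 5 + request[4]
        (port,) = struct.unpack("!H", request[end:end + 2])
        dest = request[5:end].decode("ascii")
        return {"version": 5, "dest": dest, "port": port, "dns": "remote"}
    if version == 5 and request[3] == 1:  # ATYP=1, IPv4 address
        (port,) = struct.unpack("!H", request[8:10])
        dest = str(ipaddress.IPv4Address(request[4:8]))
        return {"version": 5, "dest": dest, "port": port, "dns": "local"}
    raise ValueError("unsupported SOCKS request")

if __name__ == "__main__":
    # Constructed sample values: 192.0.2.10 is a documentation address.
    samples = (socks4_connect("192.0.2.10", 443), socks5_connect("example.org", 443))
    for req in samples:
        print(req.hex(), describe(req))
```

With SOCKSv4 the browser looks up every host name on the local network before it contacts the proxy, so the names of the sites you visit stay visible there. In Firefox the SOCKSv5 host-name form is used only when ‘Proxy DNS when using SOCKS v5’ is enabled.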