Monday, August 13, 2012

SSH tunneling on a mac in 5 minutes

This blog post is brought to you by the SEA-TAC Airport's free public wifi -- and all of the potential snoops who could be listening over the wire. This technique also defeats internet censorship at your school or oppressive country.

Here's a quick guide for tunneling all of your traffic over SSH when you're on public wifi or behind a firewall that has port 22 open. All of your traffic will be encrypted with SSH between you and your web server, which will make the requests on your behalf.

What you'll need:

1. SSH access to a machine connected to the outside internet. If you don't have an SSH web server, now is a good time to recommend the free shell access provider Silence is Defeat.
2. Some sort of SSH client. In this case we'll use the default provided with mac. If you're using windows then stop reading and go here.
Open up your terminal and pick a non-privileged port, in this case we'll use 8888.

Here's the command that allows the tunnel. It's very simple:

$ ssh -D 8888 -vv

Make the obvious repalcements. The "-D" says to SSH to use this port for application level port forwarding. Here's a snippet from the SSH man page explaining the relevant magic:
Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.  Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server.  Only root can forward privileged ports.  Dynamic port forwardings can also be specified in the configuration file.
And the "-vv" argument tells SSH to use extra verbose output. This basically just affirms that things are working, but it is fun to watch.

Once it's connected, you'll need to set up a web browser to use the socks5 proxy. I keep Firefox on my mac just for this.

1. Go to preferences, and select the "Advanced" tab.
2. Select "Network" button and choose "Settings"
3. Select "Manual proxy configuration" and under "SOCKS Host", you're going to put your local loopback address ( and the port you selected when you opened up the proxy
Settings for mac SSH tunneling.

Then click OK. The rest of the settings you can leave at default. To verify the tunnel is working, I like to use IP Geolocation and see where it says my request server is located before and after the tunnel.

Before using the SOCKS5 tunnel

After. Please note: that's the other Washington.
Look at that, the internet thinks I'm located in a datacenter in Washington, DC! Any traffic firefox uses will go back to your local tunnel to your webserver and out into the world, coming back in the same way it went out. Go ahead and browse facebook at work now, or become a Chinese dissident blogger.

I like to leave these settings as the default settings in Firefox. Then, when I want to start a tunnel, I just run that command in terminal and switch to using Firefox for awhile.  The instructions should work for Chrome or Internet Explorer as well.

No comments:

Post a Comment