I don’t know where I’d be without OpenSSH. I feel at home at the command line, and use ssh daily for remote access to my servers. When I need to transfer files quickly I use scp, or sftp if I need something a little fancier. Since my desktop machine runs Windows, I use PuTTY and FileZilla to get most of my work done.
There are some uses for ssh that go a little bit deeper though, and one of the coolest I’ve come across is making ssh tunnels. These are handy in a number of situations. I typically use a tunnel to surf when I’m on my laptop at some public wifi hotspot or some other untrusted network. You can use a tunnel to anonymize your connection (to a certain degree), or simply to make your requests appear as if coming from another source. Do you use Linux? Windows? On a Mac? It doesn’t matter. Using an SSH client and Firefox, you can set up an encrypted tunnel pretty easily and surf as much as you want, secure in the knowledge that nobody can peek at your traffic within the tunnel.
Here’s what you’ll need:
- An ssh server – This could be a server sitting at home on your network, a colocated machine somewhere else, or just a server that you have access to via SSH. As long as it’s running sshd and you have an account on the box, you should be fine (but you might want to check if this is ok with the owner if it’s not your server)
- An ssh client – I use PuTTY on Windows, or the command-line ssh clients for Linux and Mac OS X
- Firefox – You should be able to use almost any browser to do this, but to keep things brief (and because I happen to like it), I’m going to stick with Firefox for this article
We’re going to use our ssh client to create a tunnel between our computer and the ssh server, and then we’ll configure Firefox to use that tunnel as a proxy. Pretty simple, right? All the traffic between your computer and the ssh server will be encrypted (great if you don’t trust your local network, e.g. a public wifi hotspot) and all of your requests will appear as if they originated from the ssh server machine.
Setting up the tunnel using PuTTY on Windows
- Open PuTTY
- In the left-hand window, navigate down to the SSH > Tunnel menu
- Click the “Dynamic” radio box, then enter 9999 in the Source Port box
- Click the Add button
- You should see “D9999” pop into the box in the middle of that menu
- In the left-hand window, navigate to the Session menu
- For hostname, enter the IP or hostname of the ssh server that you’re connecting to
- In the Saved Sessions box below, name your session and click the Save button
- Double-click your saved session to connect
- Log in with your username and password
If you’ve logged in successfully, then PuTTY has also created your SSH tunnel in the background.
Setting up the tunnel using the command-line ssh client on Linux or Mac OS X
This is even easier than setting it up on Windows:
- Open a terminal window
- Run ssh: ssh -D 9999 -N user@host
- Log in with your password
The -N option tells ssh not to execute any remote commands. If the connection is successful and your password was right, you won’t see a prompt – the tunnel is there though.
Configuring Firefox to use your tunnel
We now have our ssh tunnel created using port 9999 on our local machine. Any connections to localhost port 9999 will be forwarded through the tunnel. All that’s left to do now is to configure Firefox to use localhost as a proxy! Before we start, open a tab in Firefox and go to http://whatsmyip.org/. Your IP address is listed at the top. Leave this tab open since we’ll be using it to verify that we’ve configured Firefox correctly after completing the following steps.
- In Firefox’s Preferences menu, navigate to the Advanced tab
- Open the Network sub-tab
- Under the Connection heading, click the Settings button
- Change the radio box from No Proxy to Manual Proxy Configuration
- Near the bottom, enter localhost into the SOCKS Host box and 9999 into the corresponding Port box
- Click Ok to save your settings
- For an added layer of security, type “about:config” into your address bar. You may be prompted with a warning, click through this since we know what we’re doing ;)
- Search for the line that says network.proxy.socks_remote_dns and change its value to true by double-clicking it. This will cause Firefox to do its DNS lookups through the tunnel as well
And you’re done! Refresh your whatsmyip.org tab and you should notice that your IP address has changed. All of your traffic is now being routed through the secure tunnel between you and the ssh server. Note that your traffic will NOT be encrypted once it comes out at the other end of the tunnel (unless you’re connecting to a site via HTTPS).
As long as your SSH connection is open your tunnel will be functional and you’ll be able to browse normally. Once you close that connection, Firefox won’t work! All you need to do is go back to the Preferences menu outlined above and set the network configuration back to No Proxy.
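To see what network.proxy.socks_remote_dns changes on the wire, here is an added example (not part of the original article) that builds the SOCKS5 CONNECT request both ways and can probe the tunnel on localhost:9999. The function names are made up for this sketch, and example.com is a placeholder destination.

```python
import socket
import struct

VER, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 1, 1, 3


def build_connect_request(host, port, remote_dns=True):
    """SOCKS5 CONNECT request (RFC 1928) as the browser would send it."""
    if remote_dns:
        # Hostname goes into the tunnel; the ssh server does the lookup.
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # Lookup happens on the local network before the tunnel is used.
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    return bytes([VER, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def request_leaks_dns(request):
    """True when the request carries an address resolved outside the tunnel."""
    if len(request) < 4 or request[0] != VER:
        raise ValueError("not a SOCKS5 request")
    return request[3] != ATYP_DOMAIN


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def check_tunnel(host, port=443, proxy=("127.0.0.1", 9999)):
    """Ask the ssh -D listener to reach host:port using remote DNS."""
    with socket.create_connection(proxy, timeout=10) as s:
        s.sendall(bytes([VER, 1, 0]))  # greeting: one method, "no auth"
        if _recv_exact(s, 2) != bytes([VER, 0]):
            return False
        s.sendall(build_connect_request(host, port, remote_dns=True))
        return _recv_exact(s, 4)[1] == 0  # REP 0x00 means "succeeded"


if __name__ == "__main__":
    # Needs the tunnel from this article listening on localhost:9999.
    print("tunnel reachable:", check_tunnel("example.com"))
```

With socks_remote_dns set to false, the browser sends the second form, so the hostname lookup itself still crosses the untrusted network in the clear even though the page traffic is tunneled.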
In addition to encrypting your browsing while connected to an untrusted network, you may also be able to do neat things like getting around IP-address based restrictions. For example, some video sites will only let you view a video if you’re in a certain country. If you’re not in that country but have access to a server located inside it, you can use this method to make your requests appear as if they originate from the right place :).
Happy SSHing!

Hi! I thought this was really useful, so I linked to it today.
One thing to add to the instructions for browser configuration, you need to manually delete any host you may have entered in the past into the proxy settings for other protocols, such as http. If these other fields have a host entered this will not work. Most people don’t have this problem, but I change my proxy settings frequently and ran into the issue.
Thanks Matt, you’re right – I didn’t think of this because I myself have never used the other fields.
This is one of the most awesome tips I’ve ever seen…It just solved about a million annoyances I’ve been experiencing :-)
Glad to hear Jason. :)
Hi,
Again, you have come with a very high quality post.
Thank you for sharing, and keep the great work.