Advanced OS X: Surf a Secure Tunnel via SSH
So there you are in your cubicle at work utilizing your employer’s expensive internet connection for everything except something that can actually justify your pay check. This is a good enough time to do some power ebaying, youtubing, or hell even some chatty chat with that sexy new bit on the side. It doesn’t get any better than this right? To actually get paid to surf the internet whilst firing off a reply to the occasional email, to keep up the guise of you actually being alert and attentive to the various happenings at work. Imagine if your poor sap of a boss actually knew what you were up to!
Guess what, chances are he does. Or is about to.
There’s always some little weasel of a sys-admin just waiting to inform “the man” of just how much time you, his star employee, are actually NOT spending justifying that paycheck. Just imagine when the schmuck presents ream after ream of printed logs of your questionable online antics. IRC, MSN Messenger, AOL Messenger, YouTube, pr0n, and the list goes on. You get the picture. Now before you fire up Monster.com on your soon to be former employer’s dime, there is thankfully an answer.
SSH Tunneling
The concept is simple. All your activities are sent through an encrypted SSH tunnel to some remote server which in turn does all the dirty work (so to speak). The beauty of course is that all that nuisance of a sys admin can ever see is a bunch of encrypted traffic.
Now here’s what you need:
- OpenSSH client (thankfully OS X has this built in!)
- access to an OpenSSH server
For item 2 we are going to assume you have access to an offsite server somewhere that you can log in to via SSH. Perhaps you have a dedicated server at a hosting company? Maybe a Linux or FreeBSD box at home. You could even run an OpenSSH server on a Windows machine. Of course you could also use the Mac you have at home too! If you really don’t have access to a fast box to surf via, Google will likely lead to some free solutions. The only caveat to whatever box you use as a server is that it has to be configured to allow you to log in via ssh. That’s it, that’s all.
Now, in case you aren’t grasping this: the “client” is your computer at work; the “server” is the other machine we will tunnel to.
Getting Started
First you will need to create the tunnel. We need to know the name or IP address of the server you will be tunneling to, as well as your login name and password on that server. For this example we will assume your login name is william and the server name is www.myserver.com.
Now enter the following into your terminal window.
ssh -D 8080 -f -C -q -N william@www.myserver.com

You will then be prompted for your password, which you should enter. That’s it! Your ssh tunnel is in place!
A quick synopsis of what those switches mean is as follows:
-D 8080 : Dynamic port forwarding. ssh listens on local port 8080 and behaves as a SOCKS server, sending every connection that arrives there through the encrypted tunnel and out from the remote server. Of course you could use any non-privileged port here (above 1023).
-f : This will fork the process into the background after you type your password.
-C : Turns on compression.
-q : Quiet mode. Since this is just a tunnel we can make it quiet.
-N : Tells ssh not to run a remote command, just forward ports. (-f will complain if we don’t specify this.)
So now that the tunnel is made we will need to configure Firefox to use this tunnel. Since we are cool we will dispense with the GUI config tool and just configure it directly. To do this open Firefox and type the following into the address bar:
about:config
You will see a LOT of config options so you will need to filter it a bit. Type “proxy” into the filter bar.
You will see something like this.

We are interested in these 6 items set to the following values:
network.proxy.no_proxies_on : localhost, 127.0.0.1, 192.168.0.0/24, .yourcompany.com
network.proxy.socks : 127.0.0.1
network.proxy.socks_port : 8080
network.proxy.socks_remote_dns : true
network.proxy.socks_version : 5
network.proxy.type : 1

network.proxy.no_proxies_on
This specifies which addresses etc. to NOT use the proxy (tunnel) with. At a bare minimum it should have “localhost, 127.0.0.1”. I added 192.168.0.0/24 as an example of the subnet address range I have at work. I obviously wouldn’t want to go through the tunnel if I am trying to get to a local address! That just wouldn’t work at all. The same would hold true if your company used a local DNS server to resolve host names of computers on your local subnet. In that case you would also want to add something like “.mycompany.com”, which would NOT use the tunnel for any address in the “mycompany.com” domain.
network.proxy.socks
The IP Address of your SOCKS proxy (tunnel). In this case your local machine (127.0.0.1)
network.proxy.socks_port
The port number you assigned to the tunnel. 8080 in our example.
network.proxy.socks_remote_dns
This part is important because even though your traffic would be encrypted through the tunnel, that pesky sysadmin could still see you were doing DNS lookups for GirlsGoneWild.com! Setting this to “true” makes Firefox hand the hostname to the SOCKS proxy, so the name is resolved at the far end of the tunnel and all your DNS traffic goes through it too. This feature is only supported on SOCKS5, so if your SOCKS server only supports SOCKS4 then you’re out of luck with this feature. (The SOCKS server here is the ssh process on your own Mac, and OpenSSH’s -D supports both versions, so you should be fine.)
network.proxy.socks_version
Self explanatory. Try to use version 5 if you can. If for some reason your remote server doesn’t support this version then use version 4 instead.
network.proxy.type
This basically turns all this stuff on or off. 1 = on. 0 = off. If for some reason you need to stop using a proxy then just set this to “0”. You can still leave all the other stuff set as it will just be ignored until you set this to “1” again.
Well that’s it! Open Firefox and go to whatismyip. If you see the IP of your remote server then hallelujah THE MAN is finally off your back! If you see the address you usually get (the address of your company firewall) then something went wrong. Go back and double check that you did everything correctly. Also in a terminal check that your tunnel is still up.
ps aux | grep '[s]sh -D'

If you don’t see the command you used to open the tunnel then it has closed and you will need to re-open it again.
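To show what the remote_dns setting changes on the wire, and to give a second way of checking that the tunnel really is a working SOCKS5 proxy, here is an added example that is not part of the original article: a minimal SOCKS5 client in Python that does exactly what Firefox does when it talks to the ssh listener on 127.0.0.1:8080. The IP-check hostname ifconfig.me in check_tunnel() is an assumption; swap in whichever service you prefer.

```python
import socket
import struct

SOCKS5_VERSION = 0x05
ATYP_IPV4 = 0x01     # client already resolved the name, sends 4 raw bytes
ATYP_DOMAIN = 0x03   # client sends the hostname, proxy end resolves it
REPLY_NAMES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
               3: "network unreachable", 4: "host unreachable", 5: "connection refused",
               6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def greeting() -> bytes:
    # Version 5, one auth method offered: 0x00 (no authentication), which is
    # what the local `ssh -D` listener expects.
    return bytes([SOCKS5_VERSION, 0x01, 0x00])


def connect_request(host: str, port: int, remote_dns: bool = True) -> bytes:
    """Build a SOCKS5 CONNECT request (VER CMD RSV ATYP DST.ADDR DST.PORT).
    remote_dns=True sends the hostname itself (ATYP 0x03): the SSH server
    resolves it, which is what network.proxy.socks_remote_dns = true does.
    remote_dns=False resolves the name locally and sends an IPv4 literal
    (ATYP 0x01); that local lookup is the DNS query a sysadmin can still log."""
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    return bytes([SOCKS5_VERSION, 0x01, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple:
    """Return (REP code, human-readable name) from a SOCKS5 reply."""
    if len(data) < 4 or data[0] != SOCKS5_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1], REPLY_NAMES.get(data[1], "unknown")


def check_tunnel(local_port: int = 8080, host: str = "ifconfig.me") -> str:
    """Fetch your egress address through the tunnel, name resolved remotely.
    Raises with a clear message if nothing SOCKS5-shaped answers on local_port."""
    try:
        s = socket.create_connection(("127.0.0.1", local_port), timeout=10)
    except ConnectionRefusedError:
        raise RuntimeError("nothing listening on 127.0.0.1:%d; is the tunnel up?" % local_port)
    with s:
        s.sendall(greeting())
        if s.recv(2) != bytes([SOCKS5_VERSION, 0x00]):
            raise RuntimeError("listener on port %d is not a SOCKS5 proxy" % local_port)
        s.sendall(connect_request(host, 80, remote_dns=True))
        code, name = parse_reply(s.recv(10))   # reply with IPv4 BND.ADDR is 10 bytes
        if code != 0:
            raise RuntimeError("SOCKS5 CONNECT failed: " + name)
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            b = s.recv(4096)
            if not b:
                break
            chunks.append(b)
    body = b"".join(chunks).split(b"\r\n\r\n", 1)[-1]
    return body.decode(errors="replace").strip()
```

If check_tunnel() prints the address of your remote server, the tunnel is up and names are being resolved at the far end; if the request fails before the greeting is answered, the ssh process from the ps check above has gone away.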
Now back to the bit on the side. You can also configure MSN, Yahoo, AOL, Thunderbird etc. to use the same tunnel (no need for opening any more). Just go and configure their particular connection settings to use a SOCKS proxy too!
There’s a lot more that can be done from here, like configuring things on the server for keeping the connection alive, as there are some cases where your network will cause things to time out. You could also set up your server to allow a key-based login so you could have your tunnel open when you start up your computer. For now we have covered just enough to get you going without overloading on too many superfluous concepts.
Happy secure tunneling!


There is one thing to keep in mind if you are trying to avoid the snooping eyes of your boss.
Apple Remote Desktop allows someone to view your desktop at all times to see what you’re doing. There are also a number of programs on the Windows side that allow this as well. If your work has one of these programs installed, surfing through a tunnel won’t protect you.
Just what the Doctor ordered. I tried this all just now, took me about 5 mins, and it has solved my YouTube problems. This is way better than some busy anonymous proxy server, and my speed watching youtube is actually pretty much the same as it was before. Awesome info.
Editing the about:config options seems rather time consuming. If you’re looking for a quick on-and-off method that will work with Firefox I highly recommend using the QuickProxy extension.
https://addons.mozilla.org/firefox/1557/
This has been one of my favorite secure browsing methods, and also a great way for a quick-n-easy VPN to a work machine if your employer allows SSH access.
I type in sshtunnel in the terminal and it runs my ssh tunnel command, then just open Firefox and click on the proxybutton extension. Boom! encryption. BTW glad to see you used the -D for dynamic, that’s the easiest way, seems like people online always want to map the ports.
I personally prefer http://www.ip-adress.com to check the ip address.
@purist: I fail to see how that matters.
@Doc Logic: Killer article. It’s essentially an instruction manual for building a personal proxy server. I tried this at my office, which uses some aggressive firewalling to keep staff ‘on the job’. Firefox is now designated my safe browser, and all of my questionable surfing happens through it now. Thanks!
When the system administrator sees all the SSH packets (in Ethereal) going to and from your machine, he is probably going to call the FBI instead of your boss… thinking something bad is going on … you’ll still have a lot of explaining to do. Besides, tunnelling through your home upload-crippled ISP connection kind of defeats the purpose of using a company broadband connection, doesn’t it?
Why not just set up a VPN? You don’t have to mess around with settings, you just fire it up and if you’re connecting to your home machine, you get access to everything on your home network.
As the “poor sap of a boss” at my company, I think the author takes some liberty in assuming that the “downtrodden worker” should be allowed to play around on the job. Of course, if the boss has performance goals and a job description with expectation, perhaps the lock down of the company network would not be needed.
At our workplace, we have an open network going out, but since the employees are motivated (for the most part) to perform in their jobs and enjoy the amenities of the Internet, things work in our company.
The person doing this should be fired and prosecuted. Not only are they violating the security policy of their employer, they are also opening their internal network to possible exploits. On top of this they are using the bandwidth of their company for things not related to work.
They might as well put a modem on their computer or order a DSL line to their cubicle to bridge the intranet to internet.
There’s also FoxyProxy , which allows you to set patterns that you want to go through your proxy.
For extra credit, why not go all the way and get a static IP via DynDNS or some such service. This way you won’t have to depend on some other public server out there.
Henkis – no, not necessarily. You don’t know about the security policy of every company, and this isn’t even a breach of it, as the traffic can only flow from the client machine to the server, not the other way round, as it would be if they had their own DSL modem on their desk
So I followed all the directions and I can’t bring up any webpages once the proxy is enabled. I’ve even tried different ports. The tunnel is up, though I am using a free shell account but I can’t seem to pass web traffic though it, any ideas?
I have the same problem as warwick. I registered a free shell account, set Firefox about:config, but webpages won’t open. I even tried a few different shell account providers and all open the ssh tunnel. Help?
@brokent: http://www.no-ip.com/services/managed_dns/free_dynamic_dns.html
warwick, mikko,
I guess the server needs to run a proxy-server to get it working while maybe not all free ssh accounts will have a proxy running.
I once set it up myself, and had to configure tinyproxy (or something similar) to connect to, through the tunnel.
Can all this be done automatically, say at boot up so that I always surf through an ssh tunnel by default? Even better, can all my network traffic be sent through an ssh tunnel?
It would be cool not to have to enter in the password to my server.
Just use a VPN. It’s muuuch better than SSH tunnelling, as it doesn’t rely on networked applications understanding the SOCKSv4 protocol – it works at the TCP/IP layer instead, so networked applications don’t need to know anything, and they still work. Plus, you can decide to not use the default gateway and just use it to access your home machine, and still allow normal internet/work use to go through the regular channels (if web monitoring isn’t a problem, and you just want to get your home files/services from work). I don’t know if OS X has a built-in VPN server, but Windows does. (stands back for flaming to start)
If you don’t have a server to SSH to these commands work with Anonymizer’s TNS product (since it’s just SSH tunneling).
http://www.google.com/search?q=total+net+shield
Don’t know why people can’t get this working. Worked a TREAT for me, even though I did it in Safari (actually, a WebKit nightly build).
I tested on two different connections, one being an ssh server in my office, from home. The other was with my free shell account from http://rootshell.be I highly recommend them for this task, and also as a good, free way to test things from outside your normal network (I’m one of those evil sysadmins the author seems to hate so much. That’s OK. We eat (L)user hatred for breakfast).
Thanks for the tip on the -D. I actually had no idea that ssh could act as a socks proxy. I’m continually amazed at the beautiful things that a simple sshd server can provide.
cheers
This has been published for quite a while now, and certainly bears repeating for those who do not have this handy trick in their toolbox.
However, the author mentioned that this could be a method to avoid an employer monitoring which websites are being visited. It will NOT do that, as all DNS requests will still show the websites visited and the workstation originating the request. You will need to use Privoxy or some other DNS proxy in addition to this. Granted, not too many people log DNS traffic, but it could show up in other systems if it is suspicious (intrusion detection / prevention devices).
However, it is still a great way to get past firewall / web filtering controls.
@SSH
Yeah, if someone uses encryption he must be doing something criminal. Just as if someone is locking his door…
4fthawaiian:
I got an account on the rootshell.be and now it works great. thanks!
@bahamat: … or you may use NetShade for the Mac or even roll your own like shown here: http://dresstosurvive.wordpress.com/2007/04/01/anonymizing-proxy-for-os-x/
Yeah … this would be ubercool … make a sequel on using SSH as SOCKS Proxy, http://www.dribin.org/dave/blog/archives/2004/11/22/ssh_socks
Great to hear it Mikko! It’s a fantastic great service. Spread the word
Fantastic FREE service I meant to say. Exhaustion = bad. Heh.
I wonder if this system can be used for doubling up on using services that limit downloads to one IP at a time. IOW, on the client, use Firefox+ssh and Safari without?
Would be nice if I could utilize SSH through our firewall but it only allows IP ranges on our Intranet, so no love from our Network Admins.
This is fairly common security practice in large corporations.
Thank you dude!
I can access Wikipedia from China now!
http://www.anonymity.ws – more useful links to tools and articles related to anonymity.
can you tell me how to tunnel SAMBA and vnc over ssh, I want to control a headless ubuntu box from a 10.4 Tiger laptop?
Hi
I followed these instructions, and I can get a tunnel up; however, I can’t get access to a webpage across it. Do I need to run a proxy at the end of the tunnel to fetch the page I request? If so, how do I get the output from the server end of the SSH tunnel to connect to the proxy?
Any help would be appreciated
Thanks
The tunnel is in effect a SOCKS proxy. Make sure your web browser is set up correctly to use the proxy (on localhost).
Best tool to check your IP address is: Ip address lookup . Gives you exact location and map.
Hello,…
I have installed Leopard on my PC, can use the described configuration…
Does anybody know what this command means?
ssh -l xRaid xxx.xxx.xxx.xxx
Hi, I am successfully using this, but it’s not working with multiple connections, so if I’m downloading a file via http, I can’t navigate on any other webpages before the download is complete. Is this a configuration somewhere?
It simply isn’t working for me.
I am using PuTTY, the Windows ssh client, at school. The home Mac is ready to accept ssh requests. I am able to log in via ssh port 80 to the home machine, but I can’t use the school browser if I change the proxy to localhost:port, when I redirect.
The article (and the others as well) doesn’t describe what kind of proxy runs on the Mac. Is it squid? Why is it 8080 or why 1080? Some sites state 1080.
thanks.
It’s not squid but SOCKS V5 (if Leopard).
The port you pick for -D doesn’t matter so long as it’s unused. 8080 is commonly for a user (not computer) level http server so I’d not use that. Whatever number you pick here must be set in the port number used by Network prefs or the browser. The reason it doesn’t matter (provided you don’t try to use a port already in use) is it’s all contained within the client computer.
The outbound port from client to server is not specified in the above. That’s done with -p switch and can be used to pick a port that a firewall does permit. 443 is likely open as that’s used for https: (secure web). The server setup has to be configured to listen there. Some routers support port forwarding with remapping so you could take the -p port into port 22 where the SSH server defaults to. Otherwise, you’ll have to reset the Mac sshd to use the -p specified. If you’re using a free/paid service, you’ll need to configure it based on what they say (and trust them with the data you’re sending)
I just wanted to point out Meerkat, a product I developed for easier tunneling on the Mac. It will do dynamic (-D) tunnels as well, and in combination with something like NetworkLocation, it could set up your Mac to use it automatically based on physical location.