Advanced OS X: Surf a Secure Tunnel via SSH
So there you are in your cubicle at work utilizing your employer’s expensive internet connection for everything except something that can actually justify your paycheck. This is a good enough time to do some power ebaying, youtubing, or hell even some chatty chat with that sexy new bit on the side. It doesn’t get any better than this, right? To actually get paid to surf the internet whilst firing off a reply to the occasional email, to keep up the guise of you actually being alert and attentive to the various happenings at work. Imagine if your poor sap of a boss actually knew what you were up to!
Guess what, chances are he does. Or is about to.
There’s always some little weasel of a sys-admin just waiting to inform “the man” of just how much time you, his star employee, are actually NOT spending justifying that paycheck. Just imagine when the schmuck presents ream after ream of printed logs of your questionable online antics. IRC, MSN Messenger, AOL Messenger, YouTube, pr0n, and the list goes on. You get the picture. Now before you fire up Monster.com on your soon to be former employer’s dime, there is thankfully an answer.
SSH Tunneling
The concept is simple. All your activities are sent through an encrypted SSH tunnel to some remote server which in turn does all the dirty work (so to speak). The beauty of course is that all that nuisance of a sys admin can ever see is a bunch of encrypted traffic.
Now here’s what you need:
- openSSH client. (thankfully OS X has this built in!)
- access to an openSSH server
For item 2 we are going to assume you have access to an offsite server somewhere that you can log in to via SSH. Perhaps you have a dedicated server at a hosting company? Maybe a Linux or FreeBSD box at home. You could even run an openSSH server on a Windows machine. Of course you could also use the Mac you have at home too! If you really don’t have access to a fast box to surf via, Google will likely lead to some free solutions. The only caveat to whatever box you use as a server is that it has to be configured to allow you to login via ssh. That’s it, that’s all.
Now, in case you aren’t grasping this: the “client” is your computer at work. The “server” is the other machine we will tunnel to.
Getting Started
First you will need to create the tunnel. We need to know the name or IP address of the server you will be tunneling to, as well as your login name and password on that server. For this example we will assume your login name is william and the server name is www.myserver.com.
Now enter the following into your terminal window.
ssh -D 8080 -f -C -q -N william@www.myserver.com

You will then be prompted for your password, which you should enter. That’s it! Your ssh tunnel is in place!
A quick synopsis of what those switches mean is as follows:
-D 8080 : Dynamic port forwarding. ssh listens on local port 8080 and behaves as a SOCKS server: every connection your browser makes to that port is carried through the encrypted tunnel and opened from the remote server. Of course you could use any non privileged port here (above 1023).
-f : This will fork the process into the background after you type your password.
-C : Turns on compression.
-q : Quiet mode. Since this is just a tunnel we can make it quiet.
-N : Tells it no remote command will be run. (ssh -f will complain if we don’t specify this, since it otherwise expects a command.)
So now that the tunnel is made we will need to configure Firefox to use this tunnel. Since we are cool we will dispense with the GUI config tool and just configure it directly. To do this open Firefox and type the following into the address bar:
about:config
You will see a LOT of config options so you will need to filter it a bit. Type “proxy” into the filter bar.
You will see something like this.

We are interested in these 6 items set to the following values:
network.proxy.no_proxies_on : localhost, 127.0.0.1, 192.168.0.0/24, .yourcompany.com
network.proxy.socks : 127.0.0.1
network.proxy.socks_port : 8080
network.proxy.socks.remote_dns : true
network.proxy.socks_version : 5
network.proxy.type : 1

network.proxy.no_proxies_on
This specifies which addresses etc. to NOT use the proxy (tunnel) with. At a bare minimum it should have “localhost, 127.0.0.1”. I added 192.168.0.0/24 as an example of the subnet address range I have at work. I obviously wouldn’t want to go through the tunnel if I am trying to get to a local address! That just wouldn’t work at all. The same would hold true if your company used a local DNS server to resolve host names of computers on your local subnet. In that case you would also want to add something like “.mycompany.com”, which would NOT use the tunnel for any address in the “mycompany.com” domain.
network.proxy.socks
The IP Address of your SOCKS proxy (tunnel). In this case your local machine (127.0.0.1)
network.proxy.socks_port
The port number you assigned to the tunnel. 8080 in our example.
network.proxy.socks.remote_dns
This part is important because even though your traffic would be encrypted through the tunnel, that pesky sysadmin could still see you were doing DNS lookups for GirlsGoneWild.com! Setting this to “true” sends all your DNS lookups through the tunnel too, so the name is resolved at the server end. This feature is only supported on SOCKS5, so if your remote server only supports SOCKS4 then you’re out of luck with this feature.
network.proxy.socks_version
Self explanatory. Try to use version 5 if you can. If for some reason your remote server doesn’t support this version then use version 4 instead.
network.proxy.type
This basically turns all this stuff on or off. 1 = on. 0 = off. If for some reason you need to stop using a proxy then just set this to “0”. You can still leave all the other stuff set as it will just be ignored until you set this to “1” again.
Well that’s it! Open Firefox and go to whatismyip. If you see the IP of your remote server then hallelujah THE MAN is finally off your back! If you see the address you usually get (the address of your company firewall) then something went wrong. Go back and double check that you did everything correctly. Also in a terminal check that your tunnel is still up.
ps -aux | grep ssh

If you don’t see the command you used to open the tunnel then it has closed and you will need to re-open it again.
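As an added illustration (not code from the original article): a short Python script showing what the remote_dns and no_proxies_on settings actually change on the wire. It builds the SOCKS5 CONNECT request Firefox sends to the ssh -D listener with and without remote DNS, decodes it the way the proxy end would, and approximates the bypass-list match; the address type constants follow RFC 1928, the matching rules and the sample addresses are assumptions, and nothing touches the network.

```python
"""SOCKS5 CONNECT requests as Firefox sends them to the ssh -D listener.

Added illustration, not code from the article. Constants follow RFC 1928;
the bypass-list matching is an approximation of Firefox's behaviour and the
sample hosts/addresses are constructed. Resolution goes through an
injectable resolver, so nothing here needs network access.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# The value the article suggests for network.proxy.no_proxies_on.
NO_PROXIES_ON = "localhost, 127.0.0.1, 192.168.0.0/24, .yourcompany.com"


def build_connect(host, port, remote_dns, resolver=socket.gethostbyname):
    """Return (request_bytes, locally_resolved_name).

    remote_dns=True: the hostname itself travels inside the SOCKS request
    (ATYP 3) and is resolved at the far end of the tunnel, so no DNS query
    leaves the client. remote_dns=False: the browser resolves the name first
    (a plaintext DNS query on the office network) and sends only the
    resulting IPv4 address (ATYP 1).
    """
    head = struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0)
    if remote_dns:
        name = host.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
        resolved = None
    else:
        ip = resolver(host)  # the lookup a DNS log would record
        body = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(ip).packed
        resolved = host
    return head + body + struct.pack("!H", port), resolved


def parse_connect(req):
    """Decode a CONNECT request the way the SOCKS end of the tunnel would."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        dst, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dst, end = req[5:5 + n].decode("ascii"), 5 + n
    elif atyp == ATYP_IPV6:
        dst, end = str(ipaddress.IPv6Address(req[4:20])), 20
    else:
        raise ValueError("unknown address type %d" % atyp)
    (port,) = struct.unpack("!H", req[end:end + 2])
    return {"atyp": atyp, "dst": dst, "port": port}


def should_bypass(host, no_proxies_on=NO_PROXIES_ON):
    """Approximate Firefox's bypass-list match (assumed rules): an exact
    hostname, a leading-dot domain suffix, a literal address, or a CIDR range.
    True means the connection goes out directly, NOT through the tunnel."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for entry in (e.strip().lower() for e in no_proxies_on.split(",")):
        if not entry:
            continue
        if "/" in entry:
            if addr is not None and addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    for flag in (True, False):
        req, leak = build_connect("example.com", 443, flag,
                                  resolver=lambda h: "192.0.2.10")  # constructed
        print("remote_dns=%-5s local lookup=%s proxy sees=%s"
              % (flag, leak, parse_connect(req)))
    for h in ("intranet.yourcompany.com", "192.168.0.17", "www.example.com"):
        print("%-26s bypass tunnel: %s" % (h, should_bypass(h)))
```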
Now back to the bit on the side. You can also configure MSN, Yahoo, AOL, Thunderbird etc. to use the same tunnel (no need for opening any more). Just go and configure their particular connection settings to use a SOCKS proxy too!
There’s a lot more that can be done from here, like configuring things on the server for keeping the connection alive, as there are some cases where your network will cause things to time out. You could also set up your server to allow a key based login so you could have your tunnel open when you start up your computer. For now we have covered just enough to get you going without overloading on too many superfluous concepts.
Happy secure tunneling!
There is one thing to keep in mind if you are trying to avoid the snooping eyes of your boss.
Apple Remote Desktop allows someone to view your desktop at all times to see what you’re doing. There are also a number of programs on the windows side that allow this as well. If your work has one of these programs installed, surfing through a tunnel won’t protect you.
Just what the Doctor ordered. I tried this all just now, took me about 5 mins, and it has solved my YouTube problems. This is way better than some busy anonymous proxy server, and my speed watching youtube is actually pretty much the same as it was before. Awesome info.
Editing the about:config options seems rather time consuming. If you’re looking for a quick on-and-off method that will work with firefox I highly recommend using the QuickProxy extension.
https://addons.mozilla.org/firefox/1557/
This has been one of my favorite secure browsing methods, and also a great way for a quick-n-easy VPN to a work machine if your employer allows SSH access.
I type in sshtunnel in the terminal and it runs my ssh tunnel command, then just open Firefox and click on the proxybutton extension. Boom! encryption. BTW glad to see you used the -D for dynamic, that’s the easiest way, seems like people online always want to map the ports.
I personally prefer http://www.ip-adress.com to check the ip address.
@purist: I fail to see how that matters.
@Doc Logic: Killer article. It’s essentially an instruction manual for building a personal proxy server. I tried this at my office, which uses some aggressive firewalling to keep staff ‘on the job’. Firefox is now designated my safe browser, and all of my questionable surfing happens through it now. Thanks!
When the system administrator sees all the SSH packets (in Ethereal) going to and from your machine, he is probably going to call the FBI instead of your boss… thinking something bad is going on … you’ll still have a lot of explaining to do. Besides, tunnelling through your home upload-crippled ISP connection kind of defeats the purpose of using a company broadband connection, doesn’t it?
Why not just set up a VPN? You don’t have to mess around with settings, you just fire it up and if you’re connecting to your home machine, you get access to everything on your home network.
As the “poor sap of a boss” at my company, I think the author takes some liberty in assuming that the “downtrodden worker” should be allowed to play around on the job. Of course, if the boss has performance goals and a job description with expectation, perhaps the lock down of the company network would not be needed.
At our workplace, we have an open network going out, but since the employees are motivated (for the most part) to perform in their jobs and enjoy the amenities of the Internet, things work in our company.
The person doing this should be fired and prosecuted, not only are they violating the security policy of their employer, they are also opening their internal network to possible exploits. On top of this they are using the bandwidth of their company for things not related to work.
They might as well put a modem on their computer or order a DSL line to their cubicle to bridge the intranet to internet.
There’s also FoxyProxy, which allows you to set patterns that you want to go through your proxy.
For extra credit, why not go all the way and get a static IP via DynDNS or some such service. This way you won’t have to depend on some other public server out there.
Henkis – no, not necessarily. You don’t know about the security policy of every company, and this isn’t even a breach of it, as the traffic can only flow from the client machine to the server, not the other way round, as it would be if they had their own DSL modem on their desk.
So I followed all the directions and I can’t bring up any webpages once the proxy is enabled. I’ve even tried different ports. The tunnel is up, though I am using a free shell account, but I can’t seem to pass web traffic through it. Any ideas?
I have the same problem as warwick. I registered a free shell account, set Firefox about:config but webpages won’t open. I even tried a few different shell account providers and all open the ssh tunnel. Help?
@brokent: http://www.no-ip.com/services/managed_dns/free_dynamic_dns.html
warwick, mikko,
I guess the server needs to run a proxy-server to get it working while maybe not all free ssh accounts will have a proxy running.
I once set it up myself, and had to configure tinyproxy (or something similar) to connect to, through the tunnel.
Can all this be done automatically, say at boot up so that I always surf through an ssh tunnel by default? Even better, can all my network traffic be sent through an ssh tunnel?
It would be cool not to have to enter in the password to my server.
Just use a VPN. It’s muuuch better than SSH tunnelling, as it doesn’t rely on networked applications understanding the SOCKSv4 protocol – it works at the TCP/IP layer instead, so networked applications don’t need to know anything, and they still work. Plus, you can decide to not use the default gateway and just use it to access your home machine, and still allow normal internet/work use to go through the regular channels (if web monitoring isn’t a problem, and you just want to get your home files/services from work). I don’t know if OS X has a built-in VPN server, but Windows does. (stands back for flaming to start)
If you don’t have a server to SSH to these commands work with Anonymizer’s TNS product (since it’s just SSH tunneling).
http://www.google.com/search?q=total+net+shield
Don’t know why people can’t get this working. Worked a TREAT for me, even though I did it in Safari (actually, a WebKit nightly build).
I tested on two different connections, one being an ssh server in my office, from home. The other was with my free shell account from http://rootshell.be I highly recommend them for this task, and also as a good, free way to test things from outside your normal network (I’m one of those evil sysadmins the author seems to hate so much. That’s OK. We eat (L)user hatred for breakfast).
Thanks for the tip on the -D. I actually had no idea that ssh could act as a socks proxy. I’m continually amazed at the beautiful things that a simple sshd server can provide.
cheers
This has been published for quite a while now, and certainly bears repeating for those who do not have this handy trick in their toolbox.
However, the author mentioned that this could be a method to avoid an employer monitoring which websites are being visited. It will NOT do that, as all DNS requests will still show the websites visited and the workstation originating the request. You will need to use Privoxy or some other DNS proxy in addition to this. Granted, not too many people log DNS traffic, but it could show up in other systems if it is suspicious (intrusion detection / prevention devices).
However, it is still a great way to get past firewall / web filtering controls.
@SSH
Yeah, if someone uses encryption he must be doing something criminal. Just as if someone is locking his door…
4fthawaiian:
I got an account on rootshell.be and now it works great. Thanks!
@bahamat: … or you may use NetShade for the Mac or even roll your own like shown here: http://dresstosurvive.wordpress.com/2007/04/01/anonymizing-proxy-for-os-x/
Yeah … this would be ubercool … make a sequel on using SSH as SOCKS Proxy, http://www.dribin.org/dave/blog/archives/2004/11/22/ssh_socks
Great to hear it Mikko! It’s a fantastic great service. Spread the word
Fantastic FREE service I meant to say. Exhaustion = bad. Heh.
I wonder if this system can be used for doubling up on using services that limit downloads to one IP at a time. IOW, on the client, use Firefox+ssh and Safari without?
Would be nice if I could utilize SSH through our firewall but it only allows IP ranges on our Intranet, so no love from our Network Admins.
This is fairly common security practice in large corporations.
Thank you dude!
I can access Wikipedia from China now!
http://www.anonymity.ws – more useful links to tools and articles related to anonymity.
Can you tell me how to tunnel Samba and VNC over ssh? I want to control a headless Ubuntu box from a 10.4 Tiger laptop.
Hi
I followed these instructions, and I can get a tunnel up, however, I can’t get access to a webpage across it. Do I need to run a proxy at the end of the tunnel to fetch the page I request? If so, how do I get the output from the server end of the SSH tunnel to connect to the proxy?
Any help would be appreciated
Thanks
The tunnel is in effect a SOCKS proxy. Make sure your web browser is set up correctly to use the proxy (on localhost).
Hello,…
I have installed Leopard on my PS, and can use the described configuration…
Does anybody know what this command means?
ssh -l xRaid xxx.xxx.xxx.xxx
Hi, I am successfully using this, but it’s not working with multiple connections, so if I’m downloading a file via http, I can’t navigate on any other webpages before the download is complete. Is this a configuration somewhere?
It simply isn't working for me.
I am using PuTTY, the Windows ssh client, at school. The home Mac is ready to accept ssh requests. I am able to log in via ssh on port 80 to the home machine, but I can’t use the school browser if I change the proxy to localhost:port, when I redirect.
The article (and the others as well) doesn’t describe what kind of proxy runs on the Mac. Is it squid? Why is it 8080, or why 1080? Some sites state 1080.
thanks.
It’s not squid but SOCKS V5 (if Leopard).
The port you pick for -D doesn’t matter so long as it’s unused. 8080 is commonly for a user (not computer) level http server so I’d not use that. Whatever number you pick here must be set in the port number used by Network prefs or the browser. The reason it doesn’t matter (provided you don’t try to use a port already in use) is it’s all contained within the client computer.
The outbound port from client to server is not specified in the above. That’s done with the -p switch and can be used to pick a port that a firewall does permit. 443 is likely open as that’s used for https: (secure web). The server setup has to be configured to listen there. Some routers support port forwarding with remapping so you could take the -p port into port 22 where the SSH server defaults to. Otherwise, you’ll have to reset the Mac sshd to use the -p specified. If you’re using a free/paid service, you’ll need to configure it based on what they say (and trust them with the data you’re sending).
I just wanted to point out Meerkat, a product I developed for easier tunneling on the Mac. It will do dynamic (-D) tunnels as well, and in combination with something like NetworkLocation, it could set up your Mac to use it automatically based on physical location.
THANKS!!! This allowed me to remotely access the web-based firewall management at my office and route screen sharing to the mac of my choice. Saved me a trip to the office…. owe you a beer -
Just came by to say thanks for this
Thanks for the helpful article, I always forget again and have to look it up, but this time I got it back up in a jiffy AND learned some new tricks :
-f -C -q -N
my question is with:
-q
because now there is an sshd process running on my remote machine, even though I rebooted my client… From what I can find online in a rush it is dangerous to kill a forked process. Other than rebooting, how can I get the sshd process on the host to quit?
PS
instead of -D, I use -L, well detailed in this article: http://manas.tungare.name/blog/ssh-port-forwarding-on-mac-os-x/
a combination of that and yours might make the perfect introduction or refresher on ssh tunneling/port-forwarding! Thanks again!
ahck!
I mean to ask about:
-f
not -q!!!!
basically, after we fork a ssh session, it can’t be closed by typing “logout” on the client… how do we do that? thanks again!
Will