SSH Tunneling on public networks

I’ve been traveling a bit this week, which means I’ve also been accessing the net on untrusted networks. For general web surfing this doesn’t bother me, but when it comes to editing my blogs or accessing any web service that doesn’t authenticate over SSL, I’d feel better knowing my passwords weren’t floating past some coffee shop’s network admin in clear text. Fortunately, there’s an easy solution: SSH tunneling.

There’s plenty of information online describing how SSH tunneling works and how to set it up, but not surprisingly, it takes a bit of Googling to find concise, step-by-step instructions that actually work. So here we go: Erik’s Three-Step Plan for Looking Like You Know What You’re Doing SSH Tunneling. (For the record, I’m using a PowerBook running OS X, tunneling to a server running Ubuntu Linux.)

[STEP 1] On the remote server I’m running Privoxy (an HTTP proxy). On a Debian/Ubuntu box, getting Privoxy running is as complicated as typing: sudo apt-get install privoxy

[STEP 2] Assuming you can SSH into your remote server (i.e., no firewall blockage), launch Terminal.app and issue something like this: ssh -N -L 8118:127.0.0.1:8118 remoteuser@serveraddress (changing “remoteuser” and “serveraddress” appropriately). With the -N flag you still need to authenticate with the server, but you won’t actually get a command prompt: the window will just look like nothing’s happening.

[STEP 3] Tell your browser to use a proxy for HTTP and HTTPS running at 127.0.0.1 on port 8118.

You’re done! You can now hit WhatIsMyIP to see it working.
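The three steps above, wrapped in a small POSIX sh helper. This is an added example, not from the post: it builds the same ssh -N -L tunnel with two extra options (fail loudly if the forward cannot be set up, and refuse unknown or changed host keys, which is the check that protects you from a spoofed server on an untrusted network), binds the local end explicitly to loopback, and then compares the public address seen with and without the proxy so you can confirm the tunnel is actually carrying traffic. remoteuser@serveraddress, IP_CHECK_URL and the LOCAL_PORT default are placeholders to fill in (use 8119 or similar if a local Privoxy already owns 8118).

```shell
#!/bin/sh
# Added helper (not the post's own code): tunnel from STEP 2 with safer
# defaults plus a check that the proxy really is in use.
# remoteuser@serveraddress and IP_CHECK_URL are placeholders to fill in.

LOCAL_PORT="${LOCAL_PORT:-8118}"                # port the browser will use
REMOTE_PROXY="${REMOTE_PROXY:-127.0.0.1:8118}"  # Privoxy as reached from the server itself
SSH_TARGET="${SSH_TARGET:-remoteuser@serveraddress}"
IP_CHECK_URL="${IP_CHECK_URL:-https://ip-check.invalid/}"  # placeholder: any "what is my IP" page

# Forward spec with an explicit loopback bind, so the tunnel entry point is
# never reachable by other machines on the untrusted LAN.
forward_spec() {
    printf '127.0.0.1:%s:%s' "$1" "$2"
}

# -N: no remote shell, -f: background once authenticated,
# ExitOnForwardFailure: exit instead of silently running without the forward,
# StrictHostKeyChecking=yes: refuse unknown or changed host keys.
tunnel_cmd() {
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -L %s %s' \
        "$(forward_spec "$1" "$2")" "$3"
}

# Fetch the public address directly and through the local proxy port; the two
# must differ, otherwise the browser-side proxy setting is not doing anything.
verify_tunnel() {
    direct=$(curl -s --max-time 10 "$IP_CHECK_URL")
    proxied=$(curl -s --max-time 10 -x "http://127.0.0.1:$1" "$IP_CHECK_URL")
    if [ -z "$proxied" ]; then
        echo "proxy on 127.0.0.1:$1 is not answering" >&2
        return 1
    fi
    if [ "$direct" = "$proxied" ]; then
        echo "same public address with and without proxy: tunnel not in use" >&2
        return 1
    fi
    echo "tunnelled: public address is $proxied (direct would be $direct)"
}

# Only bring the tunnel up when explicitly asked, so sourcing the file is harmless.
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
    # The command string is built solely from the variables above.
    eval "$(tunnel_cmd "$LOCAL_PORT" "$REMOTE_PROXY" "$SSH_TARGET")"
    verify_tunnel "$LOCAL_PORT"
fi
```

Run it with RUN_TUNNEL=1 after setting SSH_TARGET and IP_CHECK_URL; the browser proxy setting from STEP 3 stays the same, pointing at 127.0.0.1 and LOCAL_PORT.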

Of course, just like other three-step programs, there’s a little fine print and a few extra details that might be helpful to know:

  1. Privoxy is an HTTP proxy, which, translated, means that instead of your browser asking a server for a web page, it asks Privoxy, and Privoxy relays the request and passes the resulting content back your way. Using a proxy is handy when: (1) you want to tunnel your browsing activity, and/or (2) you’d like the proxy to do some content manipulation for you (which is what Privoxy was written to do). This content manipulation can be anything you want, but most of the time it means stripping out advertisements and possibly cleaning up bad HTML before the browser sees it.
  2. If you haven’t used Privoxy before, you might want to read the docs and poke around in the config files to tweak as needed.
  3. By default Privoxy listens on port 8118, hence the 8118:127.0.0.1:8118 mapping in the ssh command: local port 8118 is forwarded to port 8118 on the server’s loopback interface, where Privoxy is listening.
  4. Save yourself some time by storing your proxy settings for future toggling. To cover most OS X apps, create a new Network Location for this: go to Apple Menu / Location / Network Preferences to create a new location profile, then toggle it from the Location menu under the Apple menu. Firefox ignores the system-wide proxy settings, so you’ll need to enter the settings directly in Firefox’s Preferences or install the SwitchProxy Firefox plugin, which adds a pop-up menu for proxy switching to the Firefox status bar.

Happy Surfing!

2 thoughts on “SSH Tunneling on public networks”

  1. Hello Erik!

    Thanks for your article. Here are some modifications that I made (may be useful to your readers).

    As I normally run Privoxy on my laptop, I needed to set a different local port than 8118 (because the local privoxy uses the 8118). So I do:
    ssh -N -f -L 8119:127.0.0.1:8118 remoteuser@serveraddress

    (Also added the -f to put the process to background).
    Then, I set in the browser a proxy 127.0.0.1:8119.

    Additionally, as I have a lot of customized filters, I want the remote computer to filter nothing, and the filtering to be done by the local Privoxy. On the local computer, in /etc/privoxy/config (on GNU/Linux) I set the line
    forward / 127.0.0.1:8119

    and, on the remote server, I edit /etc/privoxy/config and set
    toggle 0

    so that it does not filter anything. Then I set in the browser 127.0.0.1:8118 (the local privoxy).

    Hope this helps someone.

    Cheers,
    Petko
