Web browsing over an SSH tunnel

This is how I set up my SSH server so that I can connect securely over an encrypted connection whenever I want to browse in private. It is a powerful tool when combined with a U3 memory stick or the portable apps suite.

The first step is to set up ssh/OpenSSH on your server. Your server needs to be permanently switched on and connected to the internet. You should also aim to have a firewall between your computer and the internet, and leave as few open ports as possible. I have successfully set up OpenSSH on Windows XP but I feel safer running an ssh server on a Linux server. I’ve run (and am still running) ssh servers on both Ubuntu server and on my ‘unslung’ Linksys NSLU2. If you are looking for a low-power web server and ssh server you can’t go far wrong with the NSLU2. I’ll say no more about this clever little device apart from saying that it has its own website dealing with how to unlock the extra functionality and set up the various servers – http://www.nslu2-linux.org/

You will need to forward a port from the router to your server – in the past I’ve given my server a static IP address on the internal network. This means the router will always be able to connect to it on the same IP address. Under Ubuntu you can give your server a static IP address by editing /etc/network/interfaces (type sudo nano /etc/network/interfaces).
It should look like:
auto eth0
iface eth0 inet dhcp

and you need to change it to something like this (assuming your router is

auto eth0
iface eth0 inet static

then you can restart the networking components by typing sudo /etc/init.d/networking restart

Setting port forwarding for your router is outside the scope of this guide – searching Google should help you if your manual doesn’t give you any help.

If you are running Ubuntu server you get the option to install an ssh server as part of the installation process. You can always install it later if required using the (sudo) apt-get install ssh command.
Once you have a working ssh server you will need to edit the config file and set up a key to log on. Using a simple password is not very secure and not recommended. Also changing the default port from 22 to a higher number prevents many intrusion attempts – port 443 is often open from work networks (recommended if you want to use this technique to surf undetected from work).
You need to edit /etc/ssh/sshd_config (sudo nano /etc/ssh/sshd_config) and check these lines
Port – change from 22 to something like 443
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Once you have a working setup that you can use with a public key you will have to change PasswordAuthentication to no to prevent anyone logging in by guessing a password.
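
The sshd_config settings listed above can be checked with a short script before you rely on them. This is an added example, not part of the original guide: the function names sshd_effective and audit_sshd_config and the sample config are made up for illustration, and it assumes a single config file with no Include directives.

```sh
#!/bin/sh
# Added example (hypothetical helper names). sshd uses the FIRST value it
# finds for a keyword, keywords are case-insensitive, and anything after a
# Match line is conditional, so only the global section is read here.

# Print the global value of keyword $2 in file $1, or the default $3.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        {
            sub(/[#].*/, "")                             # drop comments
            if (match($0, /^[ \t]*[A-Za-z0-9]+[ \t]*=/)) # accept Keyword=value
                $0 = substr($0, 1, RLENGTH - 1) " " substr($0, RLENGTH + 1)
        }
        tolower($1) == "match" { exit }                  # end of global section
        tolower($1) == key     { val = $2; found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Return 0 only when the file matches the guide's end state:
# key login enabled and password login disabled.
audit_sshd_config() {
    cfg=$1; rc=0
    port=$(sshd_effective "$cfg" Port 22)
    keys=$(sshd_effective "$cfg" AuthorizedKeysFile .ssh/authorized_keys)
    pubkey=$(sshd_effective "$cfg" PubkeyAuthentication yes | tr 'A-Z' 'a-z')
    passwd=$(sshd_effective "$cfg" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    echo "Port=$port AuthorizedKeysFile=$keys"
    echo "PubkeyAuthentication=$pubkey PasswordAuthentication=$passwd"
    [ "$pubkey" = yes ] || { echo "FAIL: key login is disabled"; rc=1; }
    [ "$passwd" = no ]  || { echo "FAIL: password login is still enabled"; rc=1; }
    [ "$port" != 22 ]   || echo "NOTE: still listening on the default port 22"
    return "$rc"
}

# Constructed sample: the guide's settings before the final lock-down step,
# with PasswordAuthentication still commented out (so the default, yes, applies).
sample=$(mktemp)
printf '%s\n' 'Port 443' 'PubkeyAuthentication yes' \
    'AuthorizedKeysFile .ssh/authorized_keys' \
    '#PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "=> not locked down yet"
rm -f "$sample"
```

On the server itself, sudo sshd -T prints the configuration sshd will actually use, defaults included, which is the authoritative check once the file has been edited.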

The next stage is to make a key – use PuTTYgen for this (it’s easiest to do this on the remote PC) http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Generate a random key and save the private key onto your computer. You will need to copy and paste the public key so don’t quit yet. Connect to your server using PuTTY – it should ask for a user name and password at this stage.

Where to save the public key file depends on the user name you wish to log in with.
Change to that directory – cd /home/user
See if you have a .ssh folder by trying to cd .ssh (if you haven’t you can mkdir .ssh)
Inside the .ssh folder you create a key file by typing echo ssh-rsa

= rsa-key-20080210 > authorized_keys
(Right clicking on the PuTTY window pastes the clipboard into the screen.)
Set file permissions by typing chmod 644 authorized_keys

Log out with PuTTY and try again using a key. To do this go to the SSH section of the PuTTY config and look for the Auth section – this is where you enter the location of the private key you saved earlier.

You also need to set up the tunnel – look in PuTTY under SSH/Tunnels and type 8181 into the source port box, click the Dynamic button and then Add. You should see D8181 appear in the window.
In Firefox or Internet Explorer you need to find the proxy settings and set them for port 8181 (SOCKS 5 proxy). I’d recommend using Firefox since you can also send your DNS requests over your ssh tunnel and no one in the office can tell what you are browsing. Type about:config in the Firefox address bar, look for network.proxy.socks_remote_dns and set it to true.
If you use Firefox in different environments I’d recommend looking for a proxy switching app (e.g. FoxyProxy).

I realise these instructions are pretty brief and require a little technical knowledge – if you require more detailed help, fill in the contact me form on my website and I may be able to help you. Alternatively you could try searching Google using some of the terms from this guide. Happy surfing.