Wednesday, April 29, 2009

SSH Tunnels & Proxy Tinkering

A couple months after hacking my Linksys router and upgrading it to use DD-WRT firmware I was reading on the DD-WRT site about SSH tunneling.

In the following post I will document why anybody would want to do this and how I went about doing it (mainly so that I can do it again should the need arise). I used several sources to guide me through the process one step at a time, and unfortunately I don't remember most of the sources so I can't give credit where credit is due. I am not knowledgeable enough to take all the credit for the methods employed in this post. Consider this a consolidation of all the information out there, filtered through my own needs and uses.


SSH allows for secure communication from one computer to another. It's an especially simple way to administer to a linux machine remotely...if you are familiar with the linux shell and commands. When connecting to a remote machine over SSH you can open or assign ports to communicate using this SSH connection. Any communication on these ports is then sent through SSH and is also secure.


Why the need for security and why use SSH? Because when networked, computers share information like people share air. Anyone with a little know-how can sniff your network traffic and steal all kinds of personal information. Especially when this traffic is wireless. The data is quite literally flying through the air riding on radio waves, available for anybody to intercept. SSH doesn't prevent people from intercepting it, but because it's encrypted it can't be read.

Even if you're not doing this for security, the things that can be done over SSH can add all kinds of convenience. You can basically extend your home or work network to any machine anywhere in the world.


"This all sounds so hard!"

Not at all. After some initial setup it's really quite easy.

Assuming DD-WRT is already installed on the router, enable SSHd and assign a port. I recommend not using the default port 22. Pick something else, but remember what you picked. You'll need that number later when you connect to the router. For simplicity here I'll just use 22.

I set up my router to require public key authentication instead of a password. I did this so that the router can't be cracked by a password attack. An intruder would have to have my private key in order to gain access. The downside is that if I lose my key I lose remote access. I'd still have local access though so I can always create another if necessary. There are many methods for creating a public/private key pair. I used PuTTYgen.

If you don't want to install DD-WRT on your router, but your router is capable of SSH connections then do whatever you need to do to get it setup. Check your router's documentation on how to do this.

Since it's likely that the WAN IP address of the router will change from time to time it's a good idea to setup a dynamic DNS. I covered this at the bottom of my post on DD-WRT tinkering. This makes it easier to SSH to the router without having to know or remember the IP address.

I'm using PuTTY in Windows for SSH sessions. Linux has SSH capabilities built in. If you're using a Mac you're on your own. Nothing against them personally, I just don't own any and don't know how. The following instructions are for Windows (PuTTY) only.

Open PuTTY and start a new session.

Host Name (or IP address):
username@ip address

The username should be whatever username you're going to login as (ie root).
The IP address is the IP address of the router. If you're physically located on a remote network (ie you're at a wireless hotspot) you'll need the WAN IP address of your router, or if you're using dynamic DNS you enter the URL.

22 (or whatever you set it to above)

Connection type:

If using private/public key authentication then open Connection -> SSH -> Auth and enter the path to the private key file for authentication.

Save the session and click Open. If using password authentication you'll be prompted to enter your password.

By this time you should be in. The first time connecting you'll be prompted to verify the host key.

We're in but we don't have any tunnels so all you can do at this point is administer the router from the shell. Not entirely useless, but we can do so much more.

Proxy Tunneling

If you have an open SSH session, close it and go back to the saved session (click on the session name and click Load). Go to Connection -> SSH -> Tunnels.

Source port: 5555 (or anything you want)
Select Dynamic and Auto.
Click Add.

"D5555" should appear in the Forwarded ports.
Save the session and Open.

In Firefox install FoxyProxy

In FoxyProxy Options click Add New Proxy.
Proxy Details -> select Manual Proxy Configuration
Host or IP Address: localhost
Port: 5555 (or whatever you picked above)
Select SOCKS proxy, SOCKS v5
Click OK

Under Global Settings check "Use SOCKS proxy for DNS lookups."

Now when you open an SSH connection and forward port 5555 (leave the SSH window open in the background) you can use FoxyProxy to route all Firefox traffic through your router over the SSH connection. Just activate FoxyProxy: usually middle-click the status bar in the lower right corner of the Firefox window until the status reads "FoxyProxy: Default."

Check that it's working by going to Disable FoxyProxy and load the page. You should see an IP address at the top. Make a note of the address, enable FoxyProxy again and refresh the page. The IP address should change. It will be your router's IP address.

When the network traffic is being tunneled through SSH you can surf the web securely no matter how insecure the network might be. You can use free wireless hotspots without fear of a someone snooping on all your internet usage and stealing passwords. But do keep in mind that this proxy type is only good for Firefox. If you switch over to IE or anything else (iTunes, Outlook, etc.) that traffic is not being tunneled and is limited to whatever built-in security there is...if any.

I've heard it's possible to change the Windows internet connection settings to use the forwarded port as a proxy and secure all internet traffic, but I haven't had any success doing so. If any reader has, please feel free to post how you did it in the comments.

With this proxy setup you're essentially browsing the web through your own router. Your IP address will appear as your router's IP. There are many advantages to this, but there is one disadvantage. You're limited to the speed of the remote network and if your ISP has limited bandwidth caps (or more accurately: data transfer caps) this traffic counts too. So keep that in mind. You can even admin the router through the web interface as if on a local network without the need to setup remote administration.

Remote Desktop Tunneling

Back in the Tunnels settings in PuTTY.

Source port: 3390
Select Local and Auto
Click Add = the local IP address of the computer you want to Remote Desktop (ie

Save the session and Open. Leave the SSH session open in the background and open Remote Desktop Connection.

Computer: localhost:3390

Click Connect and you'll be able to remote into the computer from anywhere! No need for complicated VPN or opening ports on the router.

Music sharing with iTunes

You can share your music with iTunes over a local network. You can either let iTunes do the sharing (Edit -> Preferences -> Sharing -> select Share my library on my local network) or you can install an mt-daapd server like Firefly Media Server on a linux machine.

Back when I hacked my router I also hacked a NSLU2 device and installed Firefly Media Server to share music on my network. When I open iTunes on any networked computer I can get access to the library of music being shared on the NSLU2 ("slug"). With SSH, port tunneling, and an application called RendezvousProxy you can be listening to your music collection from anywhere.

Back to the Tunnels in PuTTY

Source port: 3689
Select Local and Auto
Click Add = the local IP address of the computer sharing the iTunes library (ie

Save the session and Open. Leave the SSH session open in the background and install RendezvousProxy.

Add a new host.

IP Address:
Port: 3689
Host Label: (whatever name you want)
Service Text: daap
Service Type: _daap._tcp. (iTunes Host)

Click Add and leave RendezvousProxy running.

Open iTunes. You should see the name of the host (the name you gave it above) available under "SHARED" with the entire library at your disposal.

If anybody has other cool and useful uses for SSH port tunneling please share here in comments.

No comments:

Post a Comment