Secure, flexible networking on a public or restricted connection
June 16th, 2004
As an independent consultant and programmer, I often connect my laptop to networks other than my own. Sometimes they are the corporate networks of my clients, and more frequently of late they are wireless networks, either at clients or publicly accessible hotspots. A couple of problems arise from this.
One is security/privacy (maybe that’s 2 – hmm…) – email passwords and surfing details are monitored or easily sniffed either on the wire or in the air.
Another is restrictions – corporate and ISP policies that limit my ability to reach the services I want – instant messaging, certain content, etc.
I’ve come up with a solution to all of these problems that is easily implemented by anyone who doesn’t mind becoming familiar with SSH and port redirection. All you need from any location is the capability to connect to one port on a remote machine.
Okay, so not everyone will be nerdy enough to follow these directions. Believe me, you’ll thank yourself if you decide to take the plunge and learn this stuff.
Server:
First, you will need a Windows or *nix (Linux, BSD, Mac OS X, etc.) machine somewhere on the net that you can reach via TCP/IP, either by static address or dynamic DNS. You only need to get to one port on it, so it can be behind a NAT firewall as long as that port is mapped back to the box.
I have two such boxes – one at home behind my cable router using Zoneedit for dynamic DNS, and another which is a virtual private server (a Linux virtual machine with root access) from www.velocityserver.com. For $14.95 a month, I have a complete RedHat server at my disposal with root access, a static IP, 500MB of space, and 10G per month bandwidth – highly recommended.
Second, on that box, you will need the SSH server running. On a Windows box, you can load up the free Cygwin sshd, and on any *nix you’ll have sshd. Expose the SSH listening port to the internet via your firewall or DSL/Cable router if necessary.
Third, you will want to run a proxy server on that machine. Squid is great on *nix, and there’s a free Windows proxy at AnalogX that works well too. Set it up to only accept connections from localhost.
Fourth, you may or may not want to run an SMTP server – sendmail on *nix or Microsoft’s SMTP server that comes with IIS on Windows, set up to relay only from localhost.
Ok, so you have this box running now, with sshd, web proxy, smtp.
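A quick way to confirm the "localhost only" part of steps three and four, as an added example that is not part of the original post: the function below reads `ss -ltn` style output and reports any proxy or SMTP listener bound to a non-loopback address. It checks the listening address only, not Squid ACLs or relay rules, and the sample socket table is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads `ss -ltn` style output on stdin and reports any tunnel-only service
# that is listening on an address other than loopback.

# Ports named in the post: 25 (smtp), 3128 (squid), 6588 (AnalogX proxy).
TUNNEL_ONLY_PORTS="25 3128 6588"

exposed_listeners() {
    awk -v ports="$TUNNEL_ONLY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                          # local "address:port" column
            port = la; sub(/.*:/, "", port)  # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (!(port in want)) next        # sshd on 22 is meant to be public
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
            print port " " addr
        }
    ' | sort -u
}

# Constructed sample: smtp is loopback-only, both proxies are exposed.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      100    [::1]:25           [::]:*
LISTEN 0      256    *:3128             *:*
LISTEN 0      128    0.0.0.0:6588       0.0.0.0:*
EOF
}

# On the real server: ss -ltn | exposed_listeners
sample_ss_output | exposed_listeners
```

Empty output means every listener on those ports is loopback-only, so the services can only be reached through the SSH tunnel.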
Client:
First, on your laptop or office machine, install an SSH client. *nix comes with one, and you can get PuTTY for Windows. By default SSH uses port 22, which is not often blocked by firewalls. If it is, you may want to have your sshd listen on another port, for instance port 80, which is usually used for HTTP, and connect to that instead.
Second, set up a connection profile to your server with the following port redirections:
Local 110 -> mail.your_isp.com:110 (POP3)
Local 25 -> localhost:25 (if using SMTP on server)
Local 25 -> smtp.your_isp.com:25 (if using your ISP’s SMTP)
Local 3128 -> localhost:3128 (if using Squid proxy)
Local 3128 -> localhost:6588 (if using AnalogX proxy)
Third, set up your programs to use redirected ports:
POP3 email program – set POP server to localhost, SMTP server to localhost
Browser – set proxy to localhost:3128
Instant Messaging – set proxy to localhost:3128 (I use Trillian)
This will all be a big hairy deal to set up if you haven’t done it before, but once you get it going, you’ll think of lots of reasons to use port redirection.
Here is an ssh command line that does it all:
ssh -p 22 myserver.mydomain.com -L110:mail.myisp.com:110 -L25:localhost:25 -L3128:localhost:3128
Now, wherever you are – even at home – the first program you run is your ssh client. Connect using your profile, then start up your email, IM and browser, and all of them will be talking directly to localhost and through the SSH tunnel out to your own network, never exposing your data to the network you’re connected to, and allowing you to browse wherever your own policy dictates.
I’ve been using this for a couple of months now and I can’t imagine doing it any other way.
Thanks Brent.
by Adam June 20th, 2004 at 10:03 pm
One more trick: use ssh’s “-C” option to compress data if your connection is slow/unreliable and your CPU is fast.
by Dan March 14th, 2005 at 7:59 pm
There are also plenty of free php proxies online to use.
by Dan Anderson April 7th, 2007 at 1:24 pm