Beruflich Dokumente
Kultur Dokumente
tunnel
Have you ever wanted to visit sites during the day from a location that
denied access to those sites? Perhaps the company has denied access due to
bandwidth considerations or you might have decided that the site you want
to go to might not always be work safe depending on the story or pictures?
What you need is the ability to create a secure and encrypted ssh connection
to tunnel your browser traffic through.
Using a ssh tunnel to retrieve the data from websites is significantly faster
than trying to use X forwarding to open a remote copy of Firefox on the
remote machine. If a remote browser is used the connection will be
saturated by the graphical front end of the remote browser window. Use the
tunnel for the web site's data and leave the rendering of the browser to the
local machine. This is the most efficient solution.
If you have access to a remote machine by way of ssh you can set up
Firefox, or any other SOCKS v5 enabled application, to tunnel its connection
through ssh. This way, if you were at work and wanted to browse your
favorite sites like MySpace, Facebook or Maxim that are blocked at the
company firewall you could.
Getting Started
First you must have ssh access to the remote machine you want to proxy to.
Let it be a home machine or a free shell you signed up for on-line. You must
also make sure you can ssh from where your browser is to where you want
to tunnel to. No need to set this up if port 22 is not open to you from your
location to your destination.
You have two(2) options to pick from. You can proxy directly to the remote
machine and then connect directly to web sites. This is the SOCKS5 method
and is the easiest to setup. Or, you could use a Squid web proxy (if
available) on the remote machine to accept the traffic from the ssh tunnel.
Squid would then request the traffic from web sites. Pick one of the options
below.
NOTE: For our example, ssh is going to listen on localhost (127.0.0.1) and
port 8080 of the local machine.
Option 1: ssh and direct connect (SOCKS5) : If you are going to use the
ssh tunnel with the option "-D 8080" then you need to setup the browser to
use a SOCKS5 proxy. Setup the proxy config page with the following entries
and leave the rest of the entries blank.
This method will only take affect if you use the SOCKS5 proxy method. If
you are proxying using the squid method (HTTP/SSL Proxy) you could always
check if you can query another, independent DNS server like OpenDNS.
Option 1: ssh and direct connect (SOCKS5) : The following line will start
the ssh client and connect to username@remote_machine.com. Port 8080 on
localhost (127.0.0.1) will listen for requests and send them to the remote
machine. The remote machine will then send the packets out as if they
originated from itself. The ssh options are in the man page of ssh, but to
summarize them in order: Compression, SSH2 only, Quite, Force pseudo-tty
allocation, Redirect stdin from /dev/null, and Place the ssh client into
"master" mode for connection sharing.
ssh -C2qTnN -D 8080 username@remote_machine.com
Option 2: ssh to squid proxy (HTTP/SSL Proxy) : The following line will
also start the ssh client and connect to username@remote_machine.com.
Port 8080 on localhost (127.0.0.1) on the current machine will listen for
requests and ssh tunnel them to the remote machine. On the remote
machine ssh will forward the packets to localhost port 2020. If squid is
listening on localhost port 2020 on the remote machine then all requests
sent though the ssh tunnel will then be forwarded to squid. You can use
squid to block ads and speed up web access. If you need assistance with
squid, check out the Calomel.org Squid "how to" page.
Make sure Firefox is working by checking the proxy is active and then try to
go to a web page. You can also try a site like WhatIsMyIp.com to verify the
ip you have with the proxy is different than without.
If everything is working then you can be assured that all of your browsing
traffic is being encrypted through the tunnel and no one at your current
location will be able to see your traffic over the network.
Once you are done with the proxy just exit the ssh xterm or kill this instance
of ssh with Ctrl-c. Remember to set Firefox back to "Direct Connection" if
you want to directly browse from your location otherwise you will not be
going anywhere.
Questions?
How can I setup two or more ssh tunnels through two or more
machines ?
At some point you may need to tunnel through multiple ssh tunnels through
multiple machines. This is quite easy to do as long as you have ssh access to
every machine you want to tunnel through. In this example we will be
tunneling from a desktop machine through a machine called host1 and then
to a machine called host2 which will then access the internet. Something like
so:
First, make sure you went through the beginning on this page and know how
to get firefox to proxy through a SOCKS5 proxy on localhost port 8080. Then
run the following ssh command on the desktop running Firefox. This will
setup an encrypted ssh tunnel to host1 from the "Firefox desktop".
Now, you need to ssh to host1 directly. Once you are on host1 run the
following. This will collect any data from the first tunnel originating from the
"Firefox desktop" to host1 and tunnel that data to host2.
So, how does this setup work? Firefox on the desktop will initiate a SOCKS5
connection to localhost port 8080 on the desktop machine. Since a ssh
tunnel is listening on localhost:8080 it will ssh tunnel the traffic to host1
which will forward this traffic to host1's localhost:8080. On host1 the second
ssh command will tunnel all traffic it receives on localhost:8080 from the
desktop machine to host2. On host2 the traffic will then be able to go out to
the internet at large. If you have DNS SOCKS5 resolution on as well then all
web traffic _and_ dns queries will goto host2 through both tunnels. From the
view of the internet all queries originating from the "Firefox desktop" will
look like they come from host2. Nice and anonymous.
What if I need to tunnel through more then two machines? Then just keep
repeating "ssh -C2qTnN username@host1 -L 8080:localhost:8080"
command for each incremental host. Once you decide you very last host you
want the data to access the internet with then use the "ssh -C2qTnN -D
8080 username@host2" command.
To make sure you tunnel is working correctly using a site like ipchicken.com
to see what ip address you are coming from. In the case of our example
above ipchicken should report the ip address of host2.
First, make sure to check out our Firefox Add-on "Calomel SSL Validation".
More open proxy connections: When you use a proxy, Firefox limits the
amount of concurrent open connections to 8. This is too small for most users
as many people open multiple tabs to many sites. When more then 8
connections are made the browser seems to be "stuck" because Firefox will
wait till an open connection is closed before making a new one. To avoid this
problem it is highly suggested to increase the persistent connections value
from 8 to 25.
network.http.max-persistent-connections-per-proxy 25
Turn off pop-up tips: If you are annoyed by pop up text when your mouse
hovers over a web element you can turn that function off.
browser.chrome.toolbar_tips false
No animations: Stop all animated gifs and pictures like ads and annoying
dancing cartoons characters.
image.animation_mode none
No blinking text: Blinking text is annoying. Webmasters should not use it.
In case they do, we will disallow the function in the browser.
browser.blink_allowed false
network.http.max-connections 25
network.http.max-connections-per-server 25
network.http.max-persistent-connections-per-proxy 25
network.http.max-persistent-connections-per-server 25
network.http.pipelining true
network.http.pipelining.maxrequests 8
network.http.pipelining.ssl true
network.http.proxy.pipelining true
TLSv1 with AES256, AES128 and 3DES 168 Only: When connecting to
SSL based servers (https) you only want to use the strongest ciphers
available. Most web server admins can setup their servers to prefer weak
ciphers over strong ciphers for any reason; sometimes they want a less CPU
intensive encryption or perhaps they just configured the server wrong. Even
Google's encrypted pages prefer RC4 instead of AES and this is not our idea
of good security. We want to make sure that our version of Firefox only uses
AES 256 bit, AES 128 bit or 3DES 168 bit ciphers.
Open up a window and type "about:config". Then in the "Filter" bar at the
top search for the following. Double clicking on each line will change the
value.
ssl3 and set every line to false _except_ lines containing the strings
"aes_256" and "aes_128".
Now your browser will _only_ accept the TLSv1 protocol in AES256 bit cipher
encryption no matter what previous weaker ciphers a web server prefers.
This configuration also makes your browser FIPS 120-2 compliant (year
2030 specs).
Is there any way I can switch proxies faster?There are add-ons, also
called extensions, for Firefox called FoxyProxy or SwitchProxyTool you can
use. They offer the ability to setup multiple proxy settings and choose the
one you want, or turn them off, using a drop down menu.