
5/5/2017 Setup SSH on Your Router for Secure Web Access from Anywhere

Setup SSH on Your Router for Secure Web Access from Anywhere
By Jason Fitzpatrick on July 13th, 2011

Connecting to the internet from Wi-Fi hotspots, at work, or anywhere else away from home, exposes your data to
unnecessary risks. You can easily configure your router to support a secure tunnel and shield your remote
browser traffic. Read on to see how.

What Is a Secure Tunnel, and Why Set One Up?

You might be curious why you would even want to set up a secure tunnel from your devices to your home router
and what benefits you would reap from such a project. Let's lay out a couple of different scenarios that involve you
using the internet to illustrate the benefits of secure tunneling.

Scenario one: You're at a coffee shop using your laptop to browse the internet through their free Wi-Fi
connection. On an open hotspot your data leaves your Wi-Fi adapter, travels through the air unencrypted to the
coffee shop's access point, and is then passed on to the greater internet. During the transmission from your
computer to the greater internet your data is wide open. Anyone with a Wi-Fi device in the area can capture
anything that isn't already protected by HTTPS. It's so painfully easy that a motivated 12 year old with a laptop
and a copy of Firesheep could snatch up the session cookies that keep you logged in to all manner of sites. It's as
though you're in a room filled with English-only speakers, talking into a phone speaking Mandarin Chinese. The
moment somebody who speaks Mandarin Chinese comes in (the Wi-Fi sniffer) your pseudo-privacy is shattered.

Scenario two: You're at a coffee shop using your laptop to browse the internet through their free Wi-Fi connection
again. This time you've established an encrypted tunnel between your laptop and your home router using SSH.
Your traffic is routed through this tunnel from your laptop to your home router, which is functioning as a
proxy server. Wi-Fi sniffers see nothing but a garbled stream of encrypted data. No matter how shifty the
establishment, how insecure the Wi-Fi connection, your data stays in the encrypted tunnel and only leaves it once
it has reached your home internet connection and exits to the greater internet. Be clear about what the tunnel
does and does not cover, though: it protects the hop between you and your home, which is the hop the hotspot
can see. From your router onward the traffic travels exactly as it would from home, so plain HTTP is still plain
HTTP there, and HTTPS still matters for the sites you log in to.

In scenario one you're surfing wide open; in scenario two you can log in to your bank or other private web sites
with the same confidence you would from your home computer.

Although we used Wi-Fi in our example you could use the SSH tunnel to secure a hardline connection to, say,
launch a browser on a remote network and punch a hole through the firewall to surf as freely as you would on
your home connection.

https://www.howtogeek.com/68061/setup-ssh-on-your-router-for-secure-web-access-from-anywhere/

Sounds good, doesn't it? It's incredibly easy to set up so there's no time like the present: you can have your SSH
tunnel up and running within the hour.

What You’ll Need

There are many ways to set up an SSH tunnel to secure your web browsing. For this tutorial we're focusing on
setting up an SSH tunnel in the easiest possible way with the least amount of fuss for a user with a home router
and Windows-based machines. To follow along with our tutorial you'll need the following things:

A router running the Tomato or DD-WRT modified firmware.

An SSH client like PuTTY.

A SOCKS-compatible web browser like Firefox.

For our guide we'll be using Tomato but the instructions are almost identical to the ones you would follow for DD-
WRT, so if you're running DD-WRT feel free to follow along. If you don't have modified firmware on your router
check out our guide to installing DD-WRT and Tomato before proceeding.

Generating Keys for Our Encrypted Tunnel

Although it might seem odd to jump right to generating the keys before we even configure the SSH server, if we
have the keys ready we'll be able to configure the server in a single pass.

Download the full PuTTY pack and extract it to a folder of your choice. Inside the folder you'll find PUTTYGEN.EXE.
Launch the application, set the number of bits in the generated key to at least 2048 (older PuTTYgen releases
default to 1024), and click Key –> Generate key pair. You'll see a screen much like the one pictured above; move
your mouse around to generate random data for the key creation process. Once the process has finished your
PuTTY Key Generator window should look something like this; go ahead and enter a strong passphrase in the
Key passphrase field:


Once you've plugged in a passphrase, go ahead and click Save private key. Stash the resulting .PPK file somewhere
safe; whoever holds it (and knows the passphrase) can log in to your router as root. Copy and paste the contents
of the "Public key for pasting into OpenSSH authorized_keys file" box into a temporary TXT document for now.
Use that box rather than the Save public key button: the button writes the multi-line SSH2 public key format,
which the router's SSH server will not accept in its Authorized Keys box, whereas the pasting box gives you the
one-line ssh-rsa form it expects.

If you plan on using multiple devices with your SSH server (such as a laptop, a netbook, and a smartphone)
generate a separate key pair for each device rather than copying one .PPK around; that way, if a device is lost,
you can remove just its public key from the router and the others keep working. Go ahead and generate,
passphrase, and save the additional key pairs you need now. Make sure you copy and paste each new public key
into your temporary document.

Configuring Your Router for SSH

Both Tomato and DD-WRT have built-in SSH servers. This is awesome for two reasons. First, it used to be a huge
pain to telnet into your router to manually install an SSH server and configure it. Second, because you're running
your SSH server on your router (which likely consumes less power than a light bulb), you never have to leave your
main computer on just for a lightweight SSH server.

Open a web browser on a machine connected to your local network. Navigate to the web interface of your router;
for our router, a Linksys WRT54G running Tomato, the address is http://192.168.1.1. Log in to the web interface
and then navigate to Administration –> SSH Daemon. There you need to check both Enable at Startup and
Remote Access (Remote Access is what opens the SSH port on the internet-facing side, which is the whole point
here). You can change the remote port if you desire, but the only benefits to doing so are less automated login
noise in your logs and a marginal obscuring of why the port is open to anyone who port scans you; it is not a
security control. Uncheck Allow Password Login. We will not be using a password login to access the router
from afar, we will be using a key pair, and with password login off an attacker who finds the port has nothing to
guess.

Paste the public key(s) you generated in the last part of the tutorial into the Authorized Keys box, one key per
line. Each entry must be the single-line OpenSSH form: the key type ssh-rsa, a space, the base64 blob, and an
optional comment. The leading ssh-rsa is very important. If it is missing, or the blob got wrapped onto a second
line when you pasted it, the SSH server treats the entry as invalid and silently ignores it.


Click Start Now and then scroll down to the bottom of the interface and click Save. At this point your SSH server is
up and running. Before you leave home, test it from a machine on your LAN using the router's LAN address:
besides confirming that the key works, PuTTY will cache the router's host key fingerprint, so you will recognise it
(and notice if it changes) when you connect from the road.
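Because the router ignores malformed Authorized Keys entries without complaining, it helps to check the text you are about to paste first. The following Python is an added example for this guide, not code from the article or from Tomato/DD-WRT: it parses each line the way the SSH server does (type prefix, base64 blob, the type string embedded in the blob) and reports the common paste accidents. The sample keys it carries are constructed dummy blobs with the correct wire layout, not real keys, and ssh-ed25519 is listed on the assumption that your firmware's SSH server supports it (2011-era builds accept ssh-rsa only).

```python
"""Sanity-check OpenSSH public-key lines before pasting them into the
router's Authorized Keys box.

The SSH server wants one key per line in the form
    <type> <base64 blob> [comment]
and silently drops any line it cannot parse, so a missing 'ssh-rsa'
prefix, a blob wrapped onto two lines, or a private key pasted by
mistake all fail without an error message. This catches those first.
"""
import base64
import hashlib
import struct

# Assumption: ssh-ed25519 only works on firmware whose dropbear supports it.
ALLOWED_TYPES = ("ssh-rsa", "ssh-ed25519")


def _read_string(blob: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length + bytes."""
    if len(blob) < off + 4:
        raise ValueError("blob truncated")
    (n,) = struct.unpack("!I", blob[off:off + 4])
    if len(blob) < off + 4 + n:
        raise ValueError("blob truncated")
    return blob[off + 4:off + 4 + n], off + 4 + n


def check_key_line(line: str) -> dict:
    """Validate one authorized_keys line.

    Returns {'ok': True, 'type', 'bits' (RSA only), 'fingerprint', 'comment'}
    or {'ok': False, 'reason': ...}.
    """
    line = line.strip()
    if not line:
        return {"ok": False, "reason": "blank line"}
    if "PRIVATE KEY" in line or line.startswith("PuTTY-User-Key-File"):
        return {"ok": False, "reason": "private key material; never paste this into the router"}
    parts = line.split()
    if parts[0] not in ALLOWED_TYPES:
        return {"ok": False,
                "reason": f"line must start with the key type (e.g. ssh-rsa), got {parts[0][:20]!r}"}
    if len(parts) < 2:
        return {"ok": False, "reason": "key type present but base64 blob missing"}
    try:
        blob = base64.b64decode(parts[1], validate=True)
        embedded, off = _read_string(blob, 0)
        if embedded != parts[0].encode():
            return {"ok": False, "reason": f"prefix {parts[0]} does not match the type inside the blob"}
        bits = None
        if parts[0] == "ssh-rsa":
            _e, off = _read_string(blob, off)
            n, off = _read_string(blob, off)
            # An mpint carries a leading 0x00 when its top bit is set; don't count it.
            bits = (len(n) - (1 if n[:1] == b"\x00" else 0)) * 8
        else:
            _pub, off = _read_string(blob, off)
        if off != len(blob):
            raise ValueError("trailing bytes")
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return {"ok": False, "reason": "blob is not one complete base64 key (was it wrapped across lines?)"}
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"ok": True, "type": parts[0], "bits": bits,
            "fingerprint": "SHA256:" + digest, "comment": " ".join(parts[2:])}


def check_authorized_keys(text: str) -> list:
    """Check every line of what you are about to paste; one result per line."""
    return [check_key_line(ln) for ln in text.splitlines()]


def _wire(*fields: bytes) -> bytes:
    """Concatenate SSH wire-format strings (used only to build the samples)."""
    return b"".join(struct.pack("!I", len(f)) + f for f in fields)


# Constructed sample input: dummy blobs with the right layout (NOT real keys),
# simulating the paste accidents the router would swallow silently.
_RSA_B64 = base64.b64encode(_wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256)).decode()
_ED_B64 = base64.b64encode(_wire(b"ssh-ed25519", bytes(range(32)))).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-rsa " + _RSA_B64 + " laptop",      # good
    "ssh-ed25519 " + _ED_B64 + " phone",    # good (newer dropbear only)
    _RSA_B64 + " netbook",                  # ssh-rsa prefix lost in the paste
    "ssh-rsa " + _RSA_B64[:200],            # blob wrapped: first half
    _RSA_B64[200:],                         # blob wrapped: second half
    "-----BEGIN RSA PRIVATE KEY-----",      # wrong file pasted
])

if __name__ == "__main__":
    for result in check_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(result)
```

Run it against the contents of your temporary TXT file instead of SAMPLE_AUTHORIZED_KEYS; every line should come back ok before you paste, and the SHA256 fingerprint it prints is the one PuTTYgen shows for that key.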

Configuring Your Remote Computer to Access Your SSH Server

This is where the magic happens. You've got a key pair, you've got a server up and running, but none of that is of
any value unless you're able to remotely connect from the field and tunnel into your router. Time to bust out our
trusty netbook running Windows 7 and set to work.

First, copy that PuTTY folder you created to your other computer (or simply download and extract it again). From
here on all instructions are focused on your remote computer. If you ran the PuTTY Key Generator on your home
computer make sure you've switched over to your mobile computer for the rest of the tutorial. Before you go any
further you'll also need to make sure you have a copy of the .PPK file you created. Once you have PuTTY extracted
and the .PPK in hand, we're ready to proceed.

Launch PuTTY. The first screen you'll see is the Session screen. Here you'll need to enter the IP address of your
home internet connection. This is not the IP of your router on the local LAN; this is the IP of your modem/router as
seen by the outside world. You can find it by looking at the main Status page in your router's web interface. Most
home connections get a dynamic address that changes over time, so if you don't want to check it before every
trip, enable the dynamic DNS client that both Tomato and DD-WRT include and enter that hostname here instead.
Change the Port to 2222 (Tomato's default remote port, or whatever you substituted in the SSH Daemon
configuration process). Make sure SSH is checked. Go ahead and give your session a name so that you can save it
for future use. We titled ours Tomato SSH.

Navigate, via the left-hand pane, down to Connection –> SSH –> Auth. Here you need to click the Browse button
and select the .PPK file you saved and brought over to your remote machine.

While in the SSH sub-menu, continue down to SSH –> Tunnels. It is here we are going to configure PuTTY to
function as a proxy server for your mobile computer. Leave the two checkboxes under Port Forwarding unchecked:
the first one, Local ports accept connections from other hosts, makes the proxy listen on every network interface
instead of only 127.0.0.1, which would let anyone on the coffee shop Wi-Fi route their traffic through your home
connection. Below, in the Add new forwarded port section, enter 80 for the Source port (this is just the local port
the proxy listens on; any free port works, 1080 is the conventional SOCKS port, and you will enter the same
number in the browser later) and leave Destination blank, since a dynamic forward does not need one. Check
Auto and Dynamic then click Add.


Double check that an entry has appeared in the Forwarded Ports box (it should read D80). Navigate back to the
Session section and click Save again to save all your configuration work. Now click Open. PuTTY will launch a
terminal window. You may get a warning at this point indicating that the server's host key is not cached in the
registry. This is the router's own host key, not the key pair you generated, so PuTTY Key Generator cannot tell
you whether it is genuine. What can is the fingerprint PuTTY showed you the first time you connected from your
home LAN: if it matches, confirm that you trust the host and PuTTY will cache it and not ask again. If you are
warned on a later trip that the fingerprint has changed, don't click through; on a hostile network that is exactly
what a man-in-the-middle looks like. Once you've opened PuTTY and accepted the host key you should see a
screen that looks like this:

At the terminal you will only need to do two things. At the login prompt type root. At the passphrase prompt
enter the passphrase you set in PuTTY Key Generator a few minutes ago when you generated your key; this is
not your router's admin password. The router shell will load and you're done at the command prompt. You've
formed a secure connection between PuTTY and your home router. Now we need to instruct your applications
how to access PuTTY.

Note: If you want to simplify the process at the price of decreasing your security you can generate a key pair
without a passphrase and set PuTTY to log in to the root account automatically (the setting is Connection –>
Data –> Auto-login username). This reduces the PuTTY connection process to simply opening the app, loading
the profile, and clicking Open. Bear in mind what you're trading away: a passphrase-less .PPK on a netbook that
gets lost or stolen is a root login to your router, and the only remedy is to delete that device's public key from
the Authorized Keys box before anyone uses it, which is one more reason to give each device its own key.
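A quick way to confirm the tunnel is set up the way this section intends, with the SOCKS listener reachable from your own machine only, is to look at the local listening sockets. The Python below is an added example, not part of the original article or of PuTTY: it scans the output of Windows `netstat -an` for LISTENING sockets on the proxy port and reports any that are bound to something other than a loopback address. The netstat lines embedded in it are constructed sample output, not a real capture; to check your own machine, feed it the real output of `netstat -an` and the Source port you chose.

```python
"""Confirm PuTTY's SOCKS listener is reachable only from this machine.

PuTTY binds a dynamic forward to 127.0.0.1 unless "Local ports accept
connections from other hosts" is ticked; with it ticked the proxy listens
on every interface and anyone on the hotspot can push their traffic
through your home connection. This scans `netstat -an` output for that.
"""
import ipaddress


def _split_endpoint(endpoint: str):
    """'0.0.0.0:80' -> ('0.0.0.0', 80); '[::]:80' -> ('::', 80)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def exposed_listeners(netstat_output: str, proxy_port: int) -> list:
    """Return (address, port) for every LISTENING TCP socket on proxy_port
    that is bound to a non-loopback address, i.e. reachable from the LAN."""
    exposed = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Windows `netstat -an` rows: Proto  Local Address  Foreign Address  State
        if len(fields) < 4 or fields[0].upper() != "TCP" or fields[3] != "LISTENING":
            continue
        addr, port = _split_endpoint(fields[1])
        if port != proxy_port:
            continue
        if not ipaddress.ip_address(addr).is_loopback:
            exposed.append((addr, port))
    return exposed


# Constructed sample, not a real capture: a SOCKS listener on port 80 that
# was opened with "accept connections from other hosts" ticked (0.0.0.0 and
# [::]), next to a correctly loopback-bound one on 1080.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1080         0.0.0.0:0              LISTENING
  TCP    192.168.43.17:49822    93.184.216.34:443      ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

if __name__ == "__main__":
    for port in (80, 1080):
        bad = exposed_listeners(SAMPLE_NETSTAT, port)
        print(f"port {port}: " + ("OK, loopback only" if not bad else f"EXPOSED on {bad}"))
```

If the function returns anything for your proxy port, go back to SSH –> Tunnels, untick Local ports accept connections from other hosts, save the session and reconnect.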

Configuring Your Browser to Connect to PuTTY


At this point in the tutorial your server is up and running, your computer is connected to it, and only one step
remains. You need to tell the important applications to use PuTTY as a proxy server. Any application which
supports the SOCKS protocol can be pointed at PuTTY, such as Firefox, mIRC, Thunderbird, and uTorrent, to name a
few; if you're unsure whether an application supports SOCKS, dig around in the options menus or consult the
documentation. This is a critical element that shouldn't be overlooked: your traffic is not routed through the
PuTTY proxy by default; each application must be configured to use the SOCKS server. You could, for example, have
a web browser where you turned on SOCKS and a web browser where you didn't, both on the same machine, and
one would send its traffic through the encrypted tunnel while the other went straight out over the hotspot.

For our purposes we want to secure our web browser, Firefox Portable, which is simple enough. The configuration
process for Firefox translates to practically any application you'll need to plug SOCKS information into. Launch
Firefox and navigate to Options –> Advanced –> Settings. From within the Connection Settings menu, select
Manual proxy configuration and under SOCKS Host plug in 127.0.0.1: you're connecting to the PuTTY application
running on your local computer, so you must put the local host IP, not the IP of your router as you've been putting
in every slot so far. Set the port to 80 (or whatever Source port you gave the dynamic forward in PuTTY), make
sure SOCKS v5 is selected rather than SOCKS v4, since only version 5 can carry hostnames through the proxy,
and click OK.

We have one tiny little tweak to apply before we're all set. Firefox, by default, doesn't route DNS requests through
the proxy server. This means that your web traffic is encrypted but Firefox still asks the hotspot's DNS server, in
the clear, for the address of every site you visit. Somebody snooping the connection would see those lookups:
they'd know you were at Facebook.com or Gmail.com but they wouldn't be able to see anything else, and a
dishonest resolver could also hand back a wrong answer. If you want to route your DNS requests through the
SOCKS tunnel as well, so that the router at home does the lookups, you'll need to turn it on.

Type about:config in the address bar, then click "I'll be careful, I promise!" if you get a stern warning about how
you can screw up your browser. Paste network.proxy.socks_remote_dns into the Filter: box and then right click
on the entry for network.proxy.socks_remote_dns and Toggle it to True. (Newer Firefox releases expose the same
setting as a checkbox, Proxy DNS when using SOCKS v5, in the Connection Settings dialog.) From here out, both
your browsing and your DNS requests will be sent through the SOCKS tunnel.
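What that setting changes is visible on the wire between Firefox and PuTTY. The Python below is an added example for this guide, not code from the article, Firefox or PuTTY: it encodes and decodes the SOCKS5 CONNECT request (RFC 1928) a client sends to the proxy. With remote DNS off the browser resolves the name itself, leaking the query to the hotspot, and sends the proxy a request of address type 1 (an IPv4 literal); with remote DNS on it sends address type 3 (the hostname) and the SSH server on your router does the lookup. The hostname and address used are constructed sample values.

```python
"""Encode/decode SOCKS5 CONNECT requests to show where DNS resolution happens.

Wire format (RFC 1928): VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT.
ATYP 0x01 = IPv4 literal (client already resolved the name, i.e. the DNS
query went out over the hotspot), 0x03 = domain name (the proxy, here the
SSH daemon on your router, resolves it), 0x04 = IPv6 literal.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# First message of the exchange: version 5, one auth method offered, 0x00 = none.
CLIENT_GREETING = bytes([SOCKS_VERSION, 1, 0x00])


def build_connect(host: str, port: int) -> bytes:
    """Encode a CONNECT request. An IP literal is sent as-is (DNS already
    done locally); anything else is sent as a hostname for the proxy to
    resolve, which is what socks_remote_dns=true makes Firefox do."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect(data: bytes) -> dict:
    """Decode a CONNECT request and report whether the client kept DNS
    inside the tunnel (remote_dns=True) or leaked it (remote_dns=False)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError(f"unsupported command 0x{data[1]:02x}")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        dest, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        dest, end = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        dest, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unknown address type 0x{atyp:02x}")
    if len(data) != end + 2:
        raise ValueError("truncated request or trailing bytes")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {"dest": dest, "port": port, "remote_dns": atyp == ATYP_DOMAIN}


def reply_ok(data: bytes) -> bool:
    """True if a proxy reply (VER, REP, RSV, ...) reports success (REP=0)."""
    return len(data) >= 2 and data[0] == SOCKS_VERSION and data[1] == 0x00


if __name__ == "__main__":
    # Constructed sample destinations, not captured traffic.
    for host in ("www.example.com", "93.184.216.34"):
        req = build_connect(host, 443)
        print(req.hex(), parse_connect(req))
```

The dictionary's remote_dns flag is what you want to see as True for every request once the about:config change is in place; a SOCKS v4 proxy setting, or the toggle left at False, produces the address-type-1 form, and the hostname lookup has already happened on the coffee shop's network before the tunnel ever sees the request.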

Although we're configuring our browser for SSH-all-the-time, you may wish to easily toggle your settings. Firefox
has a handy extension, FoxyProxy, that makes it super easy to toggle your proxy servers on and off. It supports
tons of configuration options like switching between proxies based on the domain you're on, the sites you're
visiting, etc. If you want to be able to easily and automatically turn your proxy service off based on whether you're
at home or away, for example, FoxyProxy has you covered. Chrome users will want to check out Proxy Switchy!
for similar functionality.


Let's see if everything worked as planned, shall we? To test things out we opened up two browsers: Chrome (seen
on the left) with no tunnel and Firefox (seen on the right) freshly configured to use the tunnel.

On the left we see the public IP address of the coffee shop's internet connection and on the right, courtesy of our
SSH tunnel, we see the public IP address of our distant home router. All Firefox traffic is being routed through the
SSH server. Success!

Have a tip or trick for securing remote traffic? Use a SOCKS server/SSH with a particular app and love it? Need
help figuring out how to encrypt your traffic? Let's hear about it in the comments.


Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking open cases and wrestling with code so
you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably
already at the workbench taking it apart). You can follow him on Twitter if you'd like.

Published 07/13/11
