Before I get into the mechanics behind what ssh tunneling is, I think it best to explain why you should give a damn. Tired of school/work firewalls blocking you from going places? Tired of using public wifi and knowing that everything you’re doing can be traced by someone who isn’t even tech-savvy? This solves those problems. That’s right, now you can bypass your mean restrictive networks at work or school, and nobody can trace where you’re going.
SSH tunneling is awesome.
Introduction
Alright, so what IS ssh tunneling? Ok, by now, I imagine if you’ve been reading along and following instructions, you have a server running, and are able to connect via PuTTY to it, right? No? Then go look up how to do that, because that’s very important.
SSH tunneling basically is rerouting all your internet traffic through a different port on your pc to communicate with whatever server you’re making the ssh connection to. That server will then go out and get your webpages and send ‘em back through the same port.
What that means in non-geek is that your web browser won’t go through your company’s firewall; it’ll go through the firewall of the server you’re tunneled to. And in my case, my servers at home don’t have any restrictions… I can go where I please.
The best part of all of this is all your requests and responses on the internet are encrypted in that ssh session. Nobody monitoring your company’s internet traffic will be able to detect what sites you’re going to. This is useful if you’re using public wifi somewhere, and you don’t want anyone listening in.
The Tutorial
Alright, learning objective over… you wanna know how the hell to do it, am I right?
First, you’ll need an ssh client, which you should probably already have. Many by now are probably using a client called PuTTY, but I’d like to recommend a newer product called KiTTY. KiTTY is basically PuTTY on steroids. The makers of this application basically took the PuTTY application, and then built a whole bunch of extra stuff on it. If you know and love PuTTY already, then you’ll love KiTTY, as KiTTY is really PuTTY behind the scenes.
So, we got KiTTY, so now what? Type in your server’s hostname and port number you’ll use to connect via ssh to. Next, in the left menu, go to SSH >> Tunnels. Click the radio button for “Dynamic” and then type ‘8888’ for the source port. Click add.
Now, back in the left menu, click Session. You can save this information if you like by typing a name and clicking save. Once/if that’s done, click open.
It’ll prompt you for your username and password as always, so go ahead and type ‘em in. You now successfully have a tunnel established.
Now comes the annoying part. That last part wasn’t annoying at all… you only entered data into 4 fields and clicked connect.
You have 2 paths here you can now follow…
- Firefox –
- Pros: easy to set up proxy browsing, don’t need admin privileges,
- Cons: can only browse internet through firefox.
- Global –
- Pros: works on every application that connects to the internet, full security
- Cons: less easy to set up proxy browsing, need admin privileges.
Let’s do it the firefox way, just to test it and see if it’s working. Download and install firefox, if you haven’t already. Click firefox’s start menu in the top left, and click options. Under advanced, click the Network Tab. There should be a category called Connection with a button that says “Settings”. Click this button.
Click the radio button for Manual proxy configuration. This will make the text fields active. Only enter data for SOCKS Host, so if any of the other fields have data in them, clear ‘em out. In the SOCKS Host field, enter: 127.0.0.1 and port 8888. Click the radio button for SOCKS 5, and click OK. Congratulations, you are now done. To test it, you can go to WhatIsMyIPAddress and see what area it thinks you’re coming from.
This is why network admins hate firefox so much: this is the one thing they can’t control about it.
Well, now I’m sure you’ll want to know about the global way to connect to this proxy, right? I mean it’s great that firefox can connect and all, but what if you want to talk to people on aim, or play minecraft, or lord knows what else? Well, the caveat here is that you need admin privileges, and many schools and offices don’t give you that luxury.
Assuming you do, follow along. Go to the start menu, and type in ‘Internet Options’. It’ll be the first link returned at the top. Click the Connections tab. Click the button on this screen that says LAN settings. On this screen, check the box that says “Use a proxy server for your LAN…”. Click the other checkbox for Bypass proxy server for local addresses as well. Now click advanced. Make sure all fields are blank. Under Socks, type 127.0.0.1 and port 8888. Click ok, and you are done. Test the connection now as before in firefox.
And that concludes the ssh tunneling tutorial. Some questions I had as I was going through this I also found answers to, so I’ll post ‘em here for you:
Questions
So I can browse as much as I want and my company will never know?
Your company can monitor the volume of traffic. Just because they can’t see what the traffic is doesn’t mean they can’t see that a lot of traffic is happening. For instance, if you look in a sewer, and you see a pipe getting really big, you may not know what’s in that pipe (nor do you want to find out) but you do know whatever it is, there’s a lot. Don’t be an idiot and stream music and videos all day, or they’re going to get wise to what’s going on.
Why do I type in 127.0.0.1 instead of the server I’m connecting to in ssh?
You already made the connection to the server. PuTTY (or KiTTY) will handle all internet traffic for you so you don’t have to worry about it. You established that connection through source port 8888. That means any traffic going through port 8888 will go to the server you connected to rather than out to be judged by the company firewall. The only time you’d want to type in an address besides your localhost address is if you had a separate machine that did the ssh tunneling for you… then you’d type in that machine’s IP address (or dns name) rather than the localhost.
So there’s no way for anyone to track where I’m going or what I’m doing?
Well, that’s not technically true. Nobody monitoring the company network will figure out what you’re doing, but if anyone’s monitoring the server you’re connecting to, they will see what’s going on. I have nothing to worry about since my server is running out of my house, so no one at my office would have any reason to even consider it as an option. I’d be less worried about your company monitoring your traffic and more worried about the FBI monitoring your traffic.
The End
Alrighty, that’s all there is to it. Enjoy freedom and browsing anonymity (at least as far as your school/work/publicWifi is concerned).