***I do not endorse using this for anything that would break your company’s internet use policy. This is for users who have legitimate business needs and/or like having secure connections while using public internet (Starbucks, airports, hotels, etc.)***
Our office recently made some firewall/proxy modifications and I could no longer do a few things. I couldn’t access my Gmail via Outlook, couldn’t download torrents, and some other things I’m sure I could list if I wanted to take the time. These may not seem work related, but I do use Gmail to test applications and use uTorrent to download utilities I use here at work. I had to find a fix.
I have a couple of Linux servers with ssh access and I can still get out via ssh, so I thought it was a good time to delve into learning about ssh tunnels. It is incredibly easy. This is for tunneling from a Windows client (it is easy from Linux as well, but I am not including that in this post) to a server running the OpenBSD SSH daemon. Here is a quick guide:
First, you’ll need to install ssh. It is most likely already installed on any Linux box, so I won’t go too far into it. If you are just now installing it, I can at least say that in Ubuntu the command is:
sudo apt-get install openssh-server openssh-client
Nothing else really to it for starting out, although you may want to google some guides for securing/restricting access.
OK, so once ssh is installed, you will need to modify the configuration file (/etc/ssh/sshd_config). You will need to change/add the following lines:
PermitRootLogin forced-commands-only
PermitTunnel yes
Alternatively, you could use “PermitTunnel point-to-point”, but I think going with “yes” is more flexible for future modifications. Alright, the server side is done. Simple enough, right?
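Added example, not from the original post: a short Python check that reads sshd_config text and reports which kinds of forwarding its global settings allow. It shows that the PuTTY dynamic and local forwards used in the rest of this guide depend on AllowTcpForwarding (on by default), while PermitTunnel governs tun(4) device forwarding, a separate feature. Assumptions: the sample config is constructed, Include files are not followed, and only settings before the first Match block are read.

```python
# Constructed sample: the two lines from the post in an otherwise minimal file.
SAMPLE_CONFIG = """\
# constructed sample, not a real server's file
Port 22
PermitRootLogin forced-commands-only
PermitTunnel yes
# a later duplicate is ignored: the first value of a keyword wins
PermitTunnel no
Match User backup
    AllowTcpForwarding no
"""

# Defaults documented in sshd_config(5) for current OpenSSH releases.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "permitrootlogin": "prohibit-password",
}

def effective_global(config_text: str) -> dict:
    """Return the global value of each tracked keyword (Match blocks skipped)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # everything after the first Match line is conditional
        if keyword in DEFAULTS and keyword not in seen and len(parts) == 2:
            seen[keyword] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}

def forwarding_report(config_text: str) -> dict:
    """Map the settings to what a client may request from this server."""
    cfg = effective_global(config_text)
    tcp = cfg["allowtcpforwarding"]
    return {
        "local_and_dynamic_forwards": tcp in ("yes", "all", "local"),
        "remote_forwards": tcp in ("yes", "all", "remote"),
        "tun_device_forwarding": cfg["permittunnel"] != "no",
        "root_login": cfg["permitrootlogin"],
    }

if __name__ == "__main__":
    print(forwarding_report(SAMPLE_CONFIG))
```

Running the same report on a config with PermitTunnel set to no still shows local and dynamic forwards allowed, which is the setting to review when restricting who may tunnel through the server.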
Now, go ahead and download the PuTTY ssh client.
Open up PuTTY, type in the IP/hostname of your server, and select SSH.

Expand Connection>SSH on the left and select “Tunnels”
For Internet browsing and some other applications, normally a dynamic tunnel is best. Type in a port that is normally unused (I used 7070, but most people advise using something above 10000), select Dynamic, then hit “Add”.
This is all you will need for internet browsing and torrents, but for now we’ll continue with the Outlook requirements. Since Outlook does not allow proxy server configuration, you will simply have to forward ports on your machine, through the tunnel, to the ports on the mail servers you are connecting to.
Open up Outlook and go to Tools>Account Settings.
Select the account you want to go over the tunnel and hit Change.
First, note your incoming and outgoing mail server names (mine are already changed to the final setting in the screenshot).
Then click “More Settings…” and go to the “Advanced” tab.
Now take down the incoming and outgoing server port numbers.

OK, go back to your PuTTY configuration and put the incoming server’s port number in “Source port” and the incoming server name:port number in “Destination”.

Click Add.
Do the same for the outgoing server.
Once you have done this, go back to the “Session” section of PuTTY on the left and hit Save. Now, to connect your tunnel, hit Open.
To enable your applications to use the new tunnels, we will need to make a couple more small changes.
FIREFOX:
Go to Tools>Options
Click the Advanced tab, and the Network tab within that.

Select Settings…
Choose Manual proxy configuration:
Fill in the SOCKS Host: line with localhost, and set the Port to whichever port you chose for the dynamic port in the tunnel (mine was 7070). Select SOCKS v5 and hit OK.

Now, your Firefox will browse via your home internet connection.
INTERNET EXPLORER
Almost identical to the Firefox configuration.
Go to Tools>Internet Options
Click the Connections Tab, then click LAN Settings
Fill in the proxy data:

(My layout may look different, I am using IE 9 beta, but they all have the same options with a slightly different look)
UTORRENT
Go to Options>Preferences
Select Connection.
Under Proxy server, change the Type to Socks5 and put 127.0.0.1 in the Proxy: line and the port into the port line.
Make sure to check “Use proxy server for peer-to-peer connections”.
Click OK.

OUTLOOK
OK, the one I’m sure most of you are the most interested in, Outlook.
All we have to do here is go back to the account settings where you viewed your incoming/outgoing server before, and change the server name to “localhost” (without the quotes).
You should be all set. The only thing to note is that these applications will only work with those settings while your tunnel is connected. If you close PuTTY, or are back at home and don’t need the tunnel, just uncheck the proxy option in each application. Everything except Outlook will keep your settings, so you only have to go back and re-enable the proxy to use the tunnel you created before. For Outlook, you would have to put the incoming/outgoing servers back in.
Let me know if you have questions about other apps, ideas for improvement, or any problems.



Hey, I can’t view your site properly within Opera, I actually hope you look into fixing this.
I have no issues with Opera 10.63 on Windows 7, Opera 9 (unsure of minor) on OS X 10.5, or Opera Mini 5.1.21052 on Blackberry Bold. What version & OS are you using?
One thing I forgot to mention is this doesn’t block DNS queries, which shouldn’t be much of an issue, but if you really want to change this, you’ll have to change your DNS servers manually (I’m not sure yet how to move them over the tunnel). Try using some from 4.2.2.1-4.2.2.6. These are free public DNS servers and will work for any internet browsing/torrents/etc, but they won’t allow you to access local resources wherever you are.
Hi,
Is there any decrease in bandwidth while connecting from the client to the server in terms of browsing or downloading files while connected through the tunnel? The internet speed at my client side is much faster than the connection at home. So based on that environment, what do you think?
Great article btw.
Well, yes, considering your traffic is now being encrypted between the client and the server, that will add some overhead. On the default settings for openssh server, though, that throughput loss is minimal. I honestly don’t even notice it, but was interested and found that I get about 4% of my bandwidth (that I’m using) going to encryption overhead. For example: send 50MB through tunnel, there is no bandwidth drop, but after encryption, I am actually sending 52MB across the pipe.
Now, as for your client side being faster, when you use the vpn, your maximum possible bandwidth is the bandwidth at the slowest location (+4% extra data sent from encryption). Technically, your home computer or tunnel endpoint is where you are browsing from, so that is the maximum bandwidth you would get.
Really, though, there aren’t many free options out there to allow you to tunnel out like this, and this could also be used as a vpn to connect to file shares and use rdp/vns/w.e on machines at another location. OpenSSH is really the ideal free vpn, for business or personal use, in my opinion. Hopefully this helps, let me know if you have any other questions
This might be out of scope, but just curious if you may know anything on it. I have set up my SSH server on my windows box at home using CopSSH. Now while at school(where everything is blocked) this article works well being on another computer using PuTTY.
I use my iPhone 4 most of the time at school to browse sites, chat etc. Any idea how to set up SOCKS proxy on an iPhone 4 to connect to my SSH server at home and achieve the same thing written in this article?
Unfortunately, I don’t really have a lot of experience with iPhones, but this seems like a fairly good option. Just use the app below. Tunnel address is public address of home computer, wifi address is 127.0.0.1, put in your port (22 by default) and password to connect. Then on the main menu of the app, it gives you the option to browse over the tunnel.
http://iphone-tunnel-suite.software.informer.com/
Excellent post, thanks
thanks !! very helpful post!
This works well for apps that you can configure to tunnel but what about those that you cannot? How do I make a connection to the ssh server where ALL traffic will route? So in other words I can make a new connection on my windows machine and it will be a dedicated VPN connection to the ssh server such that I don’t need to change any setting in outlook or Firefox etc…
Well, for a full VPN and not just port forwarding/tunnelling, it is possible via OpenSSH but not with Windows clients at this time (at least not to my knowledge). Really, if you’re wanting something more robust, I would recommend OpenVPN. I have used it for a couple of my clients in the past. I did have it for my home network but really SSH is all I need and it is already running on all of my servers anyway. OpenVPN works with Windows, Mac, & Linux, it’s free, and fairly simple to set up. There are plenty of how-to’s out there, but I may write something up on it in the near future anyway.
Hope this helps