SSH Tunnelling with Firefox & PuTTY
With two free pieces of software for Windows (Firefox & PuTTY) and a little bit of basic TCP/IP knowledge, you can create an SSH tunnel to your Mac at home (or almost any Unix/BSD/Linux based machine you have an account on), and encrypt your browsing session from another location.
This diagram shows the fundamental difference between how an unmodified Internet Explorer and a correctly configured Firefox would fetch a webpage under this system.
While it is possible to set Internet Explorer to use the SSH tunnel (via a local SOCKS proxy), it does not support remote DNS requests and is therefore not recommended.
These instructions assume the use of a Mac running OS X 10.4, Firefox 2.0.0.3 and PuTTYTray 0.59. Instructions may need to be adjusted slightly for different versions. PuTTYTray is used, over PuTTY, because it allows the window to be minimized to the system tray. If you actually intend to use the shell while you’re connected, go with PuTTY instead. They also assume both computers are behind straightforward NAT routers/firewalls.
So, let's begin. There are just a few simple steps to achieving this. We'll assume that you want to implement this at work, connecting to your Mac at home.
- Enable SSH on your Mac.
- Configure port forwarding on your home router.
- Configure PuTTYTray to create an SSH tunnel, and a local SOCKS proxy.
- Configure Firefox to use the SOCKS proxy and send remote DNS requests.
- Test to ensure all is working.
Enable SSH on your Mac (at home)
- Open System Preferences
- Open the Sharing preferences pane
- Tick Remote Login
Configure port forwarding on your router (at home)
This step is only necessary if you have a NAT router between your computer and the Internet. If you don’t, you really should consider getting one. It’s much safer than connecting directly via a USB cable/DSL modem.
In most instances, you can simply enter the private IP of your router into a web browser, then enter the default username and password. From this control panel, you should be able to forward port 22 to the internal/private IP of your Mac. If you’re not sure what you are doing at this point, it’s time to brush up on private networks, network address translation, and TCP/IP.
Configure PuTTYTray on XP (at work)
- Under Connection -> SSH -> Tunnels, enter 7070 in the Source Port box, then make sure Dynamic and Auto are checked at the bottom, before clicking Add.
- Under Connection, enter 360 in the Seconds between keepalives box.
- Under Window -> Behaviour, click on Minimize to tray: Always
- Under Session, enter the public IP address of your home router into Hostname, set the Port to 22, and Connection type to SSH. Finally enter an identifying name in Saved Sessions and click Save.
- Now simply choose that session name in the list and click Open.
- You should now get a login screen on your Mac at home. Enter your Mac username & password, and then minimize the window.
Configuring Firefox on XP (at work)
- Visit http://www.whatismyip.org and note the IP address.
- Open Tools -> Options -> Advanced -> Network -> Connection -> Settings
- Choose Manual proxy configuration
- Set the SOCKS Host: to 127.0.0.1, and the Port: to 7070. Choose SOCKS v5 and set No Proxy for: to localhost, 127.0.0.1
- Click OK, then OK again.
- In the URL box of Firefox, enter about:config
- In the Filter box, enter network.proxy.socks_remote_dns
- Ensure the value in the pane below is set to true. You can double click the entry to toggle it on and off.
- Restart Firefox
That’s it. It should all now be working.
Testing
- Visit http://www.whatismyip.org again. It should now show your home IP address rather than that of the computer/network you are working from. If it does, this means that the Proxy is working. Now you need to check if DNS requests are being serviced by the Mac too.
- Enter the private IP address of your router at home (e.g. http://192.168.0.1). If DNS requests are being sent remotely, you should see your home router control panel.*
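What the network.proxy.socks_remote_dns setting and the second test above actually change is the SOCKS5 CONNECT request Firefox sends into the PuTTY tunnel: with remote DNS on, the request carries the hostname and the SSH server at home resolves it; with it off, Firefox resolves the name on the work network first (leaking the lookup) and sends only the resulting IPv4 address. The following Python script is an added example, not part of the original post or of PuTTY/Firefox; it builds both kinds of request, runs them through a small stand-in proxy on the loopback interface that parses the request the way the tunnel endpoint would, and reports which address type arrived. The hostname router.example, the address 192.168.0.1 in the FAKE_DNS table and the loopback stand-in proxy are all constructed for the demonstration.

```python
"""Show the on-the-wire difference between local and remote DNS in a SOCKS5 CONNECT."""
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

# Constructed stand-in for the local resolver on the work network.
FAKE_DNS = {"router.example": "192.168.0.1"}


def fake_resolver(host: str) -> str:
    """Pretend local DNS lookup (a real client would call socket.gethostbyname)."""
    return FAKE_DNS[host]


def build_connect_request(host: str, port: int, remote_dns: bool, resolver=fake_resolver) -> bytes:
    """Build the SOCKS5 CONNECT request a client sends after method negotiation (RFC 1928).

    remote_dns=True  -> hostname in the request (ATYP 0x03); the proxy end resolves it.
    remote_dns=False -> the client resolves the name locally and sends the IPv4 (ATYP 0x01),
                        so the DNS query is visible on the local network.
    """
    if remote_dns:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolver(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Parse a CONNECT request the way the proxy end of the tunnel sees it."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, end, kind = socket.inet_ntoa(data[4:8]), 8, "ipv4"
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end, kind = data[5:5 + n].decode("idna"), 5 + n, "domain"
    else:
        raise ValueError("unsupported address type")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"kind": kind, "host": host, "port": port}


def _fake_proxy(listener: socket.socket, seen: dict) -> None:
    """Stand-in for the tunnel endpoint: answers one SOCKS5 client and records the request."""
    conn, _ = listener.accept()
    with conn:
        greeting = conn.recv(257)                       # VER, NMETHODS, METHODS...
        if greeting[0] != SOCKS_VERSION:
            return
        conn.sendall(bytes([SOCKS_VERSION, 0x00]))      # select "no authentication"
        seen.update(parse_connect_request(conn.recv(262)))
        # Success reply with a zero bound address; a real proxy would now relay bytes.
        conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + b"\0\0\0\0" + b"\0\0")


def socks5_connect_via_loopback(host: str, port: int, remote_dns: bool) -> dict:
    """Run one client/proxy exchange over loopback and return what the proxy saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                    # any free port, like PuTTY's 7070
    listener.listen(1)
    seen: dict = {}
    worker = threading.Thread(target=_fake_proxy, args=(listener, seen))
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))   # offer "no authentication"
        if client.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise RuntimeError("proxy refused our auth method")
        client.sendall(build_connect_request(host, port, remote_dns))
        reply = client.recv(10)
        if reply[1] != 0x00:
            raise RuntimeError("proxy rejected CONNECT")
    worker.join()
    listener.close()
    return seen


if __name__ == "__main__":
    for flag in (True, False):
        print("socks_remote_dns =", flag, "->", socks5_connect_via_loopback("router.example", 80, flag))
```

Run it and the first line shows the proxy receiving a domain name (what you want: the name is resolved at home, which is why the router test above reaches your home router), while the second shows only an IPv4 address arriving, meaning the lookup already happened on the work network before anything entered the tunnel.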
Precautions & Other Notes
- If you have Little Snitch on your Mac at home, you may have to configure it to allow SSHD to communicate with the internet, otherwise it will not let traffic through.
- Be aware that although the HTTP traffic is now encrypted, the remote router may still log the fact that an SSH session took place.
- *On the final step of testing, when you connect to your private router IP address, for God's sake make sure it actually is your home router. The network you are on may be using the same router model, with the same username and password. Unlikely? You'd be surprised how many people don't change those settings.
- Apparently, you can also tunnel Pidgin and Thunderbird through the tunnel in a similar way. I prefer to keep things simple and just use Meebo and Gmail instead.
- Thanks to Thinkhole Labs for the idea. I just tweaked the instructions to work better for me.
- Finally, although these instructions worked for me, I accept no responsibility whatsoever for any consequences that might arise as a result of you using them.
Good luck!
