Proxify your traffic through an SSH tunnel

01 Mar 2012

Sometimes it may be necessary to proxify your connections, for privacy reasons or because of a restrictive network. In this guide I'll explain how you can do this over a so-called SSH tunnel. It's a covert channel that allows you to send all your traffic over an encrypted tunnel to a server under your control. This will prevent eavesdroppers from seeing your traffic.

Proxifying your traffic

Most of the time we use a SOCKS 5 tunnel. SOCKS is an Internet protocol that routes network packets between a client and server through a proxy server.

Encryption

This means that all your traffic is encrypted with RSA before being sent over the network, which in turn means no one can see what you are doing. However, one would still be able to see the endpoint of the SSH tunnel to which traffic is forwarded and the amount of traffic you use.

Why SSH Tunneling might be interesting for you

SSH tunneling might be interesting for several reasons beyond just an encrypted tunnel. On many networks SSH traffic is prioritized. Should a network be flooded with traffic, there would still be an option to access servers and other network devices through SSH, even when the network is congested. By using SSH tunneling, your own traffic might be prioritized and you can monopolize the network. As a system administrator I see to it that SSH traffic is prioritized but also limited in bandwidth. If you are only going to use pure SSH, a 30 KB/s connection should be sufficient to administer your servers.

Another reason you might use SSH tunneling to the benefit of a network is to lower the number of ports you use on the local network. If NAT is enabled on a network and you want to use a protocol that uses a lot of ports (example: torrent), it might be better to use an SSH tunnel to your own server. You will use only one port on the local network and more on your own server. This is better for the network, as more ports are available for other users.

Windows: Proxifier

A program I came across a few years ago was Proxifier; it is a nifty program that allows you to easily tunnel all your traffic or just certain programs. I use it together with PuTTY to set up the tunnel. First, in PuTTY, set up a profile for a certain host:
  1. fill in the hostname with IP and port (destination server)
  2. go to SSH
  3. go to tunnels
  4. select dynamic source port 9999 and destination port 1234
  5. open the session and log in
Now we have our proxy open and one could set up a connection with Firefox as discussed in the section "Linux: openSSH". Suppose we want to proxy every single connection: for that we can use Proxifier. After installing Proxifier:
  1. open Proxifier
  2. click Proxy Servers
  3. click add and you'll get to the second image
  4. fill in localhost as address
  5. fill in 9999 as destination port
After this, use the check option to see if it works. When you click OK, all your connections will be sent through the proxy.

Linux: openSSH

When using openSSH it is very easy to set up a proxy. Say you want to set up a connection to foo.bar:

 ssh bob@foo.bar -D 9999 -C

This would set up an SSH connection to foo.bar for user bob. The -D option allocates a socket to listen on the port specified after this option (in this example it would be 9999). Connections made to this port are forwarded over the secure channel. The -C option turns on compression, which might be handy for some slower networks. If you just want to proxy your Firefox HTTP traffic, open the network control panel:

  1. go to edit -> preferences -> network -> settings
  2. enable Manual proxy configuration
  3. SOCKS Host: localhost
  4. Port: 9999
You can check this by asking Google "what is my ip". If it is that of the server you are connecting to, then you have been successful. There are a lot more options for openSSH, so if you want to know more, I suggest you read the extensive manual on the subject. To proxify all your connections on Linux/UNIX you can use a program called Proxychains; they have an in-depth guide over here.

But...

When I said that it tunnels every single connection, I wasn't completely truthful: it tunnels all TCP traffic. This means UDP does not get tunneled. Why, you may ask? Because UDP is a connectionless protocol, and our SSH tunnel works with connection-oriented protocols (TCP). So you have three options here:

1) Doesn't matter to me

I don't mind that people see UDP packets (DNS, VoIP), so I don't want to tunnel them. This means that they can still deliver you wrong information: when you do a DNS request, the network firewall may intercept the message and respond to it with a wrong IP.

2) I have a VPN somewhere

If you have a VPN somewhere, you can use it to send this traffic through the tunnel (or just use the VPN altogether if it is not blocked on the network). A VPN will tunnel UDP packets; however, it needs to be configured to use TCP and not UDP when you send it through your tunnel. (If you can just set up an encrypted VPN, then you don't even need to bother with the SOCKS5 tunnel.)

3) I can use netcat

You can use netcat as described here.
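
For the DNS concern in option 1, what matters is the address form the application puts in its SOCKS5 CONNECT request: a request carrying a host name is resolved at the far end of an ssh -D tunnel, while a request carrying an IP means the lookup already happened on the local network. The sketch below is an added example, not part of the original guide; the function names, the name_lookup field and the sample destinations (example.org, 192.0.2.10) are constructed for illustration.

```python
import ipaddress
import struct

VER, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
ADDR_LEN = {ATYP_IPV4: 4, ATYP_IPV6: 16}


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request (RFC 1928, section 4)."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        # Not an IP literal: send the name itself, length-prefixed.
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0, atyp]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Decode a CONNECT request and report where the name lookup happens."""
    if len(data) < 5 or data[0] != VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = data[3], data[4:]
    if atyp == ATYP_DOMAIN:
        alen, body = body[0], body[1:]
    elif atyp in ADDR_LEN:
        alen = ADDR_LEN[atyp]
    else:
        raise ValueError("unknown address type")
    if len(body) != alen + 2:
        raise ValueError("truncated or oversized request")
    raw, port = body[:alen], struct.unpack("!H", body[alen:])[0]
    if atyp == ATYP_DOMAIN:
        # The name travels inside the tunnel; the far end resolves it.
        return {"host": raw.decode("ascii"), "port": port, "name_lookup": "remote"}
    # The client already had an IP: any DNS query went out locally.
    return {"host": str(ipaddress.ip_address(raw)), "port": port, "name_lookup": "local"}


# Constructed samples: one destination sent as a name, one as a resolved IP.
BY_NAME = build_connect_request("example.org", 443)
BY_IP = build_connect_request("192.0.2.10", 443)

if __name__ == "__main__":
    for request in (BY_NAME, BY_IP):
        print(request.hex(), parse_connect_request(request))
```

In Firefox, the "Proxy DNS when using SOCKS v5" setting in the same connection settings dialog decides which of the two forms the browser sends.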

Conclusion

There are many different ways to proxify your connections. A SOCKS5 tunnel offers some very nice advantages, even though it does not support UDP (not in a native way).