There are a number of very good reasons you might want to route your internet traffic thru an encrypted tunnel – be it for security reasons (all traffic between you and the server you’re proxying thru would be well encrypted), privacy reasons (hiding your real IP address, and thus location), technical reasons (getting around IP-based authentication restrictions, creating a poor-man’s VPN), or simply because you can. Below, I’ll show you how to do it, easily, reliably, and securely.
What is described here is the “tunneling” of applications’ traffic thru an encrypted SSH connection. To do this, obviously, you need a shell account. If you have your own server, you can certainly use that; if not, you can mooch one from a friend with a server somewhere, pay for one, or try to get a free one from somewhere. Any which way you get one, it’s a requisite.
Also required is the ability to create a SSH connection. If you run linux or a UNIX-based OS, you’re set. If you’re running Windows, you’ll probably find PuTTY quite useful. There are other SSH clients out there, but PuTTY is (probably) the best of the bunch, and certainly the most popular.
Having acquired PuTTY (or the smartcard-enabled version, if you use cryptographic tokens for authentication), load it up; you should get a screen something like this:
In the address box, put the hostname or IP address of the server you have an SSH account on; here we’re using example.tld . Make sure the SSH radio button or check-box is ticked, and be sure you’re using port 22. In the menu, click on “SSH”, and you should see a screen similar to this:
Here, select “enable compression”; this will compress the traffic thru your SSH tunnel, which not only provides a modest improvement in transfer rates, but has some minor security benefits as well. Set your preferred protocol to “2″, or “2 only”, and click on the “tunnels” menu under SSH:
At the bottom, select the “dynamic” button, and enter a source port. In the example, we’re using 4567, but any port not otherwise in use on your machine will work just as well. Click the “add” button, and you should see something like this:
That out of the way, go back to the “session” tab in the menu, enter in a title for this proxy, and click save.
The hard part’s out of the way, now; all that’s left is to try out our new SSH tunnel. Fire up PuTTY, select the connection we just saved, and login as normal to the account you’re using. Now, open whatever SOCKS-compatible application you’d like to tunnel; in the example below, we’re using everyone’s favorite web browser, FireFox. Regardless of the application, you need to get to the proxy settings. In FireFox under Windows, it’s under Tools -> Options -> General -> Connection Settings.
Once there, put in “127.0.0.1″ for the proxy address (Windows doesn’t know “localhost” from Adam), and the local port you chose earlier; in our example it’s 4567:
Socks5 is preferable to version four, and supported by our SSH tunnel, so select it. Click OK, and you should now be proxying thru the server with the SSH account; a quick check of one or more “What’s my IP?” websites should confirm this.
Unix and Linux users don’t need PuTTY; you geeks can simply type:
ssh -2 -C -D 4567 email@example.com
…and go from there. The options select the SSH2 protocol (-2), to use compression (-C), and the local port you want to use (-D 4567).
With the advent of portable applications that can run off flash drives, including Firefox Portable, it’s possible to take relatively secure, reasonably private internet access with you wherever you go; PuTTY runs fine off removable media, like thumb drives. You can tunnel web and email traffic easily, some instant-messenger traffic, some P2P applications, and probably most other things with a little effort. One thing you absolutely, positively cannot tunnel thru a connection like this is FTP traffic, for purely (and unavoidably) technical reasons.
What you’re doing is creating a secure connection between your computer and a remote computer. Everything passing between these two computers is encrypted (and compressed, if the server supports it). Your browser requests, as an example, then come “out” the remote server and to their destination; the response comes to the server, then gets encrypted and sent back to you thru the secure tunnel. This is a great way to secure traffic thru wireless connections, among other things. Under normal circumstances, the traffic to and from the tunnel won’t be logged, though packet sniffers running on the remote connection could, of course, see the unencrypted half of all traffic.
An interesting little note about SSH is that you can create a tunnel thru an SSH account even if you’re not logged in, or incapable of getting an actual shell. A good discussion of the phenomenon is here. In PuTTY, go to the SSH screen, and tick “Don’t start a shell or command at all”; for the CLI geeks, just add “-N” to your ssh command.