Unprotected Wi-Fi: Encrypt your traffic with an SSH SOCKS Proxy to Browse Securely

Unprotected Wi-Fi: The bastion of coffee shops, airports everywhere. Browsing on these hot spots is basically like having unprotected sex with the Internet. My new solution:

Just kidding. Anyways, if you do browse on an unprotected hotspot, it is very easy for anyone to see all your web traffic, your passwords, your email, basically everything you do. They can save this info, then go home and get into all your accounts, basically take over your life if you give away the right info. You don’t want that do you?

Now, when I decided to finally get secure, I did some research, looking on Google, I figured someone had already done this and documented it well. The best and most comprehensive thing I found was on Lifehacker with an article in their “Geek To Live” series. Now I went through these steps, and I had some issues getting things working. I followed their steps to the letter, but it still didn’t work. I am on Windows Vista, which in the comments of the article, looks like other people had issues as well. We will get to that later 🙂

The Lifehacker article has you use Cygwin for all the SSH stuff. Pretty much this is what doesn’t work on Vista, at least from my conclusions. Over the last week or so I have been working with network guru Chris Super (my loyal tester) to get this whole setup working, and he came to the same conclusion. So, what do you do when Cygwin doesn’t work and you are running Vista? Well there are some other tools you can use to get this all running smooth. And a side note, Cygwin – ugh, why don’t you have an uninstaller? So 1996….

Step 1: SSH Server

First you are going to have to set up a SSH server. I have a Vista box at home sitting under the TV, the perfect candidate. Instead of Cygwin and configuring stuff with a command prompt, you can install a cool looking GUI SSH Server, freeSSHd – this program really is cool. First, they are using components from WeOnlyDo software, which I have used before in some of the .NET networking tools I have written. Second, they make this really easy to set up and configure. You install it, add a user (NT auth or regular), set some options for tunneling and access and you are set. If you have issues with this step I can help you out, but the options are pretty self explanatory. One thing I found is that when you add a new user, you need to restart the service for the user to work. One other thing I did was run my SSH server on a different port than the default (22) as people just try to hack this port all day. Pick something way up in the list 22822 for example.

Step 2: Dynamic DNS

The second step, unless you are running in a datacenter, is to make it so you don’t have to connect to your IP address. Instead, we want a cool domain name. What I used for this is Dynamic DNS. Chris actually blogged about this a while ago, which reminded me of the service. They have come a long way since they first started, which is nice. What you do is sign up for their service, and then install their updater tool on the same computer or another computer on your internal network. How this tool works is it checks on an interval your remote IP and updates the Dynamic DNS service. Pretty cool. Now you can remember a human readable domain name instead of your IP address!

Step 2.5: Configure your Home Router

Now that you have your SSH Server running, and your domain name pointing at your cable modem, you want to configure your router. Most if not all routers have a way to forward ports to internal IP Addresses. What you want to do is allow the port you configured in step 1 (22822) to forward to the internal IP address of your SSH Server box. That way, when you do requests to your SSH server from outside your internal network, the traffic will go to the correct box. Save your settings and you are good to go.

Step 3: SSH Client

Here is another place where Lifehacker’s steps didn’t work for me, because of Vista again. Cygwin really doesn’t work worth a damn on Vista it seems. A really good SSH Client that works on Vista is Putty. There isn’t even an install, it is just an exe. Awesome. Basically what I did was create a batch file to run putty with the command line options I wanted. The major caveat to get this to work is you need to run putty as an admin. I have that already set up on my box so no issue, but you might need to run a cmd prompt as administrator to get this to work!

One line in the batch file:

putty -D 9999 -P <the port you configured from step 1>-l <login name you configured in step 1> -ssh <your domain name from step 2>

Replace the pieces in <> with your values. The 9999 in the command is the local port that your client applications will connect to, which then gets forwarded out to your SSH server through your domain name. We will get to that in Step 3.

Once you run putty, it should ask you to login with the password you created in step 1, and you are good to go. You need to have tunnel set up for your user in the SSH Server. You might have SFTP and Shell also set up, so you will see putty show you a command line. This is the command line on the actual server on your internal network! You should now be connected to your SSH server, but yet, you still aren’t secure, because no applications are set up to use the new proxy yet.

Step 3: Configure Client Applications

Now you can configure your applications on your laptop to use your new proxy. The major applications you need to configure are your Internet Browsers. Firefox and Internet Explorer.

In Firefox, go to Tools->Options: Advanced Tab, Network Tab, Settings Button. Check the radio button for “Manual Proxy Configuration”. in the SOCKS Host area put localhost (you might need to put 127.0.0.1) and then the port you configured in step 1.

In Internet Explorer (7.0), go to Tools->Options: Connections Tab, LAN Settings Button. Check the box to “Use a proxy server for your LAN…”, click the Advanced button, in the Socks area, put localhost and the the port you configured in step 1

Wow, tons of steps to just change a little setting! I have been playing with a way to automatically set these up based on your local IP Address but haven’t perfected it yet. Once I do, I will post up an easier way.

Other applications you might have on your machine are email, IM, etc. As far as email, you might want to use a web mail client at this point. Also, for IM, you can configure them all to use SOCKS, but when I am the coffee shop I use a web based IM like Meebo because since your Internet session in your browser is already secure because you configured your SOCKS settings in your browsers, your IM’s will also be secure. There are a few other applications that you might use, like Windows Live Writer, etc and they usually have a place to set up SOCKS settings. If an application doesn’t have a place to set up SOCKS, then you probably don’t want to use it.

If you do have a corporate VPN client, you can connect to that as it is secure, and then connect to corporate sites internally and email, etc. Usually corporate networks
have tunnel’s set up when you connect to VPN. All your “corporate” traffic will go down the secure tunnel, while other traffic (such as IM, Browsing, etc) will go down an unsecured tunnel. Now that you have your SSH server set up, basically you have 3 tunnels if you connect to VPN. Secure Corporate, Secure Public, and Unsecured Public (for the applications you can’t configure SOCKS for)

Step 4: Browse Securely

Now that you have your secure setup, you can browse with more confidence. You still need to be careful, but your traffic is pretty much unreadable my would be hackers. I tested this by running it on an XP Virtual Machine, while running Wireshark on my Vista box and all the traffic was unreadable.

 Once you get back home though, you need to reverse all the SOCKS settings in your client applications so you can browse again from your internal network. That is unless you want to connect to SSH from your internal network, but that is just overkill and bad performance.

As far as connection speeds, some people really complain that is slow. I haven’t really noticed. It is a bit slower, but I would rather it be a little slower and secure than fast and wide open. For casual browsing, reading feeds news, etc, it is fine.

Other Stuff:

I set up all this using a Vista box for the backend server and a Vista box for the client. In our testing we found that you need to run Putty as an administrator for it to work. I actually downloaded Ubuntu Linux 7.04 as a VMWare image, loaded up VMWare player and tested using the built in SSH client and that worked fine, so I knew my SSH Server was working. Also, I tested using a Windows XP SP2 VPC Image using Cygwin as the SSH client and it worked fine as well. So remember, if you are on Vista, you need Putty and you need to run it as an administrator!!

Since I have only been running this for around two days, there are still some bugs to be worked out. Every so often you might receive an error from Putty about an abnormal packet received. It basically disconnects you. You probably are fine since your client applications are still configured to use the proxy, so if you try to browse you will get an error, you need to shutdown Putty, and then reconnect to your SSH server, then you can browse just fine again.

I have tested this on Unsecured networks at local coffee shops, and as I write this blog post, I am sitting at Starbucks, connected to T-Mobile hotspot, securely tunneling through SSH to my server in my apartment, browsing securely – just need to login to the hotspot first, then connect to SSH, and change your client application settings.