TangoRangers.com’s Blog

Recently I started school (which is why I haven’t done much of anything on my sites) where they have a wifi connection just like at a coffee shop. The problem with these open networks is that people (like myself) can run a packet catcher like WireShark and get user names and password for various sites such as yahoo, facebook, and myspace. Since when you log in to those you are doing so without https (encryption). Also my school logs every site to visit and when I’m bored in class I don’t want them to know I’m researching hacking sites.

To solve this I setup a Linux box on my network and point port 22 to it. 22 is the default SSH port in case you didn’t know. Then I create a secure tunnel from my laptop to my home box (my laptop also running Linux).

SSH -D 1080 username@ip

This creates what is essentially a SOCKS v5 proxy on port 1080. Anything and everything you do remotely can be routed through 1080 (any port works, I just like that number).

Now I don’t know how to setup my Linux machine so that I don’t need to configure every program I use to work with the proxy and currently have to setup everything manually. Here is how to do it with FireFox.

Open FireFox, goto Edit –> Preferences –> Advanced –> Network –> Connection –> Settings

Click “Manual proxy configuration:”, then under SOCKS Host put “localhost” port “1080″ and make sure that SOCKS v5 is clicked.
Where it says “No Proxy For” you can leave localhost in, I’m not really sure, never tried. I just cleared it out and everything went smoothly.

Close the window and start surfing!

As long as you keep the SSH connection alive this will work. If you SSH connection does die you will know right away when you can’t surf. You will also need to revert your connection settings back when you are no longer using the SSH proxy. Also keep in mind that even tho you are routing via an encrypted tunnel to your remote machine, traffic will still be unencrypted after that point. Surfing may take longer than you would like. This is due to the fact that ALL traffic will be routed first to your remote machine then to you via the tunnel.

Lastly, I’m told that not every SSHd configuration allows SSH proxies. Mine does. I’m not sure why, I haven’t bothered to look into that yet. You may need to check your /etc/sshd_config file as there may be an option there. If you need help you know where to ask for it. Enjoy!

Here are my instructions on how to get VNC in KDE 3.5+ working through an SSH tunnel. It’s easier than you might think.

To start all you need is 2 or 3 linux machines with OpenSSH installed. Most distros come with it (altho I know Ubuntu does not).
NOTE: All my machines run Slackware 12.0 or higher.

Step 1 – Setup the host.
This is fairly simple, open up you Control Center, and find Desktop Sharing. Just look at my picture below and see the settings I would recommend for this.

Just make sure you set a STRONG password!

Now comes the fun part. Creating the SSH tunnel. By default the VNC connection is on port 5900.
For this example you have 2 computers. Your at a coffee shop with free wifi but your smarter than everyone else, so your going to use encryption to your home desktop and surf the internet from there.
Your home computer (lets say) has a domain name. For my examples it will be daijoubu.net, and your internal computer is 192.168.1.2.
Make sure you set your router to forward port 22 (the SSH default) to 192.168.1.2
Open up a terminal (some times it’s called Konsole) and type:

ssh dkun@daijoubu.net -L 5931:localhost:5900

The user name I’m using is dkun, just put in your user name
You will be prompted for your password, after entered you have formed the SSH connection. What this command does is it takes all traffic from your desktop port 5900, and forwards it to your laptop (at the coffee shop) to localhost port 5915.
Seems complicated, but trust me, it works!
Now open up Krcd and type

vnc:/localhost:5915

Just as shown below.

If you have 3 computers. For example, you don’t forward to your desktop (for security reasons) but you do forward to a file server. Lets say your file server is 192.168.1.3 and your desktop if 192.168.1.2 type:

ssh dkun@daijoubu.net -L 5915:192.168.1.2:5900

This will form the SSH tunnel to your server (192.168.1.3) then forward port 5915 from 192.168.1.2 through the SSH tunnel back to you.
Reminder: Doing it this was results in plain text from 192.168.1.3 to 192.168.1.2. This is only a problem if you don’t trust your internal network!

From here is gets simple, after you click Connect you will be prompted for the following window.

These are the settings I recommend for over the Internet, VNC can take a lot of bandwidth.
Next you will get a password prompt, type in your password and hit OK

Your remote desktop will appear! if you look quickly you will see this at the bottom right of the screen

That’s it! Now you can use your remote desktop over a secure connection!

WARNINGS! If you attempt a connection without the SSH tunnel your passwords will be sent in plain text! That is BAD!
DO NOT FORWARD PORT 5900 ON YOUR ROUTER!

Extra Notes: If you do not have a domain name to work off of, you can put in an IP address after the username@, make sure it’s an internet IP address, 192.168.1.2 will NOT work
If you don’t have a static IP address you can use dyndns to get you one. They are really good, but if your IP changes you will have to update your opendns account. I would recommend checking before you head out.

Special Thanks to Spyder_3lite of UCoD.com. If it weren’t for you showing me something way cool with SSH, I never would have been able to do this.

Note: This was originally written on my other site Daijoubu.net. I have moved it here for better indexing from Google. ^_^

Update! Version 1.2.2 is now out. I had a bug fix to address. Below is the original post from December 21st with the release of version 1.2.

—–

I have finished coding and testing SSHT v1.2, it is available to download on sourceforge… well hopefully. I uploaded it today and for some reason it’s still only showing v1.1 to download. We just may have to wait a couple days and see what happens. As soon as I see the problem resolved I will edit this post to reflect the changes. So go download, try it out, and post in our Forum telling me what you think or any problems you may encounter. Thank you.

Oh, and in case you are wondering, SSHT stands for “Secure SHell Tracker.” I love acronyms.

-DaijoubuKun

Post note: My bad, I missed an option on sf.net. Problem Resolved, now go download it!