Browse Securely Using an SSH Tunnel and Raspberry Pi

Any time you use an unsecured Wi-Fi connection at a public location such as a coffee shop, you run the risk of a nearby device spying on data you are sending and receiving. This post will go over setting up an SSH tunnel connected to a Raspberry Pi (or other Linux device) at home that will not only secure your connection, but also get around any content filtering the location may have in place. It is also a quick and easy way to remote into your home network without having to use a VPN.

The Raspberry Pi is an ideal device for this because it is cheap, easy to set up, and uses very little power.

Keep in mind, this does not anonymize your internet activity so don't get any ideas about using this for nefarious purposes.

If you already have your SSH server configured, skip ahead to the computer setup for Mac, Linux, or Windows.

Hardware Requirements
1. Raspberry Pi Model B running Raspbian and connected to your home LAN.
2. Internet router capable of port forwarding
2a. Internet router capable of Dynamic DNS (Optional)
2b. Dynamic DNS Service (Optional)

Actually, any model Raspberry Pi will do. I list the Model B because all you need to do is plug it into your home network.
For the router, I think it would be harder to find a device that doesn't support port forwarding. Consult your manual for setup, as the process can be quite different depending on the brand you have.
I definitely recommend using a dynamic DNS service as it will make your life a lot easier in the long run. While I haven't used it, I have read good things about Duck DNS at https://duckdns.org/about.jsp

Raspberry Pi Setup
Follow one of the many setup guides. This is an excellent place to start: http://www.raspberrypi.org/help/quick-start-guide/
For this guide, the Pi must:
1. Be able to reach the internet
2. Have a static IP on your LAN.

Please note your LAN IP address for the router setup.

Router Setup
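Follow the instructions for your router to forward port 22 to the IP address of the Pi. This makes the Pi's SSH login reachable from the internet, so make sure the account you log in with has a strong password.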

Note your home IP address
If you don't have a static WAN IP and are not using a Dynamic DNS service, you need to check your IP before you leave home. There are many options to find your IP; here are a few:
  • Go to google.com and type "what is my ip" and your public address should be at the top of the page.

Set Up Your Device

OS X Yosemite
1. Open the terminal and type the command below. Change user to the username on the destination Raspberry Pi (usually "pi"), and home_fqdn to your Dynamic DNS name or WAN IP.

ssh -D 5000 -N user@home_fqdn

-D = Local port for the SOCKS proxy to listen on
-N = Don't execute a remote command
-C = Compression (only use on very slow connections)

Type yes if prompted about a security certificate (this is SSH asking you to accept the server's host key), and then type the password for your user. When you hit enter the cursor will move down to a new blank line. Leave the terminal window open until you are done using the internet.

2. Configure your internet browser.
  • Go to "System Preferences"
  • Go to "Network"
  • Click your connection (probably Wi-Fi) and then click "Advanced" toward the bottom right.
  • Click "Proxies" then check "SOCKS Proxy"
  • In the "SOCKS Proxy Server" field that appears on the right, type "localhost" in the first box, and "5000" in the second box. Click OK, then Apply.

At this point Safari and any other browser that checks the system preferences (Chrome and Firefox) will use the SSH tunnel. You can test by going to http://dustinbarnett.com/ip and your home IP address should be displayed.

When you are done, go back to the terminal and press ctrl-c on the keyboard, then reverse the network configuration settings.

Linux
Open a terminal and type:

ssh -D 5000 -N user@home_fqdn

Type yes if prompted about a security certificate (this is SSH asking you to accept the server's host key), and then type the password for the user. When you hit enter the cursor will move down to a new blank line. Leave the terminal window open. Configure a SOCKS proxy server that points to localhost:5000. The procedure for this depends on the browser and distribution you are using.
When done, hit ctrl-c on the terminal to end the ssh session, then reverse the proxy settings.
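
To confirm from the command line (OS X or Linux) that traffic really leaves through the home connection, the script below opens the same tunnel in the background and compares the address seen with and without the proxy. It is an added example, not part of the original post; it assumes curl is installed and that the IP page returns your address somewhere in its body, and the function names and control-socket path are chosen for illustration.

```bash
#!/bin/sh
# Added example, not from the original post: open the tunnel and verify it.
SOCKS_PORT=5000                                   # same port as in the post
CTL="${HOME}/.ssh/home-tunnel.sock"               # assumed control-socket path
CHECK_URL="${CHECK_URL:-http://dustinbarnett.com/ip}"  # IP page named in the post

tunnel_up() {     # $1 = user@home_fqdn
    # -f backgrounds ssh after login; -M/-S create a control socket so the
    # tunnel can be closed later; ExitOnForwardFailure aborts if the local
    # port cannot be bound instead of leaving a session with no proxy.
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
        -D "127.0.0.1:${SOCKS_PORT}" "$1"
}

tunnel_down() {   # $1 = user@home_fqdn
    ssh -S "$CTL" -O exit "$1" 2>/dev/null
}

first_ipv4() {    # stdin: page body; stdout: first IPv4-looking token, if any
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

egress_ip() {     # $1 = direct | tunnel
    if [ "$1" = tunnel ]; then
        # --socks5-hostname hands the host name to the proxy, so the DNS
        # lookup also happens at home, not on the untrusted network.
        curl -fsS --max-time 10 --socks5-hostname "127.0.0.1:${SOCKS_PORT}" "$CHECK_URL"
    else
        curl -fsS --max-time 10 "$CHECK_URL"
    fi 2>/dev/null | first_ipv4
}

verdict() {       # $1 = direct address (may be empty), $2 = address via tunnel
    if [ -z "$2" ]; then
        echo "FAIL: nothing came back through the SOCKS proxy"; return 2
    elif [ "$1" = "$2" ]; then
        echo "FAIL: same address with and without the proxy"; return 1
    fi
    echo "OK: traffic leaves via $2"
}

main() {          # usage: sh tunnel-check.sh user@home_fqdn
    tunnel_up "$1" || return 3
    verdict "$(egress_ip direct)" "$(egress_ip tunnel)"; rc=$?
    if [ "$rc" -ne 0 ]; then tunnel_down "$1"; fi   # never leave a broken tunnel up
    return "$rc"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run from home, both addresses match and the script reports the "same address" failure, which is expected there. On success the tunnel stays up; close it with ssh -S ~/.ssh/home-tunnel.sock -O exit user@home_fqdn.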

Windows
For Windows, the process is different since it doesn't have a built-in SSH client. First download PuTTY here:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
(Don't mind the sketchy-looking download link)

1. Open PuTTY, click on "Tunnels" located under the Connection->SSH tree.
2. Type "5000" into the Source port field.
3. Click the "Dynamic" radio button.
4. At the top of the menu tree click "Session".
5. Enter your home IP in the host name field, then click the save button. Next time you want to connect you can just use the saved session as long as your IP stays the same.
6. Edit the SOCKS proxy to localhost:5000 and you're good to go.

Hopefully my instructions are clear enough. Let me know if you have any questions!
