  1. #1
    Join Date
    Mar 2003
    Location
    Saint Paul, MN
    Posts
    826

    Proxy Connections With SSH or PUTTY

    There are four very good reasons why you'd want to proxy internet applications thru a SSH tunnel - either for security (local traffic between you and the server running SSH will be encrypted), for privacy (hiding your "real" IP address), for technical reasons (such as IP-based authentication mechanisms that you'd like to be able to access even from multiple locations or with dynamically-assigned IPs) or, of course, just because you can.

    Since there have been a number of questions here lately about how to proxy connections thru a server - often phrased something like "how do I use Squid, which is hellaciously complicated to set up and gross overkill for what I want to do, to browse the web from my server's IP address?" (Well, that's how I remember the questions, anyway.) - I've put together this little tutorial on using PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) and plain old SSH to do this.

    First, you need access to, and an SSH account on, a server. For the examples below, this server is "example.tld", and we'll pretend your account is "foo". While there's nothing stopping you from doing this as root, it's a bad idea to allow direct root login, and an equally bad idea to login as root needlessly.

    Second, you need either PuTTY (see above) on Windows or older Macs; on Linux and Unix machines, you need SSH or SSH2; the former is generally included in the base system of most distributions, and the latter is an optional package.

    First, PuTTY instructions. Get PuTTY, and load it up. You'll see a screen somewhat like this:

    In the address bar, enter your server's hostname or IP address (here example.tld). Make sure the "SSH" button is checked, and that you're using port 22.

    Then, in the left-hand menu, click on "SSH". You should see a screen like that below:


    Tick "enable compression", and set your preferred SSH version to "2". Now, click on the "tunnels" line under SSH; you should see a screen like this:



    Tick the "dynamic" button, then put in a source port - here I've used 4567, but you can use pretty much anything not otherwise in use - 1234, 2525, 6666, or whatever. Click the "add" button, and you should see something like this:



    With me so far? Good. Now, go back to the "session" tab at the top of the menu:



    Enter a name for this connection - here the imaginative "My SSH Proxy" - and click "Save".

    Now, to use this tunnel, fire up PuTTY, enter your username and your password; you should log in as normal. Then, fire up the SOCKS-compatible application you'd like to use - in this case, everyone's favorite web browser, Firefox. Click Tools -> Options -> General -> Connection Settings, and you should get to a screen like this:



    Tick "Manual Proxy Configuration", then put in "127.0.0.1" in the "SOCKS Host" line, and the port you set up in PuTTY earlier - in this case again, 4567. Tick the "Socks 5" button, hit OK, and you should be browsing the web via an encrypted connection to your server. Check out one or more of those "what's my IP address" sites, and you should see your server's IP address.

    People on Linux and Unix boxes can eschew the whole PuTTY thing by simply opening up a shell window and typing:

    ssh -C -2 -D 4567 foo@example.tld

    Log in with your password, and proceed as above, setting up Firefox. IE, Mozilla, Konqueror, and other programs are set up to use the SSH tunnel pretty much the same way as Firefox - the basic thing you need to do is point it to your local IP - 127.0.0.1 - and the port - 4567, or whatever you chose.

    Hopefully that answers some of the questions people have been having...
    redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
    Because Simple Things Should Be Simple - YouCANHasDNS
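
Added example, not part of the original post: a small SOCKS5 client (RFC 1928) that speaks to the local end of the tunnel on 127.0.0.1:4567 and reports which stage of the handshake fails, which separates "no listener" from "the far end refused the connection". The function names are this example's own; the request carries the hostname rather than an IP address, so the name is resolved on the server side of the tunnel.

```python
import socket

# RFC 1928 reply codes (REP field of the server's answer to CONNECT).
REPLIES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}
GREETING = b"\x05\x01\x00"  # VER=5, one method offered, 0x00 = no authentication

def build_connect(host: str, port: int) -> bytes:
    """CONNECT request carrying the hostname (ATYP=3), so the far end resolves it."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")

def parse_reply(data: bytes) -> str:
    """Turn the first bytes of the server's CONNECT reply into a diagnosis."""
    if len(data) < 2:
        return "no reply: listener closed the connection"
    if data[0] != 5:
        return "not a SOCKS5 listener"
    return REPLIES.get(data[1], "unknown reply code 0x%02x" % data[1])

def probe(host: str, port: int, proxy=("127.0.0.1", 4567), timeout=5.0) -> str:
    """Run the handshake against the local tunnel port; report the failing stage."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(GREETING)
            if s.recv(2) != b"\x05\x00":
                return "method negotiation failed"
            s.sendall(build_connect(host, port))
            return parse_reply(s.recv(10))
    except OSError as exc:
        return "cannot reach local listener: %s" % exc

if __name__ == "__main__":
    # example.tld and port 4567 are the placeholder values used in the post above
    print(probe("example.tld", 80))
```

Firefox only sends hostnames through the proxy like this when its remote-DNS option for SOCKS v5 is enabled (network.proxy.socks_remote_dns); otherwise lookups are made locally, outside the tunnel.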

  2. #2
    Thanks for sharing!! But is it safe to log in using a proxy?

  3. #3
    Is it safe to login where or to what using a proxy?

  4. #4
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    Thanks Ankheg...I've been looking for a solution to do this for a *long* time...never really checked too much into it though. Gonna give it a whirl right now..I'll post back with how it works out. Cheers!

    edit - works great!
    Last edited by layer0; 08-13-2006 at 09:03 PM.
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  5. #5
    Ankheg: great tutorial! Thanks for sharing this with us!

  6. #6
    That works a treat - now if only I could find a way to proxy SSH through my work proxy and then proxy my browsers through SSH - lol

    Long winded way of doing what I want

  7. #7
    Thanks, dear

  8. #8
    I have done this on both a Linux machine and a Windows machine. I set my browser up to go through the proxy but all that results is a white page.

    Is there any special server-side configuration that might need to be done in order to get this forwarding to work?

  9. #9
    It shouldn't require any special settings, no. I'd double check /etc/ssh/sshd_config to make sure there aren't any settings that are set which possibly shouldn't be (AllowTcpForwarding no, for instance, or GatewayPorts no).

    Assuming the remote machine is running a reasonably default configuration of a reasonably current mainstream server OS, this technique should - and does - work fine as described; I'm using it right now, actually, to post this. I'd look at a firewall issue, perhaps, or a DNS issue at the remote end. You don't have any egress filtering or anything going on with APF or anything, right?
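
Added example, not part of the original reply: one way to run the sshd_config check suggested above, reading the global section the way sshd does (keywords are case-insensitive and the first value given for a keyword wins) and listing the settings that stop `ssh -D` from working. The function names and the sample configuration are constructed for this example; GatewayPorts is left out because it controls who may connect to remote-forwarded ports, not dynamic forwards.

```python
# Values of AllowTcpForwarding that permit the client-to-server channels ssh -D opens.
FORWARD_OK = {"yes", "all", "local"}

# Constructed sample: the first AllowTcpForwarding line is the one sshd uses.
SAMPLE = """\
# constructed sample, not taken from the thread
Port 22
PermitRootLogin no
AllowTcpForwarding no
AllowTcpForwarding yes
Match User foo
    AllowTcpForwarding yes
"""

def global_settings(config_text: str) -> dict:
    """Collect the global section: first value per keyword wins, stop at Match."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            seen["_has_match"] = "yes"
            break
        seen.setdefault(key, value)
    return seen

def dynamic_forward_findings(config_text: str) -> list:
    """Return human-readable reasons why ssh -D may fail with this configuration."""
    cfg = global_settings(config_text)
    findings = []
    if cfg.get("disableforwarding", "no").lower() == "yes":
        findings.append("DisableForwarding yes: all forwarding is off")
    atf = cfg.get("allowtcpforwarding", "yes").lower()
    if atf not in FORWARD_OK:
        findings.append("AllowTcpForwarding %s: ssh -D connections will be refused" % atf)
    permit_open = cfg.get("permitopen", "any").lower()
    if permit_open != "any":
        findings.append("PermitOpen %s: only listed destinations are reachable" % permit_open)
    if "_has_match" in cfg:
        findings.append("Match block present: per-user overrides possible, confirm with sshd -T")
    return findings

if __name__ == "__main__":
    print("\n".join(dynamic_forward_findings(SAMPLE)))
```

On the server itself, `sshd -T -C user=foo` prints the effective settings for that account, Match blocks included.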

  10. #10
    It's not a DNS issue, I don't think. I can ssh into the server normally and get to all the websites with lynx.

    I didn't set up anything, to my knowledge, to do egress filtering or APF. I don't know what those are, though, to be honest, so I couldn't honestly tell you whether or not they are.

    What kind of thing with a firewall (it is behind a router/hardware firewall) would I need to watch out for that might cause this kind of problem?

  11. #11
    Offhand, I can't immediately think of how a router/firewall would create problems with this, but I was thinking more of a software firewall - like APF - at the far end.

    If that's not the case, I'd suggest you double-check you've got everything set up correctly. Maybe try a different port, make sure you're using the right settings for the dynamic SSH port, back off to Socks4, disable compression... even try a different browser (I'm open to the possibility that some toolbar or plugin could cause problems, especially some of the proxy-switcher, tor, or privoxy plugins for Firefox.)

    Usually, if you've screwed up somewhere, you'll get a "the proxy server is refusing connections" message. A blank screen is a new one on me.

  12. #12
    Is there a way to bind the proxy connection to another ip other than the main server ip?

    A great tutorial here; I'm using it fine.
    ServerTweak Networks, LLC >> ServerTweak.com
    Experience the fastest network and superior servers, feel the power of ServerTweak!
    Fremont, CA DataCenter | Dedicated Servers | Colocation | Cross Connects HE.net | 1/4 - Full Cab Sales

  13. #13
    Originally posted by eymbo:
    "Is there a way to bind the proxy connection to another ip other than the main server ip?"
    Generally, whatever IP address you connect to, is the IP address you connect from. So if you want to use 123.45.67.89, for example, you use that IP, rather than server.foo.com, which might be 123.45.67.88. Or whatever.

  14. #14
    Originally posted by Ankheg:
    "Generally, whatever IP address you connect to, is the IP address you connect from. So if you want to use 123.45.67.89, for example, you use that IP, rather than server.foo.com, which might be 123.45.67.88. Or whatever."
    Yeah that was what I was thinking however I did try and it didn't work. :?

  15. #15
    Originally posted by eymbo:
    "Yeah that was what I was thinking however I did try and it didn't work. :?"
    Then you are not doing it correctly. Make sure that you have your browser pointed to the proxy you are creating with PuTTY.

    You can also use remote port settings to forward email ports and such through your ssh connection, very handy if you want to check your POP account on the go.
