Archive for June, 2014

SSH Tunneling on Insecure WiFi

Using public wifi can be dangerous: an open network sends your traffic over the air unencrypted, and even a password-protected one lets anyone who knows the password (at a coffee shop, everyone) capture and decrypt other clients' traffic. Whenever I connect to public wifi at coffee shops or airports I tunnel my traffic through my SSH server at home. This takes a few simple steps (I'm working on a Mac, but there are plenty of tutorials for doing this on Mac, Windows or Linux):

  1. ssh myhost.com -D8080
  2. change your system's proxy settings to use a SOCKSv5 proxy on localhost port 8080 (ssh -D binds the listener to localhost only by default, so other hosts on the wifi can't use it)

[Screenshot: OS X Network settings, Proxies tab]

This worked fine, but I always worried that some traffic might not flow through my tunnel. I'd usually verify that everything was set up properly by visiting a site such as ipchicken.com, which echoes back your public IP address, and checking that it showed my home IP.

However, this is error prone: you have to explicitly direct traffic into the tunnel, and any application that ignores the system proxy settings (or speaks something other than HTTP) silently goes out over the wifi in the clear. So I recently started redirecting traffic into the tunnel with a firewall rule rather than configuring it per application. This ensures that every outbound TCP connection goes through the tunnel, whether or not the application knows about proxies.

After doing some research I found redsocks (http://darkk.net.ru/redsocks/), a transparent proxy: it accepts the connections the firewall redirects to it, recovers their original destination, and relays them over SOCKS. I then configured my firewall to redirect into it (adapted from http://lucumr.pocoo.org/2013/1/6/osx-wifi-proxy/):

  1. install redsocks (sudo brew install redsocks)
  2. configure redsocks to accept redirected connections on port 8888 and relay them to the SSH SOCKS listener on localhost:8080
    base {
        log_debug = on;
        log_info = on;
        log = stderr;
        daemon = off;
        redirector = generic;
    }
    
    redsocks {
        // listen on loopback only: bound to 0.0.0.0, every other host on
        // the wifi could connect to port 8888 and ride your tunnel
        local_ip = 127.0.0.1;
        local_port = 8888;
    
        // the ssh -D listener
        ip = 127.0.0.1;
        port = 8080;
    
        type = socks5;
    }
  3. install a firewall rule that redirects outbound TCP connections to redsocks (sudo ipfw add 00100 fwd 127.0.0.1,8888 tcp from me to not me not dst-port 22). The "not dst-port 22" exclusion keeps the SSH session that carries the tunnel from being forwarded into itself; it also leaves every other SSH connection outside the tunnel, so pin the exception to your server's address if that matters. Note that ipfw has been deprecated since OS X 10.7 and is gone in 10.10, where the same redirection has to be done with pf.

This worked great until I tried to connect to a VPN that uses split tunneling, where only traffic for the VPN's networks goes over the VPN interface and everything else takes the normal default route. My ipfw rule captured all outbound TCP, including the connections bound for the VPN's networks, and pushed them into the SSH tunnel instead of the VPN interface, so the VPN's resources were unreachable. To fix this I added a rule with a lower number, which ipfw evaluates first, that lets VPN-bound traffic out through the VPN interface untouched.

  1. figure out which interface the VPN is using (netstat -nr; look for the utunN interface that carries the routes to the VPN's networks)
  2. allow traffic to that interface ahead of the redirect rule (sudo ipfw add 00010 allow tcp from me to any via utun0)
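The whole procedure, the ssh -D listener, the redsocks config from step 2, the ipfw redirect from step 3 and the VPN exception just above, as one script with up/down/verify commands. This is an added example, not code from the original post: myhost.com is the post's placeholder host name, and the ports, the utun0 interface name and the /tmp paths are assumptions to adjust. It departs from the post's rules in two small ways: instead of exempting all port-22 traffic it exempts only the SSH server's resolved address, and it binds redsocks to loopback rather than to all interfaces.

```bash
#!/bin/bash
# Added example, not code from the original post. Wraps the ssh -D + redsocks
# + ipfw procedure in one script with up/down/verify commands.
# Assumptions (hypothetical values, adjust to taste): SSH server "myhost.com"
# (the placeholder used in the post), SOCKS listener 127.0.0.1:8080, redsocks
# listener 127.0.0.1:8888, split-tunnel VPN interface utun0. Needs an OS X
# release that still ships ipfw (10.9 or earlier) and `brew install redsocks`.
set -eu

SSH_HOST="${SSH_HOST:-myhost.com}"
SOCKS_PORT="${SOCKS_PORT:-8080}"
REDSOCKS_PORT="${REDSOCKS_PORT:-8888}"
VPN_IF="${VPN_IF:-utun0}"
CONF="${CONF:-/tmp/redsocks.conf}"

# Resolve the SSH server to one IPv4 address so the firewall bypass can be
# pinned to that host rather than exempting every port-22 connection.
resolve_ipv4() {
    dig +short "$1" A | grep -E '^[0-9.]+$' | head -n 1
}

# redsocks config. Bound to loopback so other hosts on the wifi cannot reach
# the transparent proxy; the ipfw fwd below delivers to 127.0.0.1 anyway.
redsocks_conf() {
    cat <<EOF
base {
    log_debug = off;
    log_info = on;
    log = stderr;
    daemon = off;
    redirector = generic;
}

redsocks {
    local_ip = 127.0.0.1;
    local_port = $REDSOCKS_PORT;
    ip = 127.0.0.1;
    port = $SOCKS_PORT;
    type = socks5;
}
EOF
}

# ipfw rules, lowest number first (ipfw evaluates in ascending order and
# stops at the first allow or fwd that matches):
#   00010  split-tunnel VPN traffic leaves on the VPN interface untouched
#   00020  the SSH session that carries the tunnel may reach the server
#          directly (otherwise the fwd rule would try to push the tunnel's
#          own carrier connection into the tunnel)
#   00100  every other outbound TCP connection is forwarded into redsocks
ipfw_rules() {
    local ssh_ip="$1" vpn_if="$2"
    printf 'add 00010 allow tcp from me to any via %s\n' "$vpn_if"
    printf 'add 00020 allow tcp from me to %s dst-port 22\n' "$ssh_ip"
    printf 'add 00100 fwd 127.0.0.1,%s tcp from me to not me\n' "$REDSOCKS_PORT"
}

up() {
    local ssh_ip
    ssh_ip="$(resolve_ipv4 "$SSH_HOST")"
    [ -n "$ssh_ip" ] || { echo "cannot resolve $SSH_HOST" >&2; return 1; }
    # -N: no remote command; -f: go to background after authentication.
    ssh -N -f -D "127.0.0.1:$SOCKS_PORT" "$SSH_HOST"
    redsocks_conf > "$CONF"
    redsocks -c "$CONF" > /tmp/redsocks.log 2>&1 &
    # Word-splitting of each emitted rule into ipfw arguments is intended.
    ipfw_rules "$ssh_ip" "$VPN_IF" | while read -r rule; do
        # shellcheck disable=SC2086
        sudo ipfw -q $rule
    done
}

down() {
    sudo ipfw -q delete 00010 00020 00100 2>/dev/null || true
    pkill -f "redsocks -c $CONF" || true
    pkill -f "ssh -N -f -D 127.0.0.1:$SOCKS_PORT" || true
}

# Heuristic check, as in the post: the address ipchicken.com reports should be
# the SSH server's (assumes the first dotted quad on the page is the client IP).
verify() {
    local ssh_ip seen
    ssh_ip="$(resolve_ipv4 "$SSH_HOST")"
    seen="$(curl -s http://ipchicken.com | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1)"
    echo "tunnel exit: $seen   ssh server: $ssh_ip"
    [ "$seen" = "$ssh_ip" ]
}

if [ $# -gt 0 ]; then
    case "$1" in
        up) up ;;
        down) down ;;
        verify) verify ;;
        *) echo "usage: $0 up|down|verify" >&2; exit 2 ;;
    esac
fi
```

Run it as `./wifi-tunnel.sh up` once on the network, `./wifi-tunnel.sh verify` to confirm the exit address, and `./wifi-tunnel.sh down` before disconnecting, since the fwd rule would otherwise keep sending connections to a redsocks that no longer has a working SOCKS upstream. DNS is still not covered; see the caveat below.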

From what I understand, using an SSH tunnel as a VPN is not ideal: every TCP connection is carried inside another TCP connection, so two layers of retransmission and congestion control fight each other and throughput can collapse on a lossy link, which is exactly what crowded wifi is. Still, this works well for me as a quick way to secure my internet access on the occasions I'm on public wifi. One gap: this setup does not tunnel DNS, and adding an ipfw rule for UDP is not enough to fix it. redsocks can relay redirected UDP (its redudp section), but only to a SOCKS5 server that implements UDP ASSOCIATE, and OpenSSH's -D proxy relays TCP only, so redirected DNS queries would have nowhere to go. DNS needs a different path, such as a local resolver that forwards queries over TCP (which the existing rule then redirects) or a real layer-3 tunnel.

Let me know if you guys have any suggestions or feedback!
