HOWTO: Secure Internet Access using a PuTTY Tunnel and Linux LiveCD Router

There are times when you want to connect to the Internet through unknown and/or insecure networks such as the local cybercafe, a WiFi hotspot or while travelling. If you are not careful, you might make it all too easy for someone to sniff your connection and compromise your data.

One of the best ways to secure your connection is to use OpenVPN, but if you do not have OpenVPN support on your Windows machine, PuTTY is very easy to use (just one executable of 350 Kbytes, no installation required). So here is a way to connect securely to the net using only an SSH client (PuTTY) and a remote cdrouter box that you control and trust.

Requirements:

  1. PuTTY* loaded on your windows machine
  2. Remote host running Linux LiveCD Router
  3. Firefox or IE
  4. Gaim
  5. Email with Thunderbird

Just follow these steps…


1. Create a new PuTTY session
Run PuTTY and create a new session in PuTTY to connect to the remote host that is running OpenSSH. Fill in the hostname, the port (usually 22), make sure SSH is checked, give it a session name and hit Save:

[Screenshot: PuTTY Session Config]

2. Configure a secure tunnel
Click on “Tunnels” on the left and set up dynamic forwarding for a local port (e.g. 7070). Under “Add new forwarded port” type in 7070 for the source port, leave the destination blank, and check Auto and Dynamic. Then hit the Add button. If you did it correctly, you’ll see D7070 listed in the Forwarded Ports box:

[Screenshot: PuTTY Tunnels Config]

That’s it for tunnels, as there is no need to create more than one. Remember to save your session profile in PuTTY so you don’t have to set up the tunnel next time.

3. Connect to the remote SSH box
Double click on the connection profile and type in your username and password when prompted.

4. Configure Internet Explorer
Go to Tools, Connections, LAN Settings, and then click Advanced and Proxy Settings…

[Screenshot: IE connections]

5. Configure Firefox
Go to Tools, Options, General, and then click on Connection Settings…

[Screenshot: Firefox connections]

Check Manual Proxy Configuration, leave most of the fields blank, but fill in 127.0.0.1 for the SOCKS v5 host with a port of 7070 (or whatever you used in Step 2):

[Screenshot: Firefox connection settings]

6. Configure Gaim
Fire up Gaim and hit the Preferences button:

[Screenshot: Gaim preferences]

Then select Network on the left and set up the Proxy Server. The Proxy Type should be SOCKS 5. The host is 127.0.0.1 and the port is 7070 (or whatever you chose in Step 2).

[Screenshot: Gaim proxy settings]

There’s no need for a user or password. Then hit close.

7. Enjoy
That’s it. From now on, as long as you first log into the remote SSH host with PuTTY, your Internet Explorer, Firefox and IM traffic will be routed over a secure tunnel to the remote host and then out to the Net.

In general, any application that can be configured to use a SOCKS proxy on port 7070 can be tunneled securely over PuTTY/SSH: for example email with Outlook or Thunderbird, some SIP softphones and more.


More details and Comments

* Yes, PuTTY is available for Linux. It’s even in Portage!

Update (Email): Actually, the setup for Thunderbird to securely proxy your email traffic is pretty much the same as it is for Firefox.

And then type in 127.0.0.1 and your port number:

That’s it.

  1. Note that this method will secure your connection between your remote location (e.g. WiFi hotspot) and the ssh host (e.g. Linux box at home). It is not secure from the ssh host to Internet. For the most part, that’s OK as it will provide reasonable protection from people running packet sniffers at the hotspot. But please recognize that if your ssh host is on your cable connection at home, your ISP can still (obviously) easily sniff all your packets.
  2. Quite a few people have correctly pointed out that DNS queries will still be “leaked” to the untrusted network. So the names of any sites you visit will still get logged.

    Now if you don’t mind people knowing what sites you are connecting to, then there’s nothing to worry about. But if you are running the current version of Firefox and would like to protect that information, you can open the about:config page and change network.proxy.socks_remote_dns to true.

    You can do the same thing in Thunderbird if you would like.

    For a greater level of security on all your connections, you should consider running a full VPN (see also: IPCop + OpenVPN HOWTO).

  3. As Nate pointed out in the comments, if you have the command-line version of OpenSSH already installed on your computer, you don’t need to mess with PuTTY. Just run ssh -D 7070 user@host.example.com and that will set up your tunnel. I’m not an Apple user, but I think OS X has everything you need.
  4. There are portable versions of Firefox, Gaim, and Thunderbird, and PuTTY runs from a USB drive. So using this method (unlike using OpenVPN) there is no need to install anything on the computer you are using. Quite handy if you are borrowing someone’s computer or you are in a school computer lab.
  5. How do you know if it’s working? Personally, I used SmartSniff to look at the packets and make sure they looked encrypted and were on the right ports. Of course, any packet sniffer would do.

    The other method (and I tried this one too) is to get all set up and running with the tunnels. And then after it is apparently working, kill PuTTY and see if you lose the connection.

    Of the two, the packet sniffer is the better way to go.

  6. Apparently Opera only does SOCKS4. I didn’t personally try it, but this should work with SOCKS4 proxies as well as SOCKS5.
  7. SocksCap (non-commercial, home-use only) will let you run just about anything over a SOCKS5 proxy. Including Counterpath Eyebeam SIP Softphone - if configured for TCP transport instead of the default SIP UDP transport! SocksCAP HOWTO
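Items 2 and 5 above in code, as an added example that is not part of the original HOWTO: the SOCKS5 CONNECT request a client hands to the D7070 forward with and without remote DNS resolution, and the sniffer check from item 5 run over constructed flow records. The SSH host address, the hotspot resolver and the lookup table are constructed values.

```python
# Added example (not from the original HOWTO): what socks_remote_dns changes on
# the wire, and the item 5 check ("everything should go to the SSH host") as code.
import socket
import struct

SOCKS_PORT = 7070                          # the D7070 dynamic forward from Step 2
SSH_HOST, SSH_PORT = "203.0.113.10", 22    # constructed: trusted router (TEST-NET-3)
HOTSPOT_RESOLVER = "192.168.1.1"           # constructed: the untrusted network's DNS

# Constructed stand-in for local name resolution; no real DNS lookup is done.
FAKE_DNS = {"mail.example.net": "198.51.100.7"}


def socks5_connect(host, port, remote_dns, flows):
    """Return the SOCKS5 CONNECT request a client sends to 127.0.0.1:7070.

    With remote_dns=False the client resolves the name itself first; that query
    is the leak from item 2 (request carries ATYP 0x01, an IPv4 address).  With
    remote_dns=True the name travels inside the tunnel (ATYP 0x03, domain name)
    and the SSH host resolves it.  Every packet that would leave the laptop is
    appended to `flows` as (proto, dst, dport), the view a sniffer would give.
    """
    if remote_dns:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        flows.append(("UDP", HOTSPOT_RESOLVER, 53))       # DNS query leaves in the clear
        addr = b"\x01" + socket.inet_aton(FAKE_DNS[host])
    flows.append(("TCP", SSH_HOST, SSH_PORT))             # request rides the SSH session
    # VER=5, CMD=1 (CONNECT), RSV=0, then ATYP + address, then 2-byte port (RFC 1928)
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def audit(flows):
    """Item 5's check: return every flow that did not go to the SSH host on 22."""
    return sorted(f for f in flows if f != ("TCP", SSH_HOST, SSH_PORT))


if __name__ == "__main__":
    leaky, clean = [], []
    socks5_connect("mail.example.net", 993, remote_dns=False, flows=leaky)
    socks5_connect("mail.example.net", 993, remote_dns=True, flows=clean)
    print("without socks_remote_dns:", audit(leaky))   # [('UDP', '192.168.1.1', 53)]
    print("with socks_remote_dns:   ", audit(clean))   # []
```

Any application whose flows show up in `audit()` is either bypassing the proxy or, like the UDP protocols in the list that follows, cannot be carried by the tunnel at all.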

What won't work through a PuTTY tunnel

  • FTP, bane of firewalls (it requires a connection back from the server to the client) will fail (yes, even in passive mode); or
  • Anything that uses UDP like the SMB/CIFS (MS-Windows) or NFS network file systems and many video-conferencing protocols, likewise ICMP (PuTTY tunnels only TCP); or
  • SIP UDP falls under the same problem area, but can be made to work with the TCP transport option provided in Counterpath Eyebeam. It requires SocksCap since the softphone does not have a SOCKS configuration option built in; or
  • IRC's DCC mode (same problem as FTP); or
  • Many Instant Messenger protocols; or
  • eDonkey; or
  • Programs that feel it necessary to do an identd or similar request back to the caller before responding. In some of the above cases, this is generally not regarded as a bad thing.



