Connecting to the internet from Wi-Fi hotspots, at work, or anywhere else away from home exposes your data to unnecessary risks. You can easily configure your router to support a secure tunnel and shield your remote browser traffic—read on to see how.

What is and Why Set Up a Secure Tunnel?

You might be curious why you would even want to set up a secure tunnel from your devices to your home router and what benefits you would reap from such a project. Let’s lay out a couple of different scenarios that involve you using the internet to illustrate the benefits of secure tunneling.

Scenario one: You’re at a coffee shop using your laptop to browse the internet through their free Wi-Fi connection. Data leaves your laptop’s Wi-Fi adapter, travels through the air unencrypted to the Wi-Fi node in the coffee shop, and is then passed on to the greater internet. During the transmission from your computer to the greater internet your data is wide open: anyone with a Wi-Fi device in the area can sniff it. It’s so painfully easy that a motivated 12-year-old with a laptop and a copy of Firesheep could snatch up your credentials for all manner of things. It’s as though you’re in a room filled with English-only speakers, talking into a phone in Mandarin Chinese. The moment somebody who speaks Mandarin Chinese comes in (the Wi-Fi sniffer), your pseudo-privacy is shattered.

Scenario two: You’re at a coffee shop using your laptop to browse the internet through their free Wi-Fi connection again. This time you’ve established an encrypted tunnel between your laptop and your home router using SSH. Your traffic is routed through this tunnel directly from your laptop to your home router, which is functioning as a proxy server. This pipeline is impenetrable to Wi-Fi sniffers, who would see nothing but a garbled stream of encrypted data. No matter how shifty the establishment or how insecure the Wi-Fi connection, your data stays in the encrypted tunnel and only leaves it once it has reached your home internet connection and exits to the greater internet.

In scenario one you’re surfing wide open; in scenario two you can log in to your bank or other private web sites with the same confidence you would from your home computer.

Although we used Wi-Fi in our example, you could use the SSH tunnel to secure a wired connection too: for example, launch a browser on a remote network and punch a hole through the firewall to surf as freely as you would on your home connection.

Sounds good doesn’t it? It’s incredibly easy to set up so there’s no time like the present—you can have your SSH tunnel up and running within the hour.

What You’ll Need

There are many ways to set up an SSH tunnel to secure your web browsing. For this tutorial we’re focusing on setting up an SSH tunnel in the easiest possible way with the least amount of fuss for a user with a home router and Windows-based machines. To follow along with our tutorial you’ll need the following things:

  • A router running the Tomato or DD-WRT modified firmware.
  • An SSH client like PuTTY.
  • A SOCKS-compatible web browser like Firefox.

For our guide we’ll be using Tomato but the instructions are almost identical to the ones you would follow for DD-WRT so if you’re running DD-WRT feel free to follow along. If you don’t have modified firmware on your router check out our guide to installing DD-WRT and Tomato before proceeding.

Generating Keys for Our Encrypted Tunnel

Although it might seem odd to jump right to generating the keys before we even configure the SSH server, if we have the keys ready we’ll be able to configure the server in a single pass.

Download the full PuTTY pack and extract it to a folder of your choice. Inside the folder you’ll find PUTTYGEN.EXE. Launch the application and click Key –> Generate key pair. You’ll see a screen much like the one pictured above; move your mouse around to generate random data for the key creation process. Once the process has finished, go ahead and enter a strong password in the PuTTY Key Generator window.

Once you’ve plugged in a password, go ahead and click Save private key. Stash the resulting .PPK file somewhere safe. Copy and paste the contents of the “Public key for pasting…” box into a temporary TXT document for now.

If you plan on using multiple devices with your SSH server (such as a laptop, a netbook, and a smartphone) you need to generate a key pair for each device. Go ahead and generate, password-protect, and save the additional key pairs you need now. Make sure you copy and paste each new public key into your temporary document.

Configuring Your Router for SSH

Both Tomato and DD-WRT have built-in SSH servers. This is awesome for two reasons. First, it used to be a huge pain to telnet into your router to manually install an SSH server and configure it. Second, because you’re running your SSH server on your router (which likely consumes less power than a light bulb), you never have to leave your main computer on just for a lightweight SSH server.

Open a web browser on a machine connected to your local network and navigate to the web interface of your router; for our router—a Linksys WRT54G running Tomato—the address is http://192.168.1.1. Log in to the web interface and then navigate to Administration –> SSH Daemon. There you need to check both Enable at Startup and Remote Access. You can change the remote port if you desire, but the only benefit to doing so is that it marginally obfuscates the reason the port is open if anyone port scans you. Uncheck Allow Password Login. We will not be using a password login to access the router from afar; we will be using a key pair.

Paste the public key(s) you generated in the last part of the tutorial into the Authorized Keys box, one key per line. The first portion of each key, ssh-rsa, is very important: if you do not include it with each public key, they will appear invalid to the SSH server.
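A common way to lose that ssh-rsa prefix is to paste the wrong thing: PuTTYgen’s Save public key button writes an RFC 4716 file (BEGIN/END lines, a Comment: header, wrapped base64) rather than the one-line form the Authorized Keys box expects, while the “Public key for pasting…” box already has the right form. As an added example that is not part of the original article, this Python converts a saved RFC 4716 file into the one-line form and checks that an entry carries the prefix the daemon looks for. The key material is a constructed fake, not a real key.

```python
import base64
import struct

def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (extra leading 0x00 when the top bit is set)."""
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def key_type_in_blob(blob: bytes) -> str:
    """Read the algorithm name stored at the front of a decoded public-key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")

def rfc4716_to_authorized_key(text: str) -> str:
    """Convert a PuTTYgen 'Save public key' (RFC 4716) file to '<type> <base64> [comment]'."""
    comment, b64_lines, in_body = "", [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            in_body = True
        elif line.startswith("---- END SSH2 PUBLIC KEY"):
            break
        elif in_body and line.startswith("Comment:"):
            comment = line.split(":", 1)[1].strip().strip('"')
        elif in_body and line:
            b64_lines.append(line)
    b64 = "".join(b64_lines)
    key_type = key_type_in_blob(base64.b64decode(b64, validate=True))  # e.g. "ssh-rsa"
    return f"{key_type} {b64}" + (f" {comment}" if comment else "")

def check_authorized_key(line: str) -> bool:
    """True when the entry is '<type> <base64> ...' and the prefix matches the encoded type."""
    parts = line.split()
    if len(parts) < 2:          # a key pasted without its ssh-rsa prefix lands here or below
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return False
    return parts[0] == key_type_in_blob(blob)

# Constructed sample: tiny fake RSA numbers, NOT a real key, wrapped the way PuTTYgen saves it.
_FAKE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567890ABCDEF)
_B64 = base64.b64encode(_FAKE_BLOB).decode("ascii")
SAMPLE_RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\n" 'Comment: "rsa-key-20110712"\n'
                  + _B64[:32] + "\n" + _B64[32:] + "\n---- END SSH2 PUBLIC KEY ----\n")
```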

Click Start Now and then scroll down to the bottom of the interface and click Save. At this point your SSH server is up and running.

Configuring Your Remote Computer to Access Your SSH Server

This is where the magic happens. You’ve got a key pair, you’ve got a server up and running, but none of that is of any value unless you’re able to remotely connect from the field and tunnel into your router. Time to bust out our trusty netbook running Windows 7 and set to work.

First, copy that PuTTY folder you created to your other computer (or simply download and extract it again). From here on out all instructions are focused on your remote computer. If you ran the PuTTY Key Generator on your home computer, make sure you’ve switched over to your mobile computer for the rest of the tutorial. Before you settle in you’ll also need to make sure you have a copy of the .PPK file you created. Once you have PuTTY extracted and the .PPK in hand, we’re ready to proceed.

Launch PuTTY. The first screen you’ll see is the Session screen. Here you’ll need to enter the IP address of your home internet connection. This is not the IP of your router on the local LAN; this is the IP of your modem/router as seen by the outside world. You can find it by looking at the main Status page in your router’s web interface. Change the Port to 2222 (or whatever you substituted in the SSH Daemon configuration process). Make sure SSH is checked. Go ahead and give your session a name so that you can save it for future use. We titled ours Tomato SSH.

Navigate, via the left-hand pane, down to Connection –> Auth. Here you need to click the Browse button and select the .PPK file you saved and brought over to your remote machine.

While in the SSH sub-menu, continue down to SSH –> Tunnels. It is here we are going to configure PuTTY to function as a proxy server for your mobile computer. Check both boxes under Port Forwarding. Below, in the Add new forwarded port section, enter 80 for the Source port and the IP address of your router for the Destination (a Dynamic forward turns PuTTY into a SOCKS proxy and does not use the Destination, so this value is harmless). Check Auto and Dynamic, then click Add.

Double check that an entry has appeared in the Forwarded Ports box. Navigate back to the Session section and click Save again to save all your configuration work. Now click Open. PuTTY will launch a terminal window. You may get a warning at this point indicating that the server’s host key is not in the registry. Go ahead and confirm that you trust the host. If you’re worried about it, you can compare the fingerprint string it gives you in the warning message with the fingerprint of the key you generated by loading it up in PuTTY Key Generator. Once you’ve opened PuTTY and clicked through the warning you should see a login prompt in the terminal window.

At the terminal you will only need to do two things. At the login prompt type root. At the passphrase prompt enter your RSA keyring password—this is the password you created a few minutes ago when you generated your key, not your router’s password. The router shell will load and you’re done at the command prompt. You’ve formed a secure connection between PuTTY and your home router. Now we need to instruct your applications how to access PuTTY.

Note: If you want to simplify the process at the price of slightly decreasing your security, you can generate a key pair without a password and set PuTTY to log in to the root account automatically (you can toggle this setting under Connect –> Data –> Auto Login). This reduces the PuTTY connection process to simply opening the app, loading the profile, and clicking Open.

Configuring Your Browser to Connect to PuTTY

At this point in the tutorial your server is up and running, your computer is connected to it, and only one step remains. You need to tell the important applications to use PuTTY as a proxy server. Any application which supports the SOCKS protocol can be linked to PuTTY—Firefox, mIRC, Thunderbird, and uTorrent, to name a few—and if you’re unsure whether an application supports SOCKS, dig around in the options menus or consult the documentation. This is a critical element that shouldn’t be overlooked: your traffic is not all routed through the PuTTY proxy by default; each application must be pointed at the SOCKS server. You could, for example, have a web browser where you turned on SOCKS and a web browser where you didn’t—both on the same machine—and one would encrypt your traffic and one wouldn’t.

For our purposes we want to secure our web browser, Firefox Portable, which is simple enough. The configuration process for Firefox translates to practically any application you’ll need to plug SOCKS information into. Launch Firefox and navigate to Options –> Advanced –> Settings. From within the Connection Settings menu, select Manual proxy configuration and under SOCKS Host plug in 127.0.0.1—you’re connecting to the PuTTY application running on your local computer, so you must put in the local host IP, not the IP of your router as you’ve been putting in every slot so far. Set the port to 80 and click OK.

We have one tiny little tweak to apply before we’re all set. Firefox, by default, doesn’t route DNS requests through the proxy server. This means that your traffic will always be encrypted, but somebody snooping the connection would still see all your DNS requests. They’d know you were at Facebook.com or Gmail.com but they wouldn’t be able to see anything else. If you want to route your DNS requests through the SOCKS proxy too, you’ll need to turn it on.

Type about:config in the address bar, then click “I’ll be careful, I promise!” if you get a stern warning about how you can screw up your browser. Paste network.proxy.socks_remote_dns into the Filter: box, then right-click the entry for network.proxy.socks_remote_dns and Toggle it to True. From here on out, both your browsing and your DNS requests will be sent through the SOCKS tunnel.
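To make the DNS point concrete, here is an added example (not from the original article) that builds the SOCKS5 CONNECT request a browser sends to PuTTY on 127.0.0.1 in both modes: with remote DNS on, the hostname rides inside the request and is resolved at the router end of the tunnel; with it off, the browser resolves the name locally first, and that plaintext lookup over the coffee shop Wi-Fi is what a sniffer sees. The resolver table is a constructed stub with a documentation-range address, not a live lookup.

```python
import socket
import struct

# Constructed stub for the laptop's resolver (TEST-NET address); a real client would ask
# the coffee shop's DNS server over the air, which is exactly the leak being illustrated.
FAKE_RESOLVER = {"www.example.com": "192.0.2.10"}

SOCKS5, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x01, 0x01, 0x03

def socks5_connect_request(host: str, port: int, remote_dns: bool):
    """Build the SOCKS5 CONNECT request (RFC 1928) the browser sends to PuTTY.

    Returns (request_bytes, cleartext_dns_queries). With remote_dns=True the hostname is
    carried inside the request (ATYP 0x03) and resolved at the router end of the tunnel.
    With remote_dns=False the browser resolves the name itself first, so a plaintext DNS
    query crosses the Wi-Fi before the tunnel is ever used.
    """
    header = struct.pack("!BBB", SOCKS5, CMD_CONNECT, 0x00)
    if remote_dns:
        name = host.encode("idna")
        addr, leaked = struct.pack("!BB", ATYP_DOMAIN, len(name)) + name, []
    else:
        ip = FAKE_RESOLVER[host]                  # stands in for gethostbyname()
        addr, leaked = struct.pack("!B", ATYP_IPV4) + socket.inet_aton(ip), [f"A? {host}"]
    return header + addr + struct.pack("!H", port), leaked

def parse_socks5_connect(req: bytes):
    """Decode a CONNECT request into (destination, port), as the PuTTY end does."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS5 or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        dest, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dest, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError(f"unsupported address type {atyp:#x}")
    (port,) = struct.unpack("!H", rest[:2])
    return dest, port
```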

Although we’re configuring our browser for SSH-all-the-time, you may wish to easily toggle your settings. Firefox has a handy extension, FoxyProxy, that makes it super easy to toggle your proxy servers on and off. It supports tons of configuration options like switching between proxies based on the domain you’re on, the sites you’re visiting, etc. If you want to be able to easily and automatically turn your proxy service off based on whether you’re at home or away, for example, FoxyProxy has you covered. Chrome users will want to check out Proxy Switchy! for similar functionality.

Let’s see if everything worked as planned, shall we? To test things out we opened up two browsers: Chrome (seen on the left) with no tunnel and Firefox (seen on the right) freshly configured to use the tunnel.

On the left we see the IP address of the Wi-Fi node we’re connecting to and on the right, courtesy of our SSH tunnel, we see the IP address of our distant router. All Firefox traffic is being routed through the SSH server. Success!

Have a tip or trick for securing remote traffic? Use a SOCKS server/SSH with a particular app and love it? Need help figuring out how to encrypt your traffic? Let’s hear about it in the comments.