Secure web traffic without VPN
Using a VPN these days normally requires a vendor and usually a client to route your web traffic, whether to get past restrictive firewalls or to keep that traffic from being watched, including by your ISP. If what you want is to get your web traffic off the local network unseen, there is an already fast and free alternative: a SOCKS5 proxy over SSH.
SSH's dynamic port forwarding (-D) turns the ssh client into a SOCKS5 proxy listening on your own machine. Whatever an application (a web browser, an IRC client, etc.) sends to it is carried, encrypted, over the SSH session to the server, which makes the outbound connection on your behalf. The differences from a VPN: you have to set it up on an app-by-app basis, and it carries TCP only (no UDP). Since all we care about in this article is web traffic, we will be using Firefox as that application.
Requirements
- a UNIX-like server (I will be using Ubuntu). Since most of you will not be able to host your own on-prem server at home, because most ISPs do not assign static IPs these days, I will be using a VPS provided by a cloud provider (any cloud provider will do).
- an application that can take SOCKS proxy settings (i.e. most web browsers these days)
Set up the tunnel
Open a terminal on your local computer (Windows users will have to resort to PuTTY or WSL), create an SSH key pair with ssh-keygen, and upload the public key to your cloud provider's VPS (AWS users: check that your security group allows inbound port 22, ideally only from your own address). For help with this step, see here.
Then issue the following command:
ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N user@VPS_domain
what is happening here?
- -i: path to your SSH private key.
- -D: tells the ssh client to open a SOCKS listener on the given local port (any unprivileged port, 1024-65535; lower ports need root). Connections made to that port are carried over the SSH session, and the VPS makes the actual outbound connection. By default the listener binds to 127.0.0.1 only; leave it that way, since binding it to 0.0.0.0 hands everyone on your LAN an open proxy into your VPS.
- -f: forks the process to the background once authentication has succeeded.
- -C: compresses all your data before sending it. Most web traffic is already HTTPS and does not compress, so this flag can be dropped.
- -q: quiet mode. Note that it also hides the warning you get when the port is already in use; add -o ExitOnForwardFailure=yes if you want ssh to exit instead of staying up with no listener.
- -N: no remote command is run; ssh just holds the session open for the forwarding.
Replace user@VPS_domain with a user account on the VPS and either the server's IP address or its domain name. The account does not need sudo to open the tunnel; root is only needed later, for changing the sshd configuration.
Unless you fat-fingered something, you should get your prompt back (with -f, the command returns as soon as authentication has succeeded). To verify that your tunnel is running, look for the backgrounded ssh process with -D 1337 in its arguments:
ps aux | grep ssh
Note: Windows users, see here.
Configure Firefox to use your tunnel
- Open Firefox
- click on the hamburger menu
- click on Preferences or Options menu
- scroll to bottom and find Network Settings
- under ‘Configure Proxy Access …’, select Manual proxy configuration
- for the SOCKS Host, enter localhost or 127.0.0.1, and for the port, enter 1337; leave the HTTP and HTTPS proxy fields empty and make sure SOCKS v5 is selected
- check the box 'Proxy DNS when using SOCKS v5' (otherwise Firefox resolves names locally, and every lookup is visible to the network you are on)
- click ‘OK’ and close the configuration
Browse the Internet
Open a new tab and browse. Everything Firefox sends now travels encrypted inside the SSH session from your machine to the VPS, and the VPS opens the connection to the website and relays the response back the same way. Two caveats: the encryption covers only the hop to the VPS; between the VPS and the site the traffic is whatever the site speaks (HTTPS or plaintext), and the VPS provider is now in the position your ISP used to be in. And only Firefox is proxied; other applications still use the normal route. With 'Proxy DNS when using SOCKS v5' checked, Firefox hands the hostname to the proxy and the VPS resolves it, so no DNS queries for the sites you visit leave your machine in the clear; without it, Firefox resolves names locally and the local network sees every lookup. Either way, your ISP or the coffee-shop network sees only an SSH connection to your VPS, not the sites behind it. If you also want WebRTC to respect the proxy, set media.peerconnection.ice.proxy_only to true in about:config.
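Both the verification step above and the DNS checkbox come down to what happens on port 1337, so here is an added example that is not code from the original article: a minimal SOCKS5 client (the same no-auth handshake Firefox performs against 127.0.0.1:1337) next to a stand-in proxy that only records the CONNECT request it receives, so you can see on the wire what 'Proxy DNS when using SOCKS v5' changes. The hostname example.com, the address 93.184.216.34 and the fake resolver are constructed test data; the stand-in proxy implements only the no-auth/CONNECT subset of RFC 1928 and never relays traffic.

```python
"""Minimal SOCKS5 client plus a stand-in proxy that records what it receives.
Added example for this article, not code from the original post.
Constructed test data: example.com, 93.184.216.34, the fake resolver."""
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 1
NO_AUTH = 0
ATYP_IPV4 = 1
ATYP_DOMAIN = 3
REP_SUCCEEDED = 0


def recv_exactly(sock, n):
    """recv() may return short reads; loop until n bytes or the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def build_connect_request(host, port, remote_dns, resolve=socket.gethostbyname):
    """SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928, section 4)."""
    if remote_dns:
        name = host.encode("idna")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name     # the proxy resolves the name
    else:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(resolve(host))  # we resolved it
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + dst + struct.pack("!H", port)


def socks5_connect(proxy, host, port, remote_dns=True, resolve=socket.gethostbyname):
    """Negotiate no-auth with the proxy at `proxy` (host, port) and request
    CONNECT host:port. Returns the socket, now tunnelled, or raises."""
    sock = socket.create_connection(proxy, timeout=5)
    try:
        sock.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))   # offer one method: no auth
        ver, method = recv_exactly(sock, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError("proxy refused the no-auth method")
        sock.sendall(build_connect_request(host, port, remote_dns, resolve))
        ver, rep, _rsv, atyp = recv_exactly(sock, 4)
        if ver != SOCKS_VERSION or rep != REP_SUCCEEDED:
            raise ConnectionError(f"CONNECT rejected, REP={rep}")
        # Drain BND.ADDR/BND.PORT so the caller starts with a clean stream.
        if atyp == ATYP_IPV4:
            recv_exactly(sock, 4 + 2)
        elif atyp == ATYP_DOMAIN:
            recv_exactly(sock, recv_exactly(sock, 1)[0] + 2)
        else:                                          # IPv6
            recv_exactly(sock, 16 + 2)
        return sock
    except Exception:
        sock.close()
        raise


def capture_request(remote_dns):
    """Run a stand-in proxy on 127.0.0.1, connect through it to example.com:443
    and return the (ATYP, address, port) the proxy actually received."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = {}

    def fake_proxy():
        conn, _ = listener.accept()
        with conn:
            _ver, nmethods = recv_exactly(conn, 2)
            recv_exactly(conn, nmethods)
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            _ver, _cmd, _rsv, atyp = recv_exactly(conn, 4)
            if atyp == ATYP_DOMAIN:
                addr = recv_exactly(conn, recv_exactly(conn, 1)[0]).decode("idna")
            else:
                addr = socket.inet_ntoa(recv_exactly(conn, 4))
            port = struct.unpack("!H", recv_exactly(conn, 2))[0]
            seen.update(atyp=atyp, addr=addr, port=port)
            # Success reply with zero BND.ADDR/BND.PORT; a real proxy would relay now.
            conn.sendall(bytes([SOCKS_VERSION, REP_SUCCEEDED, 0, ATYP_IPV4]) + b"\0" * 6)

    worker = threading.Thread(target=fake_proxy, daemon=True)
    worker.start()
    fake_resolver = lambda _name: "93.184.216.34"     # constructed; no real DNS query
    socks5_connect(listener.getsockname(), "example.com", 443,
                   remote_dns, resolve=fake_resolver).close()
    worker.join(5)
    listener.close()
    return seen["atyp"], seen["addr"], seen["port"]


if __name__ == "__main__":
    print("remote DNS:", capture_request(True))    # (3, 'example.com', 443)
    print("local DNS :", capture_request(False))   # (1, '93.184.216.34', 443)
```

Run it and the remote-DNS request carries the hostname (ATYP 3, length-prefixed) while the local-DNS request carries only an IPv4 address (ATYP 1); the resolution that produced that address is the plaintext query the local network gets to see. socks5_connect() pointed at ("127.0.0.1", 1337) with a real hostname also serves as a check that the tunnel is up: if the VPS can reach the target you get a socket back, and a ConnectionRefusedError means nothing is listening on 1337.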
Automating this process
This is all fine and dandy, but we would like to reproduce this in the future, and that's where Bash comes to the rescue. Open your favorite text editor and create a new file:
vim ~/.local/bin/socks.sh # make sure ~/.local/bin is in your PATH
Add the following:
#!/bin/bash -e
# Open the SOCKS tunnel (unless one is already up) and launch Firefox.
PORT=1337
OS="$(uname)"   # command substitution, so $OS holds "Linux" or "Darwin"

# A second ssh -D on the same port fails to bind (silently, because of -q) and
# leaves a useless session behind, so only start one if none is running.
if ! pgrep -f "ssh .*-D ${PORT}" >/dev/null; then
    ssh -i ~/.ssh/id_rsa -D "${PORT}" -f -C -q -N \
        -o ExitOnForwardFailure=yes user@VPS_domain
fi

case "$OS" in
    'Linux')
        /usr/bin/firefox &
        ;;
    'Darwin')
        /Applications/Firefox.app/Contents/MacOS/firefox &
        ;;
    *)
        echo "unsupported OS: $OS" >&2
        ;;
esac
Make the script executable (chmod +x ~/.local/bin/socks.sh) and run it as socks.sh, or as /path/to/socks.sh if it is not in your PATH. If the port in your browser settings is the same as the one in the script, it will start the tunnel, background the process, and open Firefox for you. You can also alias it in your bashrc file.
Potential firewall issues
If you can connect without any issue, you're good to go here.
However, if you cannot make an SSH connection at all, first work out which side is blocking it. If the server's own firewall or your cloud provider's security group does not allow inbound port 22, fix it there; you have root on the server, and most VPS providers allow SSH by default. The case this section is really about is the opposite one: the hotel or café network you are on blocks outbound connections to port 22 while letting web traffic through.
Ports 80 and 443 are almost always allowed out, and your SSH server can listen on one of them as well if it is not serving web content. We'll use port 443, since encrypted traffic is expected on that port. So, from a non-firewalled connection, SSH onto the server and add 443 as an additional listening port. Two things to get right: the file is sshd_config (the daemon's configuration; ssh_config is the client's), and 443 goes next to 22 rather than in place of it, because once any Port directive is active sshd no longer adds the default 22, and a mistake would lock you out:
printf 'Port 22\nPort 443\n' | sudo tee -a /etc/ssh/sshd_config
sudo sshd -t                 # syntax check before restarting
sudo systemctl restart ssh   # the unit is ssh or sshd depending on your distro
Also allow inbound 443 in the server's firewall or security group, the same place you allowed 22. On Ubuntu releases where sshd is socket-activated by systemd (22.10 and later), check that systemctl status ssh.socket lists the new port after the restart; if it does not, the socket unit needs a drop-in with an extra ListenStream for 443.
To verify, open a new terminal (don't close the current one: existing sessions survive the restart, and that shell is your way back in if 443 does not work) and connect on the new port:
ssh user@VPS_domain -p 443
If the connection is successful, log out from both shells and open your SSH tunnel with the new port:
ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N user@VPS_domain -p 443
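Editing this file by hand is where people lock themselves out: the file is sshd_config, not ssh_config (the client's file); once any Port directive is active sshd stops adding the default 22, so 443 has to be added beside 22 rather than instead of it; and a pattern-based edit silently does nothing if the Port line is not written the way you expect. As an added example that is not part of the original article, here is the edit as a small Python routine that handles those cases; SAMPLE_CONFIG is a constructed excerpt of a stock Ubuntu sshd_config and /etc/ssh/sshd_config is the assumed path.

```python
"""Add a second listening port to sshd_config without losing port 22.
Added example for this article, not code from the original post.
SAMPLE_CONFIG below is constructed; /etc/ssh/sshd_config is the assumed
Debian/Ubuntu path and is only touched by update_sshd_config()."""
import re
import shutil

# Matches an active or commented-out Port directive, e.g. "Port 22" or "#Port 22".
PORT_LINE = re.compile(r"^\s*#?\s*Port\s+(\d+)\s*$", re.IGNORECASE)


def add_sshd_port(config_text, new_port, keep_port=22):
    """Return config_text with both `Port keep_port` and `Port new_port` active.
    Why both: once any Port directive is present sshd no longer adds the
    default 22, so appending only `Port 443` drops 22, and an unreachable 443
    then locks you out. Commented `#Port N` lines for either port are
    uncommented, duplicates are removed, and the function is idempotent."""
    if not 1 <= new_port <= 65535:
        raise ValueError(f"invalid port {new_port}")
    wanted = {keep_port, new_port}
    out, active, last_port_idx = [], set(), None
    for line in config_text.splitlines():
        m = PORT_LINE.match(line)
        if m and int(m.group(1)) in wanted:
            port = int(m.group(1))
            if port in active:
                continue                      # drop a duplicate directive
            line = f"Port {port}"             # uncomment / normalise
            active.add(port)
        if m:
            last_port_idx = len(out)          # remember where Port lines live
        out.append(line)
    # Ports still missing go right after the last Port line (which is always
    # before any Match block, where a Port directive is rejected), or at the top.
    missing = [f"Port {p}" for p in sorted(wanted - active)]
    insert_at = 0 if last_port_idx is None else last_port_idx + 1
    out[insert_at:insert_at] = missing
    return "\n".join(out) + "\n"


def update_sshd_config(new_port, path="/etc/ssh/sshd_config"):
    """Rewrite sshd_config (not ssh_config, the client's file) in place, keeping
    a .bak copy. Run `sshd -t` afterwards, before restarting the daemon."""
    shutil.copy2(path, path + ".bak")
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(add_sshd_port(text, new_port))


# Constructed excerpt of a stock Ubuntu sshd_config: port 22 is commented out,
# which still means "listen on 22" only because no other Port line is active.
SAMPLE_CONFIG = """\
# This is the sshd server system-wide configuration file.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
PermitRootLogin no
"""

if __name__ == "__main__":
    print(add_sshd_port(SAMPLE_CONFIG, 443))
```

The printed result keeps Port 22 and adds Port 443 directly under it; running the function a second time on its own output changes nothing, and a config with no Port line at all gets both directives at the top.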
Fin
If you find yourself on a hostile network, such as Starbucks' wifi or a hotel connection, a SOCKS tunnel will give you what you need if you do not trust or cannot use a client-provided VPN. If you run into any snags, or want to leave a comment, just email me at [eax at alvar3z dot com]