Here’s a quick guide on how to set up a secure, SSH-based encrypted proxy. I use this to browse when I want to get to work-restricted sites, and when on a ‘free’ WiFi connection, as nothing is protected on those.
This is all Windows based, but you could quite happily take the concepts and apply them to your OS of choice.
What we need
- A PC connected to the net that’s either on permanently or supports Wake-on-LAN (plus a router that can pass a wake-up packet in from the net). I’ll assume it’s on permanently for now and leave you to configure your WOL.
- An SSH server. For Windows we will be using WinSSHD by Bitvise, as it’s free for personal use and easy to configure and maintain. For *nix systems you could easily use OpenSSH Server.
- An SSH client. Again we will be using a Bitvise product (makes life easy) called Tunnelier. However, you could use OpenSSH or any SSH client you like, for example PuTTY.
- A proxy server. We will use Squid (the Windows build is here). The reason being it’s easy to get running, supports all OSes and is well documented.
- A way of having a permanent name (or IP address). I use No-IP and its client, but a fixed IP or any other dynamic DNS host you fancy will do.
- Some patience
Let’s get started…
- Download and unpack Squid to the C Drive (C:\Squid)
- We should now have a bunch of folders in there, looking a little like the image below.
- Open up the etc folder and rename all the files so they end in .conf (i.e. take the .default off the end of the filenames).
- Fire up Notepad, edit the squid.conf file and search (CTRL-F) for the phrase http_access. This should say http_access deny all; change it to http_access allow all. We are not really worried about the security of your proxy server, as it’s only being accessed by already authenticated clients coming in over SSH. But if you want, set the security up however you desire, as long as 127.0.0.1 has full access (read the section above the change for details).
- Launch a command window, go to the sbin folder in C:\Squid and type squid -z. This will create the swap folders that Squid needs to run. Then type squid to start the app in interactive mode (to check).
- Test this is working by setting the local browser to use 127.0.0.1 on port 3128, if you can browse the net then squid is working.
- If all is good, go back to the command window and press CTRL-C to stop Squid, then type squid -i. This will install the Squid service. Bring up the services control panel (type services.msc and press enter), find the one called Squid, set it to Automatic, and then click Start on it.
Right, Squid installed and running, let’s get the SSH stuff working.
- Install the WinSSHD you downloaded earlier and set it up. After the install it will go through the easy setup and ask for your settings. Here’s what I have, but it’s up to you.
- Don’t worry about that too much now though, as we will configure it in the advanced config. Bring up the app’s control panel if it’s not already open, and click the Edit Advanced Settings link.
- Go to Server/Bindings and add some more ports (see image).
You can of course tick Enable UPnP if you like; it may make configuring your router easier. If it’s not ticked, make sure you forward the ports to the PC on your router.
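The http_access allow all change above is only harmless while Squid is reachable solely from the server itself; Squid’s default http_port 3128 listens on every interface, so on a shared LAN that same edit turns the box into an open proxy for the neighbours. The script below is an added example (not from the post, and not part of Squid) that writes two constructed squid.conf fragments, the post’s edit and a loopback-only hardened version, and audits either for that exposure. The directives used (http_port, acl, http_access) are real Squid directives; the acl name loopback_only is chosen here.

```shell
#!/bin/sh
# Added example: audit a squid.conf for the "open proxy" mistake.
# With "http_access allow all" Squid is safe only when it listens on loopback,
# because then the only clients are the SSH-tunnelled connections arriving on
# the server itself. All directives are real Squid ones; "loopback_only" is our name.

# What the post's edit produces: default listener (all interfaces) plus allow all.
page_style_conf() {
    cat <<'EOF'
http_port 3128
http_access allow all
EOF
}

# Hardened fragment: bind to loopback, allow only loopback, deny everything else.
hardened_squid_conf() {
    cat <<'EOF'
http_port 127.0.0.1:3128
acl loopback_only src 127.0.0.1/32
http_access allow loopback_only
http_access deny all
EOF
}

# audit_squid_conf: reads a squid.conf on stdin. Returns 1 when some http_port is
# not bound to 127.0.0.1 (or [::1]) AND an unconditional "allow all" rule exists,
# i.e. anyone who can reach the server's network could use the proxy.
audit_squid_conf() {
    conf=$(sed 's/#.*//')                       # drop comments first
    exposed=$(printf '%s\n' "$conf" \
        | awk '$1 == "http_port" && $2 !~ /^127\.0\.0\.1:/ && $2 !~ /^\[::1\]:/ { print $2 }')
    allow_all=$(printf '%s\n' "$conf" \
        | grep -E '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' || true)
    if [ -n "$exposed" ] && [ -n "$allow_all" ]; then
        echo "OPEN PROXY RISK: http_port '$exposed' is reachable off-box with 'http_access allow all'" >&2
        return 1
    fi
    echo "ok: proxy is loopback-only or has no unconditional allow"
    return 0
}

# Constructed demo: the post's config is flagged, the hardened one passes.
page_style_conf | audit_squid_conf || echo "(expected: the post's config is flagged)"
hardened_squid_conf | audit_squid_conf
```

To check a real installation, run audit_squid_conf < C:\Squid\etc\squid.conf from a POSIX shell (Git Bash or WSL on Windows); the hardened fragment is a drop-in replacement for the two lines the post changes, and it still lets the tunnelled clients through because their connections arrive from 127.0.0.1 on the server.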
- Everything else should be good to go. Just make sure the startup type is Automatic
- Install the Tunnelier software and set it up; it’s easy to get the connection going. Use your standard Windows username and password.
- We need to set up some port forwards now. Go to the C2S Fwding tab.
Add some local port captures. What we are doing here is taking a local port on your laptop/remote PC and mapping it to a port on the server PC. In the image above I have the following: local port 8088 maps to remote port 3128, the Squid port. That way, if I tell IE to use the proxy localhost on port 8088, I am actually using server port 3128, and hence we get a connection to the outside world from wherever the server is located. The other two are for Terminal Services (RDP), meaning I can connect to the various machines by issuing the command MSTSC /V:localhost:33891 and connecting via the tunnel to the remote machine.
- Pop into the SSH tab and make sure the tick boxes for NONE are not ticked under Encryption and Compression. You always want those to be forced.
- When you’re happy that it’s working as you want, save the configuration.
Make sure you now have a fixed IP or a No-IP account set up and the software installed. Configure the client to connect to that address, and you should be good to go.
The ports I have set up should get you through a lot of things. 443 is obviously the ‘Secure Universal hacking port’, but I’ve also got 21 (FTP) and 53 (DNS) in there, DNS specifically because most locked ‘pay for’ WiFi zones allow DNS resolution and traversal.
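For anyone on the OpenSSH route instead of Tunnelier (including the OpenSSH client that ships with current Windows), the C2S entries above and the alternative server ports translate into -L forwards and a -p choice. The script below is an added example, not from the post: it builds the ssh command for the post’s 8088 → 3128 Squid forward and the 33891 → RDP forward, validating the port numbers. The server name your-noip-name.example and the RDP target rdp-host.example.lan are placeholders; -N, ExitOnForwardFailure and ServerAliveInterval are real OpenSSH options.

```shell
#!/bin/sh
# Added example (not from the post): OpenSSH equivalent of Tunnelier's C2S forwards.
# Each -L is bound to 127.0.0.1 explicitly, so the captured port is reachable
# only from this laptop and not from other devices on the same 'free' WiFi.

# forward LOCAL_PORT DEST_HOST DEST_PORT
# Prints one -L argument: the destination is resolved from the server's side
# of the tunnel (127.0.0.1 there means the server itself, e.g. Squid).
forward() {
    for p in "$1" "$3"; do
        case "$p" in
            ''|*[!0-9]*) echo "forward: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "forward: port out of range '$p'" >&2; return 1; }
    done
    printf '%s' "-L 127.0.0.1:$1:$2:$3"
}

# tunnel_cmd USER@SERVER SERVER_PORT FORWARD...
# Prints the full command. -N: forwards only, no remote shell.
# ExitOnForwardFailure=yes: fail loudly if a local port is already taken rather
# than silently proxying nothing. ServerAliveInterval keeps idle tunnels open.
tunnel_cmd() {
    user_host="$1"; port="$2"; shift 2
    printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30' "$port"
    for f in "$@"; do printf ' %s' "$f"; done
    printf ' %s\n' "$user_host"
}

# The post's table: 8088 -> Squid (3128 on the server itself),
# 33891 -> RDP (3389) on another machine behind the server. Hosts are placeholders.
squid_fwd=$(forward 8088 127.0.0.1 3128)
rdp_fwd=$(forward 33891 rdp-host.example.lan 3389)
tunnel_cmd you@your-noip-name.example 443 "$squid_fwd" "$rdp_fwd"
```

Paste the printed command into a shell, then point the browser at proxy 127.0.0.1:8088 and mstsc at localhost:33891 exactly as described for Tunnelier; swap 443 for 21 or 53 in the second argument to use one of the other bindings added on the server.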
Any questions just shout in the comments.