Introduction: Secure Web Browsing With a SSH Proxy
I'm going to walk you through the very simple process of encrypting your web traffic and pointing it to a known secure network. We will be adding an additional layer of encryption beyond HTTPS by hiding our web traffic inside an encrypted SSH session.
I'm a huge fan of Microsoft Azure. That is where my SSH server lives but don't worry - I've got easy suggestions for everyone.
There are several reasons you might want to do this - both valid and nefarious. Here are a few:
- Public WiFi is great but you never know who is watching your internet traffic - this tunnel encrypts everything between your browser and the SSH server, so the local network only sees an SSH session. Attached above are a few photos of an internet cafe near a friend's house. It does not look sketchy at all.
- Test end user experience. As a computer engineer I use this method to test out of network access. (Is my website up, down or slow to the world, can I ping my external IP address?)
- Access a home network resource like a security camera, file share, etc
- Catch a streaming event not offered in your country - (Thanks to Microsoft Azure global data centers!)
- Circumvent firewalls and security devices - not recommended for people at work or school.
Why not TOR? TOR is slow and I really don't like the idea of potentially sharing my personal network with those partaking in illegal activities.
Why not VPN? VPN setups are complicated, take a good amount of setup on both sides and I have found they can be problematic when trying to access local network resources. With a browser-only tunnel I can connect only a browser to the remote network.
Step 1: Know the Pieces
I've refined my process to be easy to deploy, manage, use and even make it portable. There are two parts:
- SSH Server on a known secure network
  - Valid log in
- Client computer - this is you.
  - SSH client software
  - Browser with altered network settings
I'm a Windows user - instructions will be for a PC - but I won't leave out Mac users.
Step 2: SSH Server
I'm a huge fan of Microsoft Azure. Azure is Microsoft's cloud platform that offers many services, one of which is a virtual data center where you run virtual servers online. That is where my SSH server lives. It is a paid service but my MSDN subscription gives me monthly credit - so I have no out of pocket expenses, otherwise it is about $15-$30 a month. Microsoft really makes it easy to stand up an online Linux server. I'll walk you through the process below.
If you are looking for a free option here are some thoughts for you:
- Your home router. Use No-IP.com to get a dynamic DNS name and put DD-WRT on your router. I've done this for years. It works great.
- Your hosted website. If you have your own .com for your cat photos or blog many offer SSH access. I've got a handful of sites I manage with this access. It comes in handy for making a SSH web proxy.
- Raspberry Pi - the $35 awesome solid state computer. Most distros run Linux. Just port forward 22 from your home router to the Pi.
Instructions for Azure!
Navigate to Portal.Azure.com and click +.
Then click Create, Compute, Ubuntu Server. I use A1 Standard pricing. You do not need a workhorse of a server. A0 would probably work just fine.
Put in a host name, user name and password.
Choose the geographic location of the virtual server you are creating.
Once it is done building check under settings and note the DNS name. Under Settings, Endpoints, SSH note the public SSH port.
Step 3: Local SSH Client
Install your favorite SSH client. I prefer BitVISE to Putty.
Enter your host information, public SSH port, username and password.
Check Enable SOCKS/HTTP Proxy Forwarding
Local Interface: 127.0.0.1
Listen Port: random number. I chose 4567. Note this port; you will need it later.
Click login, accept the server's SSH host key and log in with your password.
Why not putty? BitVISE will run hidden on the taskbar while putty requires an open window. BitVISE also gives you a few more tools from the task bar - like remote RDP and an extra terminal window. I've found these features useful.
Mac users: open Terminal and run the following command:
ssh -D PortNumber username@hostname
For me that was:
ssh -D 4567 NachoSSHuser@instructablesssh.cloudapp.net
Step 4: Local Browser
We've created and connected to our VM over SSH. Now it is time to shove our browser traffic into that encrypted tunnel.
First, let's get our WAN IP address. Browse to WhatIsMyIP.org and note your IP address.
For this I'm going to use Firefox and a plugin called FoxyProxy. You can make these changes manually but the plugin makes life easy... and I'm all about easy.
Get FoxyProxy - compatible with Chrome or FireFox.
Edit proxy settings:
Add a new proxy. Enter a name and make sure at a minimum the "Enabled" and "Perform remote DNS lookups" buttons are checked. You can also do some cool things with your browser cache and cookies here too.
Proxy Details Tab:
Choose the manual proxy configuration.
Enter 127.0.0.1 as your Host IP address and the port you chose earlier. (I chose 4567)
Check SOCKSv5 proxy
Make sure FoxyProxy is enabled for all web traffic. Now browse to WhatIsMyIP.org again. You should see a new IP address.
You have now successfully forced all of your web traffic in that browser to your external network over SSH! Only the browser you configured uses the tunnel: if you open Chrome or IE your traffic will be on your local network. If you open Firefox it will be on your remote network.
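What the "Perform remote DNS lookups" and SOCKSv5 settings above change on the wire, as an added example that is not part of the original article or of FoxyProxy's code: with the box ticked the browser hands the hostname itself to the proxy on 127.0.0.1:4567, so the name is resolved at the SSH server; unticked, the lookup happens on the local network first and only an IP address enters the tunnel. The function names, example.org and 203.0.113.10 are constructed for illustration; the byte layout follows RFC 1928.

```python
import ipaddress
import struct

VER, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_connect(dest: str, port: int) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928, section 4) for a hostname or IP literal."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        # Not an IP literal: send the name itself, so the far end of the
        # tunnel (the SSH server) performs the DNS lookup.
        name = dest.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # Already an address: any DNS lookup happened before the proxy was
        # involved, in the clear on the local network.
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def describe(request: bytes) -> dict:
    """Parse a CONNECT request and report which side resolves the name."""
    if len(request) < 5 or request[0] != VER or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = request[3], request[4:]
    if atyp == ATYP_DOMAIN:
        size, dns_at = body[0], "ssh-server"
        dest, rest = body[1:1 + size].decode("ascii"), body[1 + size:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        size, dns_at = (4 if atyp == ATYP_IPV4 else 16), "local"
        dest, rest = str(ipaddress.ip_address(body[:size])), body[size:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return {"dest": dest, "port": struct.unpack("!H", rest)[0], "dns_at": dns_at}


# Constructed samples: the same page load with the FoxyProxy box ticked and
# unticked. 203.0.113.10 is a documentation address standing in for the
# result of a local lookup.
REMOTE_DNS = build_connect("example.org", 443)
LOCAL_DNS = build_connect("203.0.113.10", 443)

if __name__ == "__main__":
    for req in (REMOTE_DNS, LOCAL_DNS):
        print(req.hex(" "), describe(req))
```

If a packet capture on the local interface still shows DNS queries for the sites you visit while the proxy is enabled, the browser is sending the second form and the lookups are not going through the tunnel.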
Go surf in freedom!