Where pegs grow legs: hanging ideas on words

“I have no special talents. I am only passionately curious.” ~ Albert Einstein

The beauty of ssh

I thought I’d share one small, less commonly used, but very useful capability of ssh. It is technically called local application-level port forwarding, and I use it quite often. I find it useful in two cases:

  1. Secure browsing at conferences and the like
  2. Providing an easy way to access local network resources such as an internal wiki (on my home network).

The command: ssh -l chris -D 12345 local.musialek.org

Setup and Assumptions

I assume that you have a broadband connection to the internet with some sort of router behind it (very common these days). Also, in my example, local.musialek.org has been set to the IP address of my router. Finally, in my router’s configuration, I have set up port forwarding to forward packets on port 22 (standard ssh traffic) to the machine on the local network that actually has sshd running on it. There are other ways of doing this, but I’m not going to go through them, as that is not the point of this post.

Browser proxy configuration

Assuming these things are set up, open a command-line window, type in the command, and log in to your ssh server. Finally, we need to configure a SOCKS proxy in the browser. By connecting to the ssh server on our local network with the -D option, we’ve also opened a listening port, 12345, on the local machine, which forwards packets along our ssh “tunnel”. SOCKS is an interesting protocol whose job is simply to facilitate communication between other protocols (but only the higher layers of the OSI model). It is what allows us to talk multiple protocols over our tunnel. To be precise, any protocol at a higher layer than layer 5, the Session layer, can be proxied. This includes FTP, HTTP, HTTPS, LDAP, DNS, DHCP, etc. It’s most commonly used with HTTP, however, and this is what I want to show today.

Since it’s more easily configurable, I use FoxyProxy to get the SOCKS proxy set up in Firefox. You’ll see options to configure SOCKS.

[Screenshot: FoxyProxy settings]

Make sure to set the port to 12345, which is the port we told our ssh client to listen on (with the -D option). Hit OK and now you’re browsing the internet over your ssh tunnel! That’s it!

Use #1 – Browsing securely

So, use case number one: browsing securely. You’re at a conference, people are potentially looking at your traffic, and you don’t want that. With the above setup, just start up an ssh session back home, configure your browser’s proxy and voilà! Your entire session is now encrypted, and coming out of your wireless router back home.

Use #2 – Browse internal resources

I’ve got a wiki on my local network that you can’t get to from the internet, and I use it for keeping track of more personal things like my grocery list and the recipes I’ve found over the years. Obviously, when I’m home and on my local network, it is accessible, but when I’m not home, I can’t get to it. But with the beauty of ssh, this is possible. Best of all, since DNS is also proxied (via the browser), I don’t have to add special rules: any internal DNS I configure doesn’t have to be set up on my laptop!
