Secure - How to surf via ssh tunnel

From Linux - Help

Surf via an ssh tunnel:

Goal: Route all your Internet traffic through an ssh tunnel when you are surfing outside your home (e.g. on free wifi). This how-to focuses on ssh rather than on an OpenVPN connection; this kind of setup is called "a poor man's VPN".

Hardware prerequisite

A computer running Linux in your home, powered on 24/7, with an ssh server listening on port 22 (or 2222). A Raspberry Pi is a great solution.

Software prerequisites

  • a port forwarding rule in your modem
  • IceCat or the Tor Browser!!! Do not use Firefox or Chrome (Chromium): they track you and are not secure web browsers (test your browser with Panopticlick).

sshd config

Install sshd with the command (Arch only):

 sudo pacman -S openssh
  • search on Google for "openssh" or "openssh-server / openssh-client" together with the name of your distribution to find out how to install it (the client is for the remote computer).

sshd is now installed on your server and needs to be configured: edit /etc/ssh/sshd_config with vim (or nano):

 $ sudo vim /etc/ssh/sshd_config

 Port 22
 ListenAddress ::
 # Protocol, ServerKeyBits, KeyRegenerationInterval, RhostsRSAAuthentication,
 # RSAAuthentication, UseLogin and UsePrivilegeSeparation are relics of SSH
 # protocol 1; OpenSSH 7.4 and later ignore them with a "Deprecated option" warning
 Protocol 2
 HostKey /etc/ssh/ssh_host_rsa_key
 ServerKeyBits 1024
 LoginGraceTime 600
 KeyRegenerationInterval 3600
 # no direct root logins: log in as a normal user and use sudo
 PermitRootLogin no
 IgnoreRhosts yes
 StrictModes yes
 X11Forwarding no
 X11DisplayOffset 10
 PrintMotd yes
 # KeepAlive is the old name of TCPKeepAlive
 KeepAlive yes
 SyslogFacility DAEMON
 RhostsRSAAuthentication no
 RSAAuthentication yes
 # key-only logins, so passwords cannot be brute-forced from the Internet;
 # switch this to "no" only after your key is installed, because ssh-copy-id
 # (see below) still needs one password login
 PasswordAuthentication no
 PermitEmptyPasswords no
 UseLogin no
 UsePrivilegeSeparation yes
 PubkeyAuthentication yes
 # skip reverse DNS lookups of connecting clients (faster logins from unknown networks)
 UseDNS no
  • this is an example and needs to be improved; if you have a better setup, please feel free to edit it in.
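A small audit script, added here as an example and not part of the wiki page, that checks an sshd_config for the settings above the way sshd itself reads them (first occurrence of a key wins, keys are case-insensitive, Match blocks are conditional). It also checks AllowTcpForwarding, which the tunnel command later on this page needs; the file path and the "Key value" (not "Key=value") syntax are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an sshd_config against the
# settings the tunnel setup above relies on. Usage: audit_sshd_config FILE
# Assumes the "Key value" syntax (not "Key=value") and OpenSSH defaults.

# Print the effective value of a directive. sshd uses the FIRST occurrence of
# a key (case-insensitive) and applies "Match" blocks conditionally, so the
# scan stops at the first "Match" line. Prints nothing if the key is absent.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print $2; exit }
    ' "$1"
}

# Compare the directives the page sets (plus AllowTcpForwarding, which the
# client-side "ssh -D" needs and which defaults to yes) with the wanted values.
# Prints one line per directive and returns the number of problems found.
audit_sshd_config() {
    file=$1; problems=0
    while read -r key want; do
        got=$(sshd_effective_value "$file" "$key")
        if [ -z "$got" ]; then
            case "$key" in
                # absent means the (safe) OpenSSH default applies
                AllowTcpForwarding|PubkeyAuthentication)
                    echo "ok      $key (absent, default $want)" ;;
                *)  echo "MISSING $key (want $want)"
                    problems=$((problems + 1)) ;;
            esac
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "ok      $key $got"
        else
            echo "BAD     $key $got (want $want)"
            problems=$((problems + 1))
        fi
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding yes
EOF
    return "$problems"
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after editing; a non-zero exit status is the number of directives that are missing or wrong.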

Now we need to enable and start sshd, so type:

 sudo systemctl enable sshd
 sudo systemctl start sshd

Check that your server is listening on port 22 (or the port you set in the sshd config) with the command:

 $ netstat -tulpn | grep 22
   tcp        0      0    *               LISTEN 

Setup port forwarding

Your server is up and running and you want to reach it from anywhere in the world: from any Internet connection you can then create an ssh tunnel and surf securely through it. For that you need to log in to your modem's web interface. If you don't know how, search on Google for "port forwarding" plus the name of your provider.

My case is a little different: to access my modem I need to go to a website (this behaviour depends on your provider).

Look for the port forwarding tab or page in your modem (usually under advanced settings) and forward port 22 (or the port chosen in the sshd config) to your local server.

If, for example, your server has a given LAN address and you chose port 22 in the sshd config, those are the two pieces of information you enter in your modem (see image below).

(screenshot of the modem's port forwarding rule: 2017-07-13-153616 732x290 scrot.png)

Once the port forwarding rule is set up, it works immediately.

Remote host config

First we need to create a public/private key pair on your computer and copy the public key to your server. Type in bash:

 $ ssh-keygen -t rsa
 Generating public/private rsa key pair.
 Enter file in which to save the key (/home/demo/.ssh/id_rsa): 
 Enter passphrase (empty for no passphrase): 
 Enter same passphrase again: 
 Your identification has been saved in /home/demo/.ssh/id_rsa.
 Your public key has been saved in /home/demo/.ssh/
 The key fingerprint is:
 5a:ed:7a:c6:55:4e:4f:ed:87:39:8c:74:55:3d:83:97 nobody@a
 The key's randomart image is:
 +--[ RSA 2048]----+
 |          .oo.   |
 |         .  o.E  |
 |        + .  o   |
 |     . = = .     |
 |      = S = .    |
 |     o + = +     |
 |      . o + o .  |
 |           . o   |
 |                 |

Now you can type the command to copy the Public key to your server:

 $ ssh-copy-id username@ip_of_your_server

You should see something like:

 The authenticity of host 'ip_of_your_server' can't be established.
 RSA key fingerprint is 5a:ed:7a:c6:55:4e:4f:ed:87:39:8c:74:55:3d:83:97.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added 'ip_of_your_server' (RSA) to the list of known hosts.
 user@'s password: 
 Now try logging into the machine, with "ssh 'username@ip_of_your_server'", and check 
 to make sure we haven't added extra keys that you weren't expecting.

The public key is now located in /home/nobody/.ssh/ and the private key (your identification) in /home/nobody/.ssh/id_rsa.

Now we configure the remote host. You only need bash, ssh, IceCat and an external Internet connection; you can do it from 4G mobile or from a free wifi, but first read everything to be sure you are not missing anything.

First install IceCat. Then, once connected to the other network, type the command:

 ssh -D 5222 -f -C -q -N username@your_isp_ip

Your ISP's public IP can be found by surfing, from your home network, to an IP-check site.

The command will prompt you:

 $ username@ip password: 

Type your password; you can then check that the tunnel is up with the command:

 $ ps aux | grep ssh

It will return:

 nobody  18873  0.0  0.0  52508  3792 ?  Ss 13:14 0:01 ssh -D 5222 -f -C -q -N 

Great, the tunnel is working!!

Configure IceCat

Open your browser and go to Preferences -> Advanced -> Network -> Settings.

You will see that your browser is not using a proxy. Check the box Manual proxy configuration and fill in only the SOCKS host: localhost, port 5222.

Also enable the option Proxy DNS when using SOCKS v5. This is an important option: without it (or if the option is not available) your DNS queries leave your computer directly and you get a DNS leak.

(screenshot of the IceCat proxy settings: 2017-07-13-155907 1919x1000 scrot.png)

So now you can try to surf. If you visit an IP-check site and a DNS leak test, you should get your ISP's IP address both times, which means all your traffic (web and DNS) is routed through your ssh server at home. Beware that if your PC is already compromised by a sniffing application or by malware, this does not secure the connection at all!!!
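The tunnel command and the leak check above, scripted as an added example that is not part of the wiki page. TUNNEL_HOST (username@your_isp_ip) and IP_CHECK_URL are placeholders you must set; with TUNNEL_HOST unset the script only defines its functions. The curl option --socks5-hostname is the command-line counterpart of the browser's "Proxy DNS when using SOCKS v5".

```shell
#!/bin/sh
# Added example (not from the wiki page): start the page's SOCKS tunnel and
# verify it the way the page does by hand. Placeholders (assumptions):
#   TUNNEL_HOST   username@your_isp_ip; unset, the script only defines functions
#   IP_CHECK_URL  any page that echoes the visitor's IP (the page's URL is not given here)
SOCKS_PORT=${SOCKS_PORT:-5222}

# The page's ssh flags plus two safety options: ExitOnForwardFailure makes ssh
# refuse to background itself (-f) when the SOCKS port cannot be bound, so a
# failed tunnel is not mistaken for a working one, and ServerAliveInterval
# makes a dead connection terminate instead of hanging silently.
tunnel_args() {  # $1 = SOCKS port, $2 = user@host; prints one argument per line
    printf '%s\n' -D "$1" -f -C -q -N \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 "$2"
}

# PID of the ssh process holding this SOCKS port, empty if none
# (the scripted form of the page's "ps aux | grep ssh").
tunnel_pid() {
    pgrep -f "ssh -D $1 " 2>/dev/null || true
}

# Fetch a URL through the tunnel. "hostname" resolves DNS on the ssh server,
# curl's equivalent of the browser option "Proxy DNS when using SOCKS v5";
# "local" resolves DNS here and so leaks every lookup to the local network,
# which is exactly the DNS leak the page warns about.
fetch_via_socks() {  # $1 = hostname|local, $2 = URL
    case "$1" in
        hostname) curl -s --socks5-hostname "127.0.0.1:$SOCKS_PORT" "$2" ;;
        local)    curl -s --socks5          "127.0.0.1:$SOCKS_PORT" "$2" ;;
    esac
}

if [ -n "${TUNNEL_HOST:-}" ]; then
    # word-splitting of $(tunnel_args) is intended: one argument per line, no spaces
    ssh $(tunnel_args "$SOCKS_PORT" "$TUNNEL_HOST")
    pid=$(tunnel_pid "$SOCKS_PORT")
    [ -n "$pid" ] || { echo "tunnel did not start"; exit 1; }
    echo "tunnel up (ssh pid $pid)"
    direct=$(curl -s "${IP_CHECK_URL:?set IP_CHECK_URL}")
    via=$(fetch_via_socks hostname "$IP_CHECK_URL")
    echo "direct: $direct / via tunnel: $via"
    [ "$direct" != "$via" ] || echo "WARNING: same address, traffic is not using the tunnel"
fi
```

Running `fetch_via_socks local` against a DNS leak test instead of `hostname` shows the difference the browser option makes: the page content still arrives through the tunnel, but the lookup is answered by the local network's resolver.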