The Many Uses of SSH Tunnels

by twopointfour@riseup.net

SSH, as many of us know, is a protocol for remotely administering computers.

You may hear people say "I'm gonna SSH into that box and restart Apache" or something.  As amazing as being able to remotely (and securely) connect to servers and run commands is, SSH can do a lot more than that.

When you upload files securely with SFTP, you're actually using SSH to transfer the files.  And SSH can also do some awesome port forwarding tricks.  I'll just be talking about one type of port forwarding though: dynamic port forwarding.

Dynamic port forwarding is turning an SSH server into a secure proxy server that your other applications can use.

You'll need access to an SSH server somewhere on the Internet for any of this to work.

You normally get access to one if you pay for web hosting (with any halfway decent web hosting company anyway).  You can pay a hosting company like DreamHost $10 a month and they'll let you create as many SSH users on their server as you want, so you can give them out to your friends who are looking for an SSH server to tunnel through.  If you have a computer that is always on at home, you can even set up your own SSH server.

For the purpose of my examples, I'm going to assume that your SSH server's hostname is myserver and your username is me.

You're also going to need some SSH software.

If you're using Linux or a Mac, you already have it.  If you're using Windows, you'll need to download it.  There's a pretty good SSH client called PuTTY, but unfortunately it doesn't support dynamic tunnels.  So instead, I suggest installing SSH with Cygwin (www.cygwin.com) if you know what you're doing; if you're not sure what you're doing, just use the OpenSSH for Windows port (sshwindows.sourceforge.net).  You don't need to install the server, just the client.

Opening an SSH Tunnel

To create a SOCKS proxy server with SSH (a.k.a., an SSH tunnel), open up a command prompt and type this:

$ ssh -D 8080 me@myserver

This will SSH to myserver with the user me so you can run commands, and it will also start a SOCKS proxy server on localhost, port 8080 in the background.

Tunneling Firefox Traffic

Open up Firefox and download the add-on called FoxyProxy Basic.

This add-on makes it easy to switch between proxy servers.  After you restart Firefox, it should say "FoxyProxy: Disabled" in the bottom-right of the browser.

Right-click on that and select "Options".  Click the "Add New Proxy" button.  A window will pop up with two tabs at the top, "General" and "Proxy Details".

Click the "General" tab and set the "Proxy Name" to be something like "ssh tunnel".

Now click the "Proxy Details" tab and make sure the "Manual Proxy Configuration" radio button is selected.

Under "Host or IP Address" put localhost, and under "Port" put 8080.

Check the box next to "SOCKS proxy?" and make sure the SOCKS v5 radio button is selected.  Then click OK and close the FoxyProxy options.  You have just added your SSH tunnel proxy to FoxyProxy.

Now you can right-click on FoxyProxy in the corner of your browser and switch between "Disabled" and "ssh tunnel".

Go ahead and set it to "Disabled" for now, and go to a website like WhatIsMyIP.com to see what the Internet thinks your IP address is.  The IP address you see is your actual IP address.

Now right-click on FoxyProxy and select ssh tunnel, and refresh the page.  If you opened your SSH tunnel correctly, it should now display a different IP address there, the IP address of your SSH server.  Cool, huh?

So what's actually happening here?

Since SSH connections are all encrypted, I'm going to use => to mean an encrypted SSH connection and -> to mean a plaintext connection.

The first thing you did was:

[home] -> [whatismyip.com]

And the website showed you your IP address.  The second thing you did was:

[home] => [myserver] -> [whatismyip.com]

This time, the website showed you myserver's IP address instead.  And better than that, your connection between home and myserver is encrypted, which means if anyone is trying to eavesdrop on you at your local network, they can't see anything.
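To make the => and -> picture concrete, here is an added example in Python (mine, not code from the article): a minimal SOCKS5 CONNECT client, which is the part Firefox plays when FoxyProxy points it at localhost:8080, plus a tiny SOCKS5 relay server standing in for what sshd does on myserver when you run ssh -D.  The whole chain runs on loopback with a constructed echo service as the "web site", so no SSH server is needed to try it; the hostnames and ports are made up for the demo.  One detail worth noticing: the client sends the destination as a domain name (SOCKS5 address type 3), so the name is looked up at the proxy end.  Firefox only does that when "Proxy DNS when using SOCKS v5" (the network.proxy.socks_remote_dns preference, or FoxyProxy's remote DNS option) is turned on; otherwise every hostname you visit still goes out as a plaintext DNS query on the local network, even though the page traffic itself is tunneled.

```python
import socket
import socketserver
import struct
import threading
from contextlib import suppress

SOCKS5, CMD_CONNECT, NO_AUTH, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 5, 1, 0, 1, 3, 4
REP_OK, REP_FAIL, REP_BAD_CMD, REP_BAD_ATYP = 0, 1, 7, 8
EMPTY_BIND = bytes([0, ATYP_IPV4]) + b"\0" * 6     # RSV + BND.ADDR/BND.PORT (0.0.0.0:0)

def _recv_exact(sock, n):
    buf = b""                                        # handshake fields must never be short-read
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("peer closed the connection mid-handshake")
        buf += chunk
    return buf

def build_connect_request(dest_host, dest_port):
    """CONNECT carrying the destination as a *name* (ATYP 3): the proxy end,
    myserver in the article, does the DNS lookup rather than the laptop."""
    name = dest_host.encode("idna")
    return bytes([SOCKS5, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", dest_port)

def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5.0):
    # Client side: what Firefox does per connection when FoxyProxy points it at localhost:8080.
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    s.sendall(bytes([SOCKS5, 1, NO_AUTH]))           # greeting: we offer one auth method
    ver, method = _recv_exact(s, 2)
    if ver != SOCKS5 or method != NO_AUTH:
        s.close()
        raise OSError("proxy refused the no-authentication method")
    s.sendall(build_connect_request(dest_host, dest_port))
    ver, rep, _rsv, atyp = _recv_exact(s, 4)
    _recv_exact(s, {ATYP_IPV4: 6, ATYP_IPV6: 18}.get(atyp) or _recv_exact(s, 1)[0] + 2)  # drain BND.*
    if ver != SOCKS5 or rep != REP_OK:
        s.close()
        raise OSError(f"SOCKS5 CONNECT refused, reply code {rep}")
    return s                                         # from here on, a plain pipe to dest

def _pump(src, dst):
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)                 # pass the EOF on as a half-close

class _SocksHandler(socketserver.BaseRequestHandler):
    """Server side (what sshd does for `ssh -D`): dial the target from *here*, then relay."""
    def handle(self):
        with self.request as client:
            ver, nmethods = _recv_exact(client, 2)
            if ver != SOCKS5 or NO_AUTH not in _recv_exact(client, nmethods):
                client.sendall(bytes([SOCKS5, 0xFF]))    # no acceptable auth method
                return
            client.sendall(bytes([SOCKS5, NO_AUTH]))
            _ver, cmd, _rsv, atyp = _recv_exact(client, 4)
            if cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:  # this demo relays named targets only
                client.sendall(bytes([SOCKS5, REP_BAD_CMD if cmd != CMD_CONNECT else REP_BAD_ATYP]) + EMPTY_BIND)
                return
            host = _recv_exact(client, _recv_exact(client, 1)[0]).decode("idna")
            port = struct.unpack("!H", _recv_exact(client, 2))[0]
            try:
                upstream = socket.create_connection((host, port), timeout=5.0)
            except OSError:
                client.sendall(bytes([SOCKS5, REP_FAIL]) + EMPTY_BIND)
                return
            with upstream:
                client.sendall(bytes([SOCKS5, REP_OK]) + EMPTY_BIND)
                back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
                back.start()
                _pump(client, upstream)
                back.join()

class _EchoHandler(socketserver.StreamRequestHandler):
    def handle(self):                                # stand-in for the web site at the far end
        self.wfile.write(self.rfile.read())          # echo everything once the sender half-closes

def _listen(handler_cls):
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler_cls)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def demo_round_trip(payload=b"GET / HTTP/1.0\r\nHost: whatismyip.com\r\n\r\n"):
    """Constructed chain on loopback: [client] -> [socks5 relay] -> [echo site]."""
    echo_srv, echo_port = _listen(_EchoHandler)
    proxy_srv, proxy_port = _listen(_SocksHandler)
    try:
        with socks5_connect("127.0.0.1", proxy_port, "localhost", echo_port) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)               # done sending; now collect the echo
            return b"".join(iter(lambda: s.recv(4096), b""))
    finally:
        for srv in (echo_srv, proxy_srv):
            srv.shutdown()
            srv.server_close()
```

Run demo_round_trip() and the bytes come back through the relay.  In the real setup the only difference is that the [client] -> [relay] hop is carried inside the SSH session, which is why a sniffer on your local network sees one encrypted stream to myserver:22 and nothing else.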

Now, on to the tricks

Protecting Yourself on Public Wi-Fi

On open Wi-Fi networks (and many other networks too), it's trivial for an attacker to collect all the packets and look through them.

You can use tools like Aircrack-ng, Wireshark, and Firesheep to do this.

If you set Firefox to send all traffic through your SSH tunnel, people can still try to monitor what you're doing, but all they'll see is a bunch of encrypted SSH traffic.  No one will be able to sniff your traffic or hijack your sessions.  They can even "man-in-the-middle" you if they want - it doesn't matter, they can't see what you're doing.  They can even be sneaky and use tools like SSLSniff to trick you out of using HTTPS, but it won't work.

Starting an SSH tunnel creates a local SOCKS proxy server, which means you can use several applications that support proxy servers, not just Firefox.

You want to connect to your instant messaging server without people stealing your password?  Pidgin and Adium support SOCKS proxies - check out your account settings.  This works with most any email client, most any web browser, most any IRC client, and really most things that you do on the Internet.

If you tunnel it all through SSH, eavesdroppers and attackers can't see what you're doing.  (Also, people in IRC can't tell what your home IP address is.)

Getting Around Internet Censorship

A lot of networks block access to specific websites, like schools and particularly fascist businesses.

A lot of governments have countrywide Internet censorship, like China, Australia, and, if the movie and music industries get their way, the United States and all of the countries in the European Union.  If you're in this situation, you just need to connect to an SSH server outside of your censorship zone and tunnel your traffic through that.  That's it.

So if you're in school and they won't let you connect to Facebook, tunnel your traffic through any random web host, and you can access Facebook through the tunnel.  If you're in China and you can't look up information about Tibet, tunnel your traffic through the United States.

It's quite simple, and since it uses SSH instead of other plain text proxy servers, no one will be able to know what you're doing.

Infinite Megavideo Without Paying

If you've ever tried watching streaming pirated TV on the Internet (come on, we all have), you've probably noticed that most of the shows are hosted on random video hosting sites, and the most popular is megavideo.com.

If you're watching a Buffy the Vampire Slayer marathon, you'll quickly notice that after 72 minutes (into S01E02), you get this error: "You have watched 72 minutes of video today.  Please wait 54 minutes or click here to enjoy unlimited use of Megavideo."  Annoying, right?

What it actually means is "Your IP address has watched 72 minutes of video today."  As soon as you get this error, you can right-click on FoxyProxy and switch from "Default" to "ssh tunnel" (thus switching to a different IP address) and refresh the page.

This time, instead of coming from your home IP, you're coming from myserver's IP.  Megavideo thinks you're a different user and you can continue watching without a problem.  Until, of course, myserver has watched for 72 minutes.

Then you can switch back to "Default" again, since it's been over 54 minutes.

Unlimited HTTPS With PdaNet Trial

PdaNet is an awesome smartphone Internet tethering app that lets you use your phone's data plan on your computer.

You install the app on your smartphone, install another program on your computer, plug your phone in, and start the app.  You can then connect to the Internet through your phone instead of with your wireless card.  I've only used it on my Android phone, but there are versions of PdaNet available for iPhone, BlackBerry, and Windows Mobile.

It comes with a free 30-day trial.  It still works after that, but it blocks HTTPS websites.

By default, SSH uses port 22, HTTP uses port 80, HTTPS uses port 443, etc.  Technically, rather than blocking HTTPS, PdaNet actually just blocks all traffic going out on port 443.

But if you use an SSH tunnel, you'll be accessing port 80, 443, and possibly others, but only exiting your computer through port 22.  So if you use PdaNet to connect to the Internet, start your SSH tunnel and set FoxyProxy to use "ssh tunnel", and none of your HTTPS traffic will get blocked.

PdaNet blocks connections that look like this because you would be connecting to port 443:

[laptop] -> [paypal.com]:443

But they don't block these connections, because you're only connecting to port 22:

[laptop] => [myserver]:22 -> [google.com]:80
[laptop] => [myserver]:22 -> [paypal.com]:443

In Conclusion

To make things easier, you can set up password-less SSHing with public-key authentication (look it up).

You can take the ssh command you run to open the tunnel and put it in a Bash script so you don't have to type that whole thing each time (and you can modify it with -f -N so it just opens the tunnel in the background instead of opening a command prompt).

You can even use something like autossh or a cron job to make sure your tunnel is always open, and then configure your applications to always use it.

Using an SSH tunnel encrypts your traffic locally, gives you another IP address to connect to servers with, and pushes all of your traffic through port 22 (or whatever port your SSH server is listening on).
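The scripting advice above (put the command in a script, add -f -N, make sure the tunnel is always open, check that it really is carrying your traffic), as an added example of my own rather than anything from the article.  It is in Python instead of Bash only so that both examples on this page use one language; it assumes the article's me@myserver and local port 8080, that ssh and curl are on your PATH, and an IP-echo URL you fill in yourself (the one in the code is a placeholder, not a real host).  It also tightens a few things the one-liner leaves at defaults: the listener is bound to 127.0.0.1 explicitly so nobody else on the LAN gets a free proxy, ExitOnForwardFailure stops ssh from quietly running with no SOCKS port when 8080 is already taken, the ServerAlive options make a dead link exit so a cron job or autossh can restart it, and StrictHostKeyChecking=yes is what actually backs the "they can man-in-the-middle you and it doesn't matter" claim, because ssh will refuse to talk to a server whose key is unknown or has changed instead of asking.

```python
import socket
import subprocess
import time

# Names from the article; override per environment.
USER, HOST, LOCAL_PORT = "me", "myserver", 8080
# Placeholder, not a real service: any URL that returns your public address as plain text.
IP_ECHO_URL = "https://ip-echo-service.example/"


def tunnel_argv(user=USER, host=HOST, local_port=LOCAL_PORT, ssh_port=22):
    """The article's `ssh -D 8080 me@myserver`, hardened for unattended use."""
    return [
        "ssh", "-f", "-N",                        # background after auth, run no remote shell
        "-D", f"127.0.0.1:{local_port}",          # loopback only: the LAN cannot use your tunnel
        "-p", str(ssh_port),
        "-o", "ExitOnForwardFailure=yes",         # quit if 8080 is taken instead of running without it
        "-o", "StrictHostKeyChecking=yes",        # unknown or changed host key: refuse, don't prompt
        "-o", "ServerAliveInterval=30",           # notice a dead link on flaky Wi-Fi ...
        "-o", "ServerAliveCountMax=3",            # ... and exit so cron/autossh can restart us
        f"{user}@{host}",
    ]


def port_open(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    with socket.socket() as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def ensure_tunnel(local_port=LOCAL_PORT, wait=15.0, **ssh_kwargs):
    """Start the tunnel unless it is already up, then wait for the SOCKS listener."""
    if port_open(local_port):
        return True                               # already running (earlier run, autossh, ...)
    # check=True: a refused host key or a failed forward raises instead of being ignored
    subprocess.run(tunnel_argv(local_port=local_port, **ssh_kwargs), check=True)
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        if port_open(local_port):
            return True
        time.sleep(0.2)
    return False


def exit_address(local_port=LOCAL_PORT, url=IP_ECHO_URL):
    """Ask an IP-echo site which address it sees, through the tunnel.  --socks5-hostname
    hands the name to the proxy so DNS is resolved at myserver, not on the local network."""
    proc = subprocess.run(["curl", "-sS", "--socks5-hostname", f"127.0.0.1:{local_port}", url],
                          capture_output=True, text=True, check=True, timeout=30)
    return proc.stdout.strip()


if __name__ == "__main__":
    if not ensure_tunnel():
        raise SystemExit("tunnel did not come up")
    print("address the web sees for you:", exit_address())
```

If exit_address() prints your home address rather than myserver's, the tunnel is not being used; if it prints nothing and curl complains about the proxy, the listener is not up, which with ExitOnForwardFailure usually means the port was already taken.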

There are tons of other uses.  Try it out.
