Tunnel Everything through SSH
转自 http://www.plenz.com/tunnel-everything
Tunnel Everything through SSH
This site remains here for legacy reasons and will not be updated! All the other articles are probably still available but not linked any more. Start page.
In this Tutorial I'll cover how you can tunnel any TCP traffic through an encrypted SSH connection or a SOCKS server, even if a certain program doesn't support proxying of connections natively.
The only requirement for SSH tunneling to work is a shell account on a machine connected to the internet (and, optionally, a HTTP Proxy server). I will refer to this account as your server (it doesn't matter if you may not become root).
Tunneling HTTP
In case you just want to tunnel HTTP traffic (to surf safely, to let the request appear to originate from a different IP and/or to not disclose HTTP clear text passwords to your LAN) best practise is to set up Privoxy on your server. By default, Privoxy binds to127.0.0.1:8118 (thus only allowing connections from localhost), which is good for us. No configuration must be done for this.
The next step is to establish a tunnel from your computer to your server's Privoxy. That is done with the following SSH command:
ssh -NL 8118:localhost:8118 user@server
This command opens a tunnel on your computer: All connections to port 8118will be forwarded (encrypted, of course) over the SSH connection and come out at your server's port 8118 (where Privoxy is running).
Once you have established the connection you will want to edit your browser's proxy settings accordingly. Just set the HTTP (and, with some browsers, the HTTPS) proxy to localhost, port 8118.
Advantages
The great advantage over SOCKS tunneling (see below) is, that even the DNS requests are made from your server. No-one on your LAN can gather information on what kind of site you're surfing. Another advantage is that Privoxy already filters out some advertisements and removes sensitive headers from your requests.
Tunneling Arbitrary Protocols (Dynamic Forward/SOCKS)
If you want to tunnel not just HTTP traffic but arbitrary other TCP protocols as well, a HTTP Proxy isn't adequate any more. Instead, you'll have to set up a SOCKS proxy. That also is possible with SSH:
Setting up the SSH proxy
Setting up the SSH SOCKS proxy is really easy. On your computer, just enter the following command:
ssh -ND 3333 user@server
That command establishes a connection to your server, logs in as useruser (you'll have to enter your password though, of course) and then starts a little SOCKS proxy on your server.
On your computer, all connections to port 3333 will be forwarded over the secure SSH channel and will then be forwarded by the proxy to their destination.
Now you'll have to configure the program you want to connect through that tunnel to use localhost, port 3333 as it's SOCKS server (if you have the choice, select SOCKS version 5).
Not many programs support SOCKS proxy forwarding natively (hardly any CLI programs). But there is a workaround for that: tsocks. It enables arbitrary programs which don't support the SOCKS protocol natively to establish connections via a SOCKS server.
How tsocks works
On your computer, install the tsocks program.
I won't go into detail about how this program works, but it basically does the following:
- Before the actual program is loaded tsocks loads its own shared library.
- This library overwrites the kernel's
connect()
function and replaces it with its own. - Whenever the program tries to send a request the request is forwarded through your proxy server (and then over the secure tunnel).
All this is done through setting the environment variableLD_PRELOAD to /usr/lib/libtsocks.so
.
The tsocks program itself is just a simple shell wrapper script. All the actual redirecting stuff is done via the library.
Editing the /etc/tsocks.conf
Now you'll have to edit the file /etc/tsocks.conf
to relay all connections through your proxy. Open the file and delete all lines. Then enter just the following two lines:
server = 127.0.0.1 server_port = 3333
If you may not become root ...
... just enter the two lines from above into a file called.tsocks.conf
and place it in your home directory. Then, write a little shell script:
#!/bin/sh TSOCKS_CONF_FILE=$HOME/.tsocks.conf export TSOCKS_CONF_FILE exec tsocks "$@"
I call this script viaservername
. Place this script in a directory contained in your $PATH
and make it executable.
Tunneling Connections
For programs who natively support proxying connections (e.g. Mozilla Firefox) you can now set the proxy address to localhost port3333. I don't recommend to do that for browsers; instead, use HTTP tunneling (see above).
All other programs which's connections you want to tunnel through your server are prefixed with tsocks. This would look like some of the following program calls (if you wrote a shell script, use that instead of tsocks):
tsocks dog http://www.google.com tsocks netcat example.com 80 tsocks irssi -c irc.freenode.net -p 6667
If you call tsocks without parameters it executes a shell witht the LD_PRELOAD environment variable already set and exported. That means that every program called from this shell will be redirected through the external server and every subsehll started from this shell will also have the LD_PRELOAD variable set. So if you started tsocks directly after logging in all your traffic would be redirected through your external server.
Example
$ cat =myip #!/bin/sh lynx -dump http://tnx.nl/ip $ ssh -fND 3333 xxx@feh # -f: goes to background after prompting for password xxx@feh.name's password: $ IP=`myip`; host $IP Name: p54XXXX8B.dip.t-dialin.net Address: 84.143.XXX.XXX $ IP=`tsocks myip`; host $IP 16:15:23 libtsocks(26802): Call to connect received on completed request 3 Name: feh.name Address: 217.160.108.109
Have fun!
© 2005-2006 Julius PlenzQuestions? Suggestions? Reviews? I love to receive email!
$Id: tunnel-everything.php 73 2006-03-02 12:16:36Z feh $