Dynamic Port Forwarding with SOCKS over SSH

Dynamic Port Forwarding with SOCKS over SSH is probably the easiest and cheapest secure method to connect a client application to a remote host over a preferred port.

This method allows an application on a client computer to make request to a local port, then the requests are forwarded to a remote host, which processes the requests and returns the data back to the client. This is very similar to a simple proxy, with the exception that in a proxy set up the application sends data directly to the remote host, while in this configuration we have an emulated local SOCKS server that handles the requests first and then directs them to the remote computer… oh yeah… and the network traffic is encrypted.

Dynamic Port Forwarding over SSH is in a way a simple alternative to VPN.

Why would anyone need this? Two main reasons immediately come to mind. First, if you are on a public, non secure, non trusted, unencrypted network (for example at the local coffee shop) you can use this method to securely connect to a remote host and have your network traffic encrypted and thus protect your data and privacy. Second, if you need to bypass local network restrictions and monitoring services. A good example here is circumventing surf control restrictions. In most cases, surf control is implemented by monitoring the traffic and examining the tcp/ip packets over port 80. By using Dynamic Port Forwarding over SSH, we channel http traffic through a different port and furthermore all http requests/responses are encrypted via ssh and thus cannot be examined or filtered.

Now let’s see how it is done.

Remote Host Setup.

A remote host is needed that will receive and process the requests from the client. Any computer or device can be the remote host as long as it runs ssh. In this respect any Linux box is ideal for that purpose.

From a practical standpoint, your home router is probably one of the best candidates for being your remote host. You need to run open source software on it, like OpenWRT, DD-WRT, Tomato, etc. and have ssh enabled on it. If you are still running the original firmware that you router came with, you are only using a fraction of the hardware’s capabilities and you are missing out on a lot of great features.

If you plan on using a computer on your home network as the remote ssh host, do not forget to set up the port forwarding on your router accordingly.

Client Setup.

If your client is a Linux box, you hardly have to set up anything. All you have to do is connect to the remote host with the following command:
ssh –D port_number user_name@remote_host
(for example: ssh –D 8080 username@remote-server)

And then the only thing that is left is to configure your application to use SOCKS. Look at the Firefox setup below as an example (Step 7).

If your client is a Windows box, you have to install an ssh client. PuTTY is a good ssh client for Windows and it is free:

Step 1 : Download PuTTY.

Step 2 : Open up PuTTY and put in the host IP address or domain name. Leave the port as the default 22 and give the connection a name under “Saved Sessions” and click “Save”(my example uses a Linux box on the local network) :

Step 3 : Click the “SSH” on the left hand side under “Connections” and make sure that the “Preferred SSH protocol version” is set to 2.

Step 4  : Click on “Auth” and select “Allow agent forwarding”:

Step 5 : Go to “Tunnels” and enter the port in the “Source Port” field, select the “Dynamic” radio button and click the “Add” button. Here optionally you can check “Enable X11 forwarding”, which will come in handy if you want to run graphical applications from the remote host. For this piece to work though, you will need an X11 server running on your Windows client,like Xwing  , but this is beyond this discussion.

.

Step 6  : Click “Session” on the top left to go back to the first screen and save your setting. Click on “OK” …. and enter your userName  and your password of your Linux box .

Step 7 : Now you are ready to configure your application to use the Dynamic Port Forwarding with SOCKS. For this exercise we will configure Firefox. Open Firebox’s “Options” dialog (called “Preferences” if running on Linux) and go to “Advanced” and then “Network”, hit the “Settings” button under “Connection”. In the window that pops up select “Manual proxy configuration”, enter localhost for “SOCKS host” and the port number (8080 for this exercise). Select the “SOCKS v5” radio button and enter localhost, 127.0.0.1 in the “No Proxy for” box:

Now when you browse the internet with Firefox, all the traffic will be directed to the local SOCKS proxy server on port 8080, then the packest will be encrypted and forwarded over ssh on port 22 to the remote host (you can always change the default ssh port to any other port). It is important to notice, that the remote host will decrypt the packets from the client and then make the requests on port 80 without encryption.

My example makes use of a local  CentOs 5.x box just to demonstrate the functionality of SOCKS
It has no sence at all from the prespective of security , because my Linux box is decrypting the packets end send them to the Internet . In reality the Linux box would be hosted on a remote wan location  , the only think that has to be changed is on step 2  –> set the wan IP address  on the proper field .

Now let’s prove the encryption : On my Linux box , I make use of a packet sniffer (tcpdump ) to prove that the communication between  window XP  and Centos is encrypted  .

.

A future tutorial will go more in-depth with tcpdump  . That’s a promise 🙂

.