lvrz.org

Secure web traffic without VPN

Using a VPN these days normally requires a vendor and, often, a client application of theirs to route your web traffic, whether the goal is to get past a restrictive firewall or to keep that traffic from being watched, including by your ISP. VPN clients and protocols have also had their share of vulnerabilities over the years. So if encrypting your web traffic is what you want, there is an already available, fast and free alternative: an SSH tunnel, exposed to your applications as a SOCKS5 proxy.

This proxy is an SSH-encrypted tunnel between a client application (web browser, IRC client, etc.) and a server you control. The main difference from a VPN is that you set it up on an app-by-app basis rather than for the whole system, so anything you do not point at the proxy still goes out directly. Since all we care about in this article is web traffic, we will use Firefox as that application (any modern browser supports SOCKS5 proxies).

Requirements

A server you can reach over SSH (a cheap VPS is enough), an SSH key pair whose public key is installed on it (the commands below assume the private key is ~/.ssh/id_rsa), and Firefox on your machine.

Set up the tunnel

ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N user@VPS_domain

What is happening here?

-i ~/.ssh/id_rsa selects the private key used to authenticate. -D 1337 asks ssh to listen on local port 1337 and act as a SOCKS proxy, forwarding whatever connects to that port through the server. -f sends ssh to the background once it has authenticated, -C compresses the traffic, -q suppresses warnings, and -N tells ssh not to run a remote command, since all we want is the forwarding. By default the -D listener binds only to localhost (127.0.0.1 and ::1), which is exactly what you want on a hostile network: other devices on the same wifi must not be able to use your tunnel.

Replace user@VPS_domain with your user on the server and either the server's IP address or its domain name. The tunnel itself needs no sudo or root; a dedicated unprivileged account that can only log in with a key is the better choice. You only need a privileged account later, if you have to change the SSH server's configuration.

Unless you fat-fingered something, it should give you your terminal prompt back (with -f, ssh still asks for the key's passphrase, if it has one, before going to the background). Then, to verify that your tunnel is running, run:

ps aux | grep ssh

Note: this only tells you that an ssh process is alive, not that port 1337 is actually bound; if another program already had the port, ssh -q starts anyway without a working proxy. Windows users can run the same command with the OpenSSH client that ships with Windows 10 and later, or set up a dynamic forward in PuTTY.

Configure Firefox to use your tunnel

In Firefox, open Settings, scroll to Network Settings and choose "Manual proxy configuration". Set SOCKS Host to 127.0.0.1 and Port to 1337, select SOCKS v5, and tick "Proxy DNS when using SOCKS v5" (the same switch is network.proxy.socks_remote_dns in about:config). Leave the HTTP and HTTPS proxy fields empty; the SOCKS entry covers everything.

Browse the Internet

Open a new tab and browse: every request Firefox makes now travels inside the SSH connection to your server, as does the data coming back, so the local network and your ISP see only one SSH session to your VPS. With "Proxy DNS when using SOCKS v5" enabled, name lookups are sent through the tunnel and resolved on the server side as well, so nobody on the local network can see where you went to go get that traffic; without that setting Firefox resolves names locally and the DNS queries leak even though the page itself loads through the tunnel. Two things the tunnel does not do: it does not encrypt the leg from your server to the website, which is only as protected as the site's own HTTPS, and it does not cover applications you have not pointed at the proxy. Your VPS provider now sits where your ISP used to.
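Two checks worth scripting for the tunnel set up above, as an added example that is not code from the original post: is the SOCKS listener bound to loopback only (a proxy on 0.0.0.0 would serve the whole coffee-shop network), and do DNS lookups really go through the proxy. It assumes the port is 1337 as in the post and that ss (iproute2) and curl are installed; the https://example.com target is an arbitrary stand-in. The ss output embedded in the script is constructed so the listener check can be tried offline.

```sh
#!/bin/sh
# Added example, not code from the original post: two checks for an `ssh -D`
# SOCKS tunnel. Assumptions: the proxy port is 1337 as in the post, `ss`
# (iproute2) and `curl` are installed; SOCKS_PORT may be overridden.
SOCKS_PORT="${SOCKS_PORT:-1337}"

# socks_listener_ok PORT   (reads `ss -ltn` output on stdin)
# Succeeds only if something listens on PORT and every such listener is bound
# to a loopback address. `ssh -D` binds to localhost by default, but
# `-D 0.0.0.0:1337` or GatewayPorts would expose the proxy to the network.
socks_listener_ok() {
    port="$1"
    found=0
    while read -r _state _recvq _sendq laddr _rest; do
        case "$laddr" in
            *:"$port") ;;
            *) continue ;;          # header line or another port
        esac
        found=1
        case "$laddr" in
            127.*:"$port" | "[::1]:$port") ;;
            *) return 1 ;;          # 0.0.0.0, [::] or a real interface address
        esac
    done
    [ "$found" -eq 1 ]
}

# Constructed samples of `ss -ltn` output, so the check can run offline.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128        127.0.0.1:1337       0.0.0.0:*
LISTEN 0      128            [::1]:1337          [::]:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:1337       0.0.0.0:*'
SAMPLE_MISSING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*'

# classify_sample SS_OUTPUT: prints ok, exposed or missing.
classify_sample() {
    if printf '%s\n' "$1" | socks_listener_ok "$SOCKS_PORT"; then
        echo ok
    elif printf '%s\n' "$1" | grep -q ":$SOCKS_PORT "; then
        echo exposed
    else
        echo missing
    fi
}

# Live checks (only run with --live). --socks5-hostname hands the hostname to
# the proxy, so the lookup happens on the VPS; plain --socks5 resolves locally
# and would leak the name to the local resolver. Firefox's "Proxy DNS when
# using SOCKS v5" is the same distinction.
live_check() {
    ss -ltn | socks_listener_ok "$SOCKS_PORT" \
        || { echo "no loopback-only listener on port $SOCKS_PORT"; return 1; }
    curl -sS --max-time 15 --socks5-hostname "127.0.0.1:$SOCKS_PORT" \
        -o /dev/null https://example.com && echo "tunnel and remote DNS OK"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with --live after starting the tunnel; a failure on the first line means the proxy is either not up or listening on an interface address, and a failure on the curl line means the proxy accepted the connection but could not resolve or reach the target from the server side.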

Automating this process

This is all well and good, but we would like to reproduce it in the future, and that is where Bash comes to the rescue. Open your favorite text editor and create a new file:

vim ~/.local/bin/socks.sh # make sure ~/.local/bin is in your PATH

Add the following:

#!/bin/bash -e

# $(uname) runs the command; a bare "uname" in quotes would store the literal word
OS="$(uname)"

# ExitOnForwardFailure makes ssh exit (and -e stop the script) if port 1337 is
# already taken, instead of starting quietly without a working proxy.
ssh -i ~/.ssh/id_rsa -o ExitOnForwardFailure=yes -D 1337 -f -C -q -N user@VPS_domain

case "$OS" in
  'Linux')
  /usr/bin/firefox &
  ;;
  'Darwin')
  /Applications/Firefox.app/Contents/MacOS/firefox &
  ;;
  *);;
esac

Make the script executable with chmod +x ~/.local/bin/socks.sh (or whatever path you used). If the port in your browser's proxy settings matches the one in the script, running it starts the tunnel, backgrounds it and opens Firefox for you. You can also add an alias for it to your .bashrc. Running the script again while a tunnel is already up will not give you a second working proxy, because port 1337 is already taken; kill the old ssh process first.

Potential firewall issues

If you connect without issue, you are good to go. However, if you cannot make an SSH connection at all, the network you are on is probably blocking outbound connections to port 22 (hotel and coffee-shop networks often allow little beyond the web ports). First rule out your own server: since you have root access to it, check the server-side firewall and your VPS provider's firewall settings and make sure SSH is allowed (most providers allow it by default). If the server is fine and it is the local network blocking you, the usual workaround is to make the SSH server also listen on a port that the network does allow. Ports 80 and 443 are almost always open, and sshd can use them as long as the server is not serving web content on them. We will use 443, since encrypted traffic is expected on that port; a simple port filter cannot tell SSH from TLS, although a firewall doing deep packet inspection still can. So, from a non-firewalled connection, SSH onto the server and edit the SSH server's settings, which live in /etc/ssh/sshd_config (not ssh_config, which configures the client):

sudo sed -i "s/^#Port 22/Port 443/" /etc/ssh/sshd_config # only matches if the default line is still commented out
sudo service ssh restart # depending on your distro the service is called ssh or sshd

This replaces port 22 with 443; sshd also accepts several Port lines, so you can keep 22 as a second listener if you prefer. To verify, open a new terminal (do not close the current one, it is your way back in if the change went wrong) and use the new port:

ssh user@VPS_domain -p 443

If the connection is successful, log out of both shells and open your SSH tunnel with the new port:

ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N user@VPS_domain -p 443
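A safer way to do the port change described in this section, as an added example that is not code from the original post: add 443 as a second Port directive instead of replacing 22, keep the change idempotent, and let sshd validate the file before restarting. It assumes OpenSSH with its configuration in /etc/ssh/sshd_config and a stock file in which the directive is still commented out, as on Debian and Ubuntu; the functions take any path so they can be tried on a copy first, and the sample config inside is constructed.

```sh
#!/bin/sh
# Added example, not code from the original post: make sshd listen on 443 in
# addition to 22 instead of replacing it, so a mistake cannot lock you out.
# Assumptions: OpenSSH sshd with its config in /etc/ssh/sshd_config; any path
# can be passed instead so the functions can be tried on a copy first.

# add_sshd_port CONFIG PORT
# Appends "Port PORT" unless an active "Port PORT" line is already present.
# sshd only listens on the implicit default 22 while NO Port directive is set,
# so if the file still has only the commented "#Port 22", an explicit "Port 22"
# is written first to keep the existing access path.
add_sshd_port() {
    cfg="$1"; port="$2"
    if ! grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        printf 'Port 22\n' >> "$cfg"
    fi
    if grep -Eq "^[[:space:]]*Port[[:space:]]+${port}([[:space:]]|\$)" "$cfg"; then
        return 0                 # idempotent: already listening there
    fi
    printf 'Port %s\n' "$port" >> "$cfg"
}

# sshd_ports CONFIG: the active Port directives, space separated, e.g. "22 443".
sshd_ports() {
    grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" \
        | awk '{printf "%s%s", sep, $2; sep=" "}'
}

# Dry run on a constructed copy of a stock config (the Debian/Ubuntu default
# ships the directive commented out), so nothing touches the real sshd_config.
demo_ports() {
    tmp=$(mktemp)
    printf '#Port 22\n#AddressFamily any\nPermitRootLogin no\n' > "$tmp"
    add_sshd_port "$tmp" 443
    add_sshd_port "$tmp" 443     # second call must not duplicate the line
    sshd_ports "$tmp"
    rm -f "$tmp"
}

# Real run (as root, only with --apply): apply, let sshd validate its own
# config, then restart. `sshd -t` exits non-zero on a bad file, so the restart
# never happens with a broken config. Check first that nothing else (a web
# server) already owns 443 on the server: `ss -ltn | grep ':443 '`.
apply_port_443() {
    add_sshd_port /etc/ssh/sshd_config 443
    sshd -t && { systemctl restart ssh 2>/dev/null || systemctl restart sshd; }
}

if [ "${1:-}" = "--apply" ]; then apply_port_443; fi
```

Run the script with no arguments to see the dry run print "22 443", and with --apply on the server to make the change; verify with ssh -p 443 from a second terminal before closing the one you are in, exactly as above.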

Fin

If you find yourself on a hostile network, such as a coffee shop's wifi or a hotel connection, a SOCKS tunnel will give you what you need if you do not trust, or cannot use, a vendor-provided VPN. If you run into any snags, leave a comment below.

Happy hacking!

Subscribe to my blog via RSS.

#howto #sysadmin #vpn