Secure web traffic without VPN

Using a VPN these days normally require a vendor and a possible client to route your web traffic, or to get past restrictive firewalls or to ensure that this same traffic is being watched, and that may even include your ISP. Additionally, VPNs have had vulnerability holes for quite some time (see here). Therefore, if secure web traffic is what you want, there is an already fast, and free alternative: SOCKS5.

This proxy is an SSH encrypted tunnel between a client's application (web browser, an IRC client, etc.) and a server. The only difference between this solution and a VPN?, is that you have to setup the process on an app-by-app basis. Since all we care for in this article is web traffic, we will be using Firefox as that application (any modern browser would work for this technique).


Set up the tunnel

ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N user@VPS_domain

what is happening here?

Replace user@VPS_domain with your privileged sudo user and either the server's IP address or the actual domain name.

Unless you fat fingered anything, it should give you your terminal prompt back. Then, to verify that your tunnel is running, run:

ps aux | grep ssh

Note: Windows users, see here.

Configure Firefox to use your tunnel

Browse the Internet

If you open a new tab, you will see that all of your traffic will be encrypted from now own, as well as the data that you get back from the website! Moreover, your DNS lookups will also be encrypted! which means that your ISP cannot see your traffic or where you went to go get that traffic.

Automating this process

This sounds good and dandy, but we would like to reproduce this in the future, and that's where Bash comes to the rescue. Open your favorite text editor and create a new file:

vim ~/.local/bin/ # make sure that your PATH is set

Add the following:

#!/bin/bash -e

ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N user@VPS_domain

case $OS in
  /usr/bin/firefox &
  /Applications/ &

Make the script executable: chmod +x ~/.local/bin/ or the /path/to/ If your settings in your web browser (i.e. ports) are the same ones within the script, it should start the tunnel, background the process and open Firefox for you. You can also alias it to your bashrc file.

Potential firewall issues

If you are connecting within no issue, then you're good to go here. However, if you cannot make an SSH connection because of a restrictive firewall, then port 22 on the server-side is blocked. Moreover, since you have root access to your server, simply visit your firewall settings and allow SSH (most VPS providers have this set as default). Additionally, ports 80 and 443 are often open as well, and your SSH server can use these ports if it's not serving web content. We'll use port 443 since encrypted traffic is expected over that port. So, from a non-firewalled connection, SSH onto the server and edit the SSH server's settings:

sudo sed -i "s/#Port 22/Port 443/" /etc/ssh/ssh_config
sudo service ssh restart # depending on your distro ssh or sshd

To verify, open a new terminal (don't close the current one) and use the new port:

ssh user@VPS_domain -p 443

If the connection is successful, log out from both shells and open your SSH tunnel with the new port:

ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N user@VPS_domain -p 443


If you find yourself in a hostile network, such as Starbucks' wifi, or a hotel connection. a SOCKS tunnel will give you what you need if do not trust or cannot use a client-provided VPN. If you run into any snags, or want to leave a comment below.

Happy hacking!

Subscribe to my blog via RSS.

#howto #sysadmin #vpn