SSH Tunnels – Part 1: Client Side

This post is the first in an upcoming series of three posts regarding SSH tunneling.  In this post I will demonstrate how to connect a computer to an existing SSH server that is properly configured and accessible over an Internet connection.  If you do not have an SSH server to connect to and/or your SSH server is not accessible over an Internet connection, check out the other parts of this series.

 

SSH Tunnel Series

  • Part 1: Client Side:  Discusses connecting to an existing SSH server and using it to encrypt Internet traffic on untrusted networks.
  • Part 2: Server Side:  Discusses creating and configuring an SSH server.
  • Part 3: Network Side:  Discusses configuring your network to allow SSH connections from other networks, and tips and tools to make connections easier.

 

Example Configuration Used

This how-to requires some previously configured software.  As this configuration will vary from person to person, this can’t be a perfectly personalized guide for your situation.  Instead, I will use some example data as a placeholder for your configuration.  Whenever you see this information in the following how-to, you will need to replace it with the information relevant to your setup.  If you are unsure what this means, feel free to leave some questions in the comments and I will gladly assist you.

Example Server & Network Configuration

SSH Server Address: ssh.jtmorris.net

SSH Server Port: 22

SSH Username: tacos

SSH Password: tacosareawesome

 

Establishing SSH Connection

The first part in using an SSH tunnel is establishing the connection to your SSH server.  The methods for doing so vary from operating system to operating system.  I will detail how to make this connection on a typical Linux distribution, on the most recent versions of Mac OS X, and recent versions of Windows.

Linux Client

For many computer-related tasks, Linux can be much more complex than its Windows and Mac OS X cousins.  Fortunately, in this regard, that is not true.  Linux is supremely easy to set up provided you know the proper terminal command.

  1. Open a terminal window.
  2. Type the following command: ssh -D 5222 tacos@ssh.jtmorris.net -N -p 22
  3. Follow on screen prompts.
    • If a message appears regarding the authenticity of the host and whether you want to remember the host, accept it.  This should be a one time message.
    • You will need to enter a password.  If you are unfamiliar with terminal sessions, please note that it is very common for the screen to remain blank while you type a password.  This is a security feature: it prevents people from peering over your shoulder and seeing your password.  Unfortunately, it makes it look as if the terminal is not responding to your typing.  This is not the case; it recognizes your typing, it just doesn’t display it.  Type the password normally (for this example, it is “tacosareawesome”) and hit enter.
  4. The connection should then be established.  If it was successful, the terminal won’t really react.  You’ll see a blinking cursor on a blank line.  This is good.  Now minimize the terminal.  DO NOT CLOSE IT!  Only minimize.  Upon closing the terminal, your SSH connection will be broken, and you will have to reestablish it before continuing.
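
Because a successful connection prints nothing, one way to confirm the tunnel is up is to look at what is listening on port 5222 and on which address; a listener bound to anything other than loopback (for instance when `-g` or `GatewayPorts yes` is in effect) can be used by other machines on the untrusted network.  The script below is an added example, not part of the original post; it assumes a Linux client with `ss` from iproute2, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report who can reach the SOCKS
# listener that `ssh -D 5222 ...` opens. Input is `ss -ltnH` output (Linux):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

classify_socks_listener() {
    # $1 = local port to look for; stdin = lines from `ss -ltnH`
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # port is the last ":" piece
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            # Anything but IPv4/IPv6 loopback is reachable from the network.
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END {
            if (!found)       print "absent"         # tunnel is not running
            else if (exposed) print "exposed"        # e.g. 0.0.0.0:5222 or *:5222
            else              print "loopback-only"  # default for ssh -D
        }'
}

# Constructed sample: what a default `ssh -D 5222` looks like.
SAMPLE_DEFAULT='LISTEN 0 128 127.0.0.1:5222 0.0.0.0:*
LISTEN 0 128 [::1]:5222 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: listener bound to every interface.
SAMPLE_WILDCARD='LISTEN 0 128 0.0.0.0:5222 0.0.0.0:*'

printf '%s\n' "$SAMPLE_DEFAULT"  | classify_socks_listener 5222
printf '%s\n' "$SAMPLE_WILDCARD" | classify_socks_listener 5222

# On a live Linux client, in a second terminal:
#   ss -ltnH | classify_socks_listener 5222
```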

 

Mac OS X Client

The Mac OS X procedure is very similar to the Linux one.  In fact, outside of the method for accessing the terminal, it should be identical.  As of this writing, you can find the terminal by opening your Launchpad and typing “terminal.”  If you are unable to find it, let me know in the comments and I will gladly help you out.

Once you have a terminal window open, follow the same procedure as the Linux client.

  1. Type the following command: ssh -D 5222 tacos@ssh.jtmorris.net -N -p 22
  2. Follow on screen prompts.
    • If a message appears regarding the authenticity of the host and whether you want to remember the host, accept it.  This should be a one time message.
    • You will need to enter a password.  If you are unfamiliar with terminal sessions, please note that it is very common for the screen to remain blank while you type a password.  This is a security feature: it prevents people from peering over your shoulder and seeing your password.  Unfortunately, it makes it look as if the terminal is not responding to your typing.  This is not the case; it recognizes your typing, it just doesn’t display it.  Type the password normally (in this case, it is “tacosareawesome”) and hit enter.
  3. The connection should then be established.  If it was successful, the terminal won’t really react.  You’ll see a blinking cursor on a blank line.  This is good.  Now minimize the terminal.  DO NOT CLOSE IT!  Only minimize.  Upon closing the terminal, your SSH connection will be broken, and you will have to reestablish it before continuing.

 

Windows Client

Unfortunately, Windows is the most difficult to use of the three operating systems when connecting to an SSH server.  Windows does not have a built-in SSH client to handle the connection like Linux and OS X do.  This means you will need to download an SSH client for Windows.  There are a handful of programs out there that can do the job.  Probably the most popular, and the one that I use, is called PuTTY.  It is a great little tool and has been around for a long time.  You can download it at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.  There are a lot of choices in the list of download options; you want the Windows x86 version of the PuTTY client.  Download the PuTTY file and save it.

PuTTY is a standalone executable file.  This means that it does not install on your computer; it simply runs when you double-click on the file.  Therefore, you will want to move that file somewhere you can find it and won’t delete it.  Once you have PuTTY downloaded, open it and follow the instructions below.

  1. In the category list on the left, scroll down and find the Tunnels category that is located in the SSH section of the Connection category.  Click on that Tunnels section to bring up its options page.
  2. In the Source port field, type 5222.
  3. In the radio button field under Destination, choose Dynamic.
  4. Click the Add button.
  5. Scroll back up the category list and find the Session category.
  6. Under the Host Name (or IP address) section, type in the address of your server.  In this example, it is “ssh.jtmorris.net”.
  7. Under the port, change it to whatever port you are using.  In this case, the default of 22 is accurate.
  8. In the Saved Sessions input field, type a name for this connection (e.g. “SSH Tunnel”), then click Save.
  9. Now, double-click on the “SSH Tunnel” entry in the list below Saved Sessions.
  10. A black terminal window should appear.
    • If this is your first time connecting to the SSH server, you may receive a message regarding the authenticity of the host and whether you want to remember the host.  Click OK.  This should be a one time message.
  11. You will then be prompted to enter a username, “tacos” in this case.
  12. Then a password.  “tacosareawesome” in this case.
    • If you are unfamiliar with terminal sessions, please note that it is very common for the screen to remain blank while you type a password.  This is a security feature: it prevents people from peering over your shoulder and seeing your password.  Unfortunately, it makes it look as if the terminal is not responding to your typing.  This is not the case; it recognizes your typing, it just doesn’t display it.  Type the password normally, and hit enter.
  13. A connection should be established to your SSH server.  If it was successful, you will likely get some form of a prompt.  If it wasn’t successful, some sort of error message should appear.
  14. Now minimize the PuTTY terminal.  DO NOT CLOSE IT!  Only minimize.  Upon closing the terminal, your SSH connection will be broken, and you will have to reestablish it before continuing.

 

 

Configuring Applications to Use SSH Tunnel

The previous section created what is called a dynamic SSH tunnel between port 5222 on your local computer and your SSH server.  However, the creation of the tunnel does not automatically send your Internet traffic through the tunnel.  Instead, you must direct your programs to use the tunnel.  This is accomplished by configuring your programs to connect to a SOCKS proxy on port 5222 of your local computer.  Any program that can be configured to use a SOCKS proxy should work with this SSH tunnel.  Most popular web browsers can be configured to connect to this SOCKS proxy.  The instant messaging client Pidgin can connect through a SOCKS proxy, as can the Mozilla Thunderbird email client and many other programs.  Below, I will demonstrate configuring the Mozilla Firefox web browser on Windows 8.  Most programs should be very similar.  If you have a specific program you would like me to help you with, let me know in the comments below.

Mozilla Firefox Web Browser

  1. Open Firefox, click the menu dropdown at the top left, and then click Options.
  2. Find the Advanced settings tab, and then the Network sub-tab.
  3. Now click the “Settings…” button under connection.
  4. Click the Manual proxy configuration radio button.
  5. In the SOCKS Host input field type “localhost”, and in the “Port” field, type 5222.
  6. Click OK in the Connection Settings dialog window, and then OK in the Options window.
  7. And that should be it.  Firefox is now configured to send all web traffic through the SSH tunnel.
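
Whether hostname lookups also travel through the tunnel depends on a separate Firefox preference, network.proxy.socks_remote_dns, which the steps above do not touch.  The audit below is an added example, not part of the original post; the prefs.js samples are constructed, and it assumes a Firefox build where leaving that preference unset means names are resolved locally (check about:config on yours).

```shell
#!/bin/sh
# Added example (not from the original post): audit Firefox proxy prefs for the
# tunnel on localhost:5222. Input is prefs.js text: user_pref("name", value);

audit_firefox_socks() {
    # $1 = tunnel port; stdin = contents of the profile's prefs.js
    awk -v want_port="$1" '
        /^user_pref\("network\.proxy\./ {
            line = $0
            sub(/^user_pref\("/, "", line)
            sub(/\);[ \t\r]*$/, "", line)
            split(line, kv, /", */)          # kv[1] = pref name, kv[2] = value
            gsub(/"/, "", kv[2])
            pref[kv[1]] = kv[2]
        }
        END {
            host = pref["network.proxy.socks"]
            # network.proxy.type 1 = manual proxy configuration
            if (pref["network.proxy.type"] != "1") { print "proxy-off"; exit }
            if ((host != "localhost" && host != "127.0.0.1") ||
                pref["network.proxy.socks_port"] != want_port) {
                print "not-this-tunnel"; exit
            }
            # Assumption: an unset socks_remote_dns means local resolution.
            if (pref["network.proxy.socks_remote_dns"] != "true") {
                print "dns-local"; exit
            }
            print "dns-via-tunnel"
        }'
}

# Constructed sample: prefs as left by the manual proxy steps.
PREFS_AS_CONFIGURED='user_pref("network.proxy.socks", "localhost");
user_pref("network.proxy.socks_port", 5222);
user_pref("network.proxy.type", 1);'

# Constructed sample: same, plus DNS lookups sent through the proxy.
PREFS_REMOTE_DNS="$PREFS_AS_CONFIGURED
user_pref(\"network.proxy.socks_remote_dns\", true);"

printf '%s\n' "$PREFS_AS_CONFIGURED" | audit_firefox_socks 5222
printf '%s\n' "$PREFS_REMOTE_DNS"    | audit_firefox_socks 5222
```

A result of dns-local means the sites you look up are still visible to the local network's DNS resolver even though the page traffic itself is tunneled.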

 

Tips & Tricks

One thing that most computer geeks have in common is laziness.  For us, repeating all of these steps every time we want to enable an SSH tunnel is a horrifying thought.  As such, I have included a tip or two that will remove some of the tediousness and repetition.

Firefox Add-On:

There are several add-ons for Firefox that let you quickly turn the SOCKS proxy in Firefox on and off.  This is very useful if you only use SSH tunneling some of the time.  My favorite add-on is called Elite Proxy Switcher.  It places a status message in the lower status bar that will cycle the SOCKS proxy connection on and off when clicked.  This keeps you from having to go into the options menu every time you want to turn the tunneling on and off.
