Use OpenSSH as a secure Web proxy

Making sure your computers are secure is, in some respects, a full-time job. It gets even more complicated when you have to worry about wireless security too.

An important concern for travelers who use wireless networks in their travels -- whether they are using the wireless access point at a coffee shop, in an airport, or at the hotel where they spend their nights on a business trip -- is the fact that they never really know how secure that network is, unless they know it is not secure at all. That's the usual case for coffee shop wireless networks: Because they are open to everyone, you simply cannot trust them. If they weren't open to everyone, they would not be worth anything, after all.

The only sane way to address the matter of security on a laptop when you are on a public wireless access point is to be very selective about what resources you are willing to access through that network -- and how you access them. For the most part, this means you should avoid doing things such as logging into your bank's Web site, making purchases online, and otherwise sending sensitive data over this foreign network. Even when the Web site in question uses encryption for session login, that does not necessarily mean that you are not subject to some kind of man-in-the-middle attack or other trickery that would not be as easy from a network you control.

There are ways to protect yourself, however, so that you can access online resources that require sensitive data to be sent back and forth over the connection. One is to use a secure, transparent proxy. Web proxies of any sort can be very difficult for the average user to set up and configure properly, but they can also be incredibly simple, if you have no need for anything more than an encrypted connection to a transparent proxy and use the right tools. Luckily, "the right tools" in this case are very easy to come by.

The following assumes you are going to use a Linux, BSD UNIX, or commercial UNIX system at home as your proxy server. It also assumes you have a persistent Internet connection at home, usually via a typical broadband Internet account through your local DSL or cable ISP.

Server access

The first step to setting up access to your transparent proxy server is to configure the firewall on your home network to forward an SSH port to the computer you will use as your transparent proxy. You do have a firewall at home to provide secure access, right? If you don't, you should stop reading this right now and fix that fact. Connecting a home computer directly to the Internet without a separate firewall device of some sort is a monumentally bad idea.

The process of configuring your home firewall for port forwarding varies wildly from one firewall setup to the next. Most consumer-grade router/firewall devices of the sort you can get at Best Buy or Circuit City (or even Wal-Mart) provide functionality for port forwarding, and it is usually easy enough to figure out on your own. If you run your own Linux or BSD UNIX-based firewall on some old hardware you had lying around, you probably know how to set this up yourself.

We will assume that you have configured your Internet-facing firewall to accept SSH connections on port 2200 and forward them to port 22 on a UNIX-like system on your internal network. It's best if you do not use your firewall itself as the proxy server -- though it is possible (and, for that matter, easy). Make sure you secure SSH against common brute-force password cracking attacks on your proxy server.

You must also make sure that your server has HTTP access to the Internet through the firewall. This usually consists of nothing more complex than making sure you do not configure your firewall to block that access from computers in your network.

Finally, you must ensure you know the IP address you can use to connect to your home network from some outside network. This might be tricky, depending on your ISP. For those service providers that assign a relatively stable IP address, you just need to find out what the IP address is and make sure you do not lose it. You might save it in a text file on your laptop. To find out the IP address, the most obvious method is to visit any of a large number of Web sites that exist specifically for the purpose of telling you your own IP address. Two examples are and

If your ISP changes your IP address regularly, you might need to take more drastic measures. A number of services exist that provide DNS resolution to dynamic IP addresses so that, for instance, you can point a domain name at a Web server you have at home even if your home IP address changes regularly. This is one possible solution to the problem -- and perhaps the easiest.

A client for these services needs to be installed on a computer at home to inform the service's DNS servers when the IP address changes. The ez-ipupdate client is available from both FreeBSD and Debian GNU/Linux software archives for quick and easy installation, and it works with a dozen or so different services that provide DNS resolution to dynamic IP addresses.

Encrypted proxy connection

The rest of the process of using an encrypted connection to a Web proxy at home is done on the client machine -- presumably, your laptop -- and it is not difficult at all with an average install of a UNIX-like operating system such as Debian GNU/Linux or FreeBSD. We will assume you are using such an operating system for now.

If you are using a dynamic DNS resolution service, you would replace the IP address in the following example with the domain name you are using instead. In the example, we will assume that you have the stable home IP address of for the sake of convenience. Creating your encrypted proxy connection involves entering a command such as this:

  $ ssh -D 8080 -p 2200 username@

The "username" part should be replaced with the name of a normal user account on the proxy server at home. This command creates a local transparent proxy on port 8080 that then forwards all traffic it receives to on port 2200.

The last thing you have to do to make everything work is tell your Web browser application to use port 8080 on the local system for all connections. In Firefox, for instance, you would open up the Preferences dialog box, select the Advanced tab, then select the Network tab, and finally click the Settings button to configure your connection. Make sure the Manual Proxy Configuration: radio button is selected. Enter localhost in the SOCKS Host: field and 8080 in the corresponding Port: field.

If for some reason it doesn't work with "SOCKS v5," try switching to "SOCKS v4."

That's all there is to it.