SOCKS proxy with PuTTY and SSH

When using a public wifi hotspot, anyone with some basic sniffing tools can snoop on all your traffic. This includes regular web traffic (HTTP), as well as other accesses like FTP, Telnet and unencrypted POP3/IMAP. If you have access to an SSH server that’s accessible over the Internet, say a server running at home or through a hosting service, it is relatively easy to secure most connections through a SOCKS proxy.

The concept is fairly simple: you establish an encrypted tunnel between your computer and your SSH server. Then you change your browser’s proxy settings to send all traffic through this tunnel. So, say your accessing a website from an open WiFi hotspot (without a tunnel), your connection would look like this:

Your computer <-- open wifi --> WiFi router <-- Internet --> Website

It is the open wifi to the router that leaves you most vulnerable. If you use a SOCKS proxy, your connection now looks like:

Your computer <-- secure tunnel --> SSH sever <-- Internet --> Website

The traffic between your computer and the SSH server will be encrypted and therefore cannot be sniffed, at least not without a whole lot of cryptographic brute-forcing (note: nothing on the network is completely secure). You are still using the WiFi and the router/access-point of the hotspot, but the secure tunnel makes it look like you are connected to the SSH server.

Setting up the tunnel

If you are running some flavour of Unix, Linux or MacOS X, the setup is very simple. First you need to install an SSH client on your machine. Most Linux distros include the excellent OpenSSH client, if not you need to install the openssh package. Once it is installed, fire up a terminal and type:
ssh -D 8080 username@my.sshserver.org

In this case, I’ve chosen “8080” as the proxy port. You can pick any number between 1024 and 65535, but make sure you don’t conflict with any other services using those ports (see TCP and UDP ports list for commonly used ports). Of course, you have to replace “username@my.sshserver.org” with whatever is your login name and server. You’ll be prompted for your password, and once you type it and press ‘Enter’, your tunnel will be established (if you use SSH keys for authentication, you won’t be prompted for your password, and in that case why are you reading this?;-)

Setting up the proxy

Now that you’ve established the tunnel, you can tell your browser to use this tunnel for all traffic. If you use Firefox, go to Tools -> Options and then click on the “Advanced” tab. Now go to the “Network” tab and click on “Settings” next to “Configure how Firefox connects to the Internet”. Click the button for “Manual proxy configuration” and at the line for “SOCKS Host” enter “127.0.0.1” for host and “8080” for the port (remember this is the port we chose above in the tunnel configuration). Select “SOCKSv5″ for the SOCKS version and then click “OK” at the bottom to save the proxy configuration.

That’s it! Now all traffic through Firefox will now go over the secure tunnel, invisible to the others sniffing around you.

From Windows:

Let’s face it: we don’t always have a Linux machine when we need it. If you are stuck with a Windows machine (work laptop, friend’s machine that you are borrowing etc.), you can still setup a secure tunnel. As far as I know, Windows doesn’t come with a SSH client installed by default. So, I recommend you install the excellent SSH client called PuTTY — it is free and distributed under the open source MIT license. Once it’s installed, you can fire it up and in the “Session” section enter your SSH server name under “Host Name”, leave the port at the default ’22’ (unless your SSH server runs on a non-standard port). Note that this is NOT the port for the tunnel, it is just the port that the SSH server listens to for logins.

Then go over to the “Connection” section (on the left pane), and expand the “SSH” sub menu. Under SSH, click on ‘Tunnels’ and under “Add new forward port” enter “8080” for the source port and “localhost” in the destination field. Below that select “Dynamic” and “Auto”. It should look like the screenshot below:
PuTTY tunnel setup

Click “Add” (next to source port) and you should see the forwarding added:
PuTTY tunnel setup

Then go back to the “Session” menu on the left and click “Open” (make sure you’ve already entered your hostname). A new terminal window will open, and you’ll be prompted for your login and password. Once you are logged in, your tunnel is also established. You have a shell you can use to type commands to the server if you wish, but you can simply minimize that window and then go set your proxy in your browser like above. If you close the window the tunnel will be terminated as well.