configuring SSH to act as a vpn tunnel

Maybe I am asking for a miracle but, I would like to configure a web
browser to use a proxy on a remote network. The trick is, due to port
blocking rules the proxy is not accessible outside the network -- which
defeats my plans.

So, what I would like to do is somehow configure firefox to use the ssh
tunnel I establish and connect to the proxy on that remote box (that I
will start).

Before anyone just says "Export the display back for a remote FF
session" I respond:

Yes, I can do that and currently am. However, the latency and BW usage
renders it difficult to use.

so, I guess the general question is: Can I use ssh as a generic vpn??

Christian

Christian Bongiorno <""@ lastname> wrote:
> Maybe I am asking for a miracle but, I would like to configure a web
> browser to use a proxy on a remote network. The trick is, due to port
> blocking rules the proxy is not accessible outside the network -- which
> defeats my plans.
>
> So, what I would like to do is somehow configure firefox to use the ssh
> tunnel I establish and connect to the proxy on that remote box (that I
> will start).
>
> Before anyone just says "Export the display back for a remote FF
> session" I respond:
>
> Yes, I can do that and currently am. However, the latency and BW usage
> renders it difficult to use.
>
> so, I guess the general question is: Can I use ssh as a generic vpn??
>
> Christian

It works, but due to the complexity, it's slow.

For generic VPN, my vote to OpenVPN,
<http://sourceforge.net/projects/openvpn/>.

It runs on both Windows and all kind of UNIXish
systems, including Linux.

There is a theoretical problem of running TCP on top
of TCP, like SSH and many other VPN tunnels do.
OpenVPN can run on top of UDP, where the problem
does not exist.

--

Tauno Voipio
tauno voipio (at) iki fi

Christian Bongiorno wrote:

> so, I guess the general question is: Can I use ssh as a generic vpn??
>

While many apps can run over ssh, why not just use a vpn? I use OpenVPN,
which can be configured to use any udp or tcp port (udp preferred).

In message <gq-dnSWDmcfOdLLfRVn-(E-Mail Removed)>, Christian Bongiorno
wrote:

> Maybe I am asking for a miracle but, I would like to configure a web
> browser to use a proxy on a remote network. The trick is, due to port
> blocking rules the proxy is not accessible outside the network -- which
> defeats my plans.
>
> So, what I would like to do is somehow configure firefox to use the ssh
> tunnel I establish and connect to the proxy on that remote box (that I
> will start).
>
> Before anyone just says "Export the display back for a remote FF
> session" I respond:
>
> Yes, I can do that and currently am. However, the latency and BW usage
> renders it difficult to use.
>
> so, I guess the general question is: Can I use ssh as a generic vpn??
>
It's not a VPN as such, because you don't have complete access to the
network the other end. However, it does work quite nicely if you want to
set up tunnels for a few ports. I use PuTTY on a Windows machine at work to
tunnel various ports on the machine to my home machine, one of which is so
I can use Privoxy on my home machine. I just tell the ssh client to forward
localhostort to remotehostroxyport and tell my web browser to use
localhostort as its proxy server.

Also a good trick if you're using a wireless connection at your local coffee
shop or elsewhere, ssh to home and browse/read mail/news via there, then
it's a lot harder for people to see what you're doing because all they get
are encrypted packets on an ssh link.
--
Dave
mail da (E-Mail Removed) (without the space)
http://www.llondel.org/
So many gadgets, so little time...

> Maybe I am asking for a miracle but, I would like to configure a web
> browser to use a proxy on a remote network. The trick is, due to port
> blocking rules the proxy is not accessible outside the network -- which
> defeats my plans.
>
> So, what I would like to do is somehow configure firefox to use the ssh
> tunnel I establish and connect to the proxy on that remote box (that I
> will start).

If you're planning to run the proxy server on the remote host just to
forward your connections from work, then don't-- there's a simpler way.
Set up a "dynamic port forward" in the client invocation, e.g. -D1080.
This will cause ssh to act as a local SOCKS proxy. SOCKS packets sent
to localhost:1080 will be forwarded over the encrypted channel to the
ssh server, which will unwrap them, send them out to the net, and
forward replies back through the tunnel to the client.

Now just tell Firefox to use localhost:1080 as a SOCKS server. Be sure
to specify SOCKS v5, since this will cause DNS queries to be resolved
remotely instead of locally.

Otherwise, if you're planning to have the remote proxy server running
anyway, then you can just do as Dave suggested-- forward
localhost:someport to remotehostroxyport, and tell Firefox to use
localhost:someport as a proxy server.

--
To reply by email, replace "deadspam.com" by "alumni.utexas.net"

Christian Bongiorno <"<firtname>"@ wrote:
> Maybe I am asking for a miracle but, I would like to configure a web
> browser to use a proxy on a remote network. The trick is, due to port

> blocking rules the proxy is not accessible outside the network --
which
> defeats my plans.

If you can access a remote machine via SSH you can use that to
forward requests to the proxy server, using OpenSSH's tunnels.

For example I have a host I can connect to from work, and I simpl
run:

ssh -L 8080:localhost:8080 (E-Mail Removed)way

This forwards all traffic sent to the local machine on port 8080
to port 8080 on the home gateway which is running squid.

Once this is done inside your browser you simply set your proxy
to b localhost:8080 and all will work correctly.

> so, I guess the general question is: Can I use ssh as a generic vpn??

You can (google for ppp over ssh) but it's slow and incurs a penalty
in
speed.

Instead you should simple use SSH's tunnel facilities, which will be
perfect for your problem. (And the proxy server doesn't even have to
run on the host you're SSH'ing to, so long as the two hosts can see
each other all will be well).

Steve
--
# Debian System Administration
www.debian-administration.org/

Dave {Reply Address in.sig} wrote:

> Also a good trick if you're using a wireless connection at your local
> coffee shop or elsewhere, ssh to home and browse/read mail/news via there,
> then it's a lot harder for people to see what you're doing because all
> they get are encrypted packets on an ssh link.

I did just that last week, except with a vpn. I was in a coffee shop, that
just started offerring WiFi and it's free until April. So, I forced myself
to drink a "Chocolate Lover's Latte, vanilla fudge brownie", so that I
could try out the WiFi service. ;-)

>I did just that last week, except with a vpn. I was in a coffee shop, that
>just started offerring WiFi and it's free until April. So, I forced myself
>to drink a "Chocolate Lover's Latte, vanilla fudge brownie", so that I
>could try out the WiFi service. ;-)

Way off-topic, but I've noticed that what I pay for Starbucks coffee
each month so I can use their WiFi is more than I'd pay VZW for
wireless Broadband....

-Joel

----------------------------------------------------------------------------
Free Bible and Mishna printouts in Hebrew: http://liturgy.exc.com/
----------------------------------------------------------------------------

Dr. Joel M. Hoffman wrote:

>>I did just that last week, except with a vpn. I was in a coffee shop,
>>that
>>just started offerring WiFi and it's free until April. So, I forced
>>myself to drink a "Chocolate Lover's Latte, vanilla fudge brownie", so
>>that I
>>could try out the WiFi service. ;-)
>
> Way off-topic, but I've noticed that what I pay for Starbucks coffee
> each month so I can use their WiFi is more than I'd pay VZW for
> wireless Broadband....

I haven't used the WiFi access in those coffee shops since then, as I don't
care to pay the rate they want. However, the plan offered there is better
than others. With that one, you can pay by the minute, if you charge it to
your cell phone bill or a charge card. With others, you have to pay by the
hour, even if you only use 5 minutes.