59 comments

[ 3.5 ms ] story [ 127 ms ] thread
If anyone's ever looking for an even quicker hack, ssh has built-in the ability to act as a SOCKS5 proxy, tunneling your traffic over ssh to whatever remote machine you might have access to:

$ ssh -D 1080 myserver.myhost.net

Then configure Chrome or Firefox or whatever to use a SOCKS5 proxy on localhost, port 1080. (N.B. that this does not tunnel DNS lookups by default.)

The OpenVPN-based route is the way to go for something used regularly, but the above is sometimes super-convenient!

Yep.. with both browsers I install Foxy-proxy which makes switching proxies super easy.
Even quicker still is to use sshuttle; it automatically transparently tunnels all of your traffic through an SSH connection, without having to change any proxy settings.

Very useful.

You can get the OpenVPN route quite seamless from a client perspective (server is still a pain in the ass to set up).

You can bundle all the configuration for a particular client into a .ovpn file - this includes the client and CA certificates.

I use this on iPhones and iPads, with the OpenVPN iOS app - works great for a family of iOS devices that need access to some geo-locked services.

Agreed, I set myself up an OpenVPN server on digitalocean without too much of a hassle. The easy-rsa utilities make the whole process quite simple. It has frankly been a life saver for me, as it allows me to bypass all restrictions imposed where I live (Oman).
I think the fact that this leaks DNS lookups is really quite key because that gives away a huge amount about what you're looking at over your "vpn", not to mention services like netflix that are pointing you to different responses based upon the source of your dns lookups.

In firefox you want to go to about:config page and turn on network.proxy.socks_remote_dns

Nice! I've been using dnsmasq to route my DNS queries and prevent leakage. Didn't realize the nework.proxy.socks_remote_dns option existed. Thanks for sharing!
I'm using the latest stable release of Firefox (34.0.5) and I see a "Remote DNS" checkbox under my SOCKS proxy configuration. Isn't that the same option in the GUI? No about:config tweaks needed?

I would think so, but everyone seems to be giving the about:config business, so maybe I am missing something.

Most probably it has been added, my notes from this are from 2008 so it's hardly cutting edge! :)
Yes, that is the same option. Toggling the option in the GUI toggles network.proxy.socks_remote_dns in about:config. As default it is, is still off though.
I have been using Chrome/FF extension called FoxyProxy, it tunnels the DNS requests through the SOCKS proxy.
I believe that Mac OS X does tunnel DNS when you configure the proxy through Control Panel -> Network. I used this when I was in the Army and lived in housing whose internet connections were managed by a crappy ISP that did DNS-based filtering of sites they deemed objectionable.
(comment deleted)
Firefox has the config option

  network.proxy.socks_remote_dns 
which you can toggle to prevent DNS leakage.
Even better trick is SSH can actually tunnel level 3 data! Via TUN/TAP interfaces (this is effectively how some VPN implementations do it).

See "-w" option

Here are a few guides. This is more involved than just adding the -D option and setting a "proxy" field in some applications but this is more general as well:

http://sleepyhead.de/howto/?href=vpn

https://wiki.archlinux.org/index.php/VPN_over_SSH

https://help.ubuntu.com/community/SSH_VPN

Yes, except for the TCP-over-TCP issue.
Great point, Colin. That probably explains why it is not more popular (or it is rather a new-ish feature...).

I was just surprised it was there.

SSH does it's own flow control, and with HPN-SSH it is much better.

Also, if your connection to the VPN host is quite good, then the TCP-over-TCP issue does not apply as much. The bad cases happen when that connection has packet loss.

All connections have packet loss.
I sometimes use sshuttle when I want to tunnel traffic through a remote server, can intercept and route DNS requests along the tunnel to using --dns.

    sshuttle --dns -r root@XX.XX.XX.XX 0/0 --exclude 192.168.0.0/9
Exclude as used here stops local addresses being tunneled.
Love sshuttle, sadly it stopped working on OS X some time ago when apple moved from ipfw to pf.

I hope someone is able to crank out a version that used pf soon.

Would setting it as a proxy under the network connection (i.e. Network > Advanced in OS X) force all traffic (including DNS) over the proxy?
You could configure a transparent proxy with Privoxy set to use a custom dns server with dnsmasq and foxy-proxy to configure firefox to use that to forward dns request through your proxy.
Ah yes, ssh tunneling. The high school IT initiate's go-to method to dodge the web filter. It really can be an elegant solution when you don't have the patience to rev up OpenVPN for real.
(comment deleted)
I've been considering running all my mobile data through a VPN for better security, and saving all of it so I can analyze anything after the fact. Anyone doing anything like this?
If you aren't partial to OpenBSD, I've had good success with this:

https://github.com/Nyr/openvpn-install

You can turn off logging on the server with

/etc/openvpn/server.conf

    log /dev/null
    status /dev/null
Remember to restart the openvpn service after that.

That said, this wouldn't deal with the VPS provider's logging etc.

OpenVPN has a tuneable keepalive interval. I think the default is 10 seconds, which is not so good for battery. But if you set it to 10 minutes, that would be fine.

(I bet the roaming between wifi and cellular data could be a problem, though.)

If anyone is interested, here's a script that will install openvpn on a raspberry pi in one command[1].

I use it along with the openvpn ios app on my phone when I'm on corporate wifi, or I connect to it with my laptop any time I'm in a coffee shop. Just note it's meant to tunnel traffic to a "safe" network, not anonymize you on the internet.

1. https://github.com/stephen-mw/raspberrypi-openvpn-auto-insta...

Another solution I'd recommend is SoftEtherVPN[1].

It's a bit easier to configure and supports multiple protocols, including OpenVPN.

[1] https://github.com/SoftEtherVPN/SoftEtherVPN/

Back when I tried SoftEther several months back, by way of VPN Gate, the connections seemed pretty unreliable compared to OpenVPN. I think the VPN Gate software locked down the options in SoftEther, though. Packet loss affected gaming and video streaming in particular. Casual web browsing was OK.
If you are talking about VPNGate, the public VPN gateways, VPNGate can be a mixed bag. As far as I know, those connections are maintained by varying network environments; some are probably better than others.

I use SoftEther server/client for LAN access for work and home, and it works decently well. (Only thing is things like compression and certificate based authentication only works over SoftEther client, although support for certificate auth for other protocols are on its roadmap.)

Some VPS providers _do_ provide shared IPv4 address, as a way to reduce their costs. A set number (e.g. 20) of ports are forwarded to the VPS' internal IPv4 address.

For example: http://lowendspirit.com/

Any VPS which provides 'only' IPv6 will typically support outbound IPv4 via NAT, with that IPv4 address being shared between all customers on the same node.

I am often dependent on a high-latency GPRS link, and the overhead of establishing a tunnel using OpenVPN or SSH (e.g. sshuttle) is prohibitive. OpenVPN is very likely to timeout before it can negotiate a TLS session. This is one of the major reasons why I wrote my own VPN software[1] using NaCl. Deterministic public-key encryption means that there is no negotiation required at startup. The tunnel is therefore ready to use as soon as the program is started. To me, that's the difference between a usable connection and nothing at all.

[1] https://github.com/amenonsen/tappet

What I really want to do is set up something like the "UnblockUs" proxy servers, where it's all done through DNS or something similar. The key reason is for Netflix access here in Australia, through my Apple TV. Ideally it'd be at my router level, to require no config on the boxes themselves, and be able to have a filter list where certain hosts on that list are proxied and others aren't.

Last time I checked there were some nascent projects to do this in a FOSS way, but they weren't complete and most seemed abandoned. Any ideas?

What these services do is spoof the DNS replies -- redirecting your apps towards their reverse proxies.

Eventually this will break due to a) DNSsec, and b) encrypted netflix traffic.

Better come up with a more robust VPN solution. DNS hacks will work until Netflix actually cares enough to stop them.

I was going to comment with this. I have a VPS and have thought about running a VPN from there. This would protect me from a whole lot of man in the middle attacks as well as preventing the ISP's on snooping in on my traffic.

However, another big advantage to a VPN for me is anonimity, not directly giving the site information on who you are. If you were to set this up and use it just for you it's not unthinkable that government organisations like the NSA in Amerika and the AIVD in my homecountry of the Netherlands could identify you pretty easily.

For that I use Private Internet Access[1] right now, they claim to have patched a lot of the important software to have no logging, so they can't keep them. They also share IP addresses between customers which means the IP address is not a form of identification anymore. Their site looks like shit, I agree, but the service is pretty great.

[1]https://www.privateinternetaccess.com/

I use Debian + UFW + OpenVPN + Digitalocean for my US Netflix needs. I get 10Mbit downstream and 20Mbit upstream from NY3 to my 60/60 fiber connection here in Zurich. I could also configure it to use DNS only, but open dns servers are not so welcomed at the moment. Since I do quite a bit of roaming it's easiest to just configure OpenVPN.
These days there's a working OpenVPN client for Android but there were times when IPsec[1] VPN was the only good way to connect many different clients like Windows, Mac OS and iPhone to your VPN server.

Which is why I had to mention IPsec VPN and link to a good article on how to manage it on OpenBSD.

[1] http://www.kernel-panic.it/openbsd/vpn/vpn3.html

Why would you trust a VPS more than a VPN? They still can log or intercept your traffic, can't they?
Because then you can use public Wifi with less paranoia.
SSH over socks 5 would be a better option than OpenBSD
Just don't forget about the fact that OpenSSH depends on OpenBSD (as a project).
Since you need a secure server on the other end to ssh into, why not just go with OpenBSD anyway?
Another approach: https://github.com/jlund/streisand

"Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists."

I suppose you could always come up with some script that recreates the whole VPS and thus get a new IP address... but that makes it overly complicated for most people.
AWS does not charge for first 100 IP addresses.

They also have OpenVPN AMI.

Yeah. And in my case, an rDNS lookup will even resolve to a domain name owned by me, as I run some other utilities on that box.

Not stopping me, though. I use the VPN when using public WiFis, knowing that my data is protected but that I'm not anonymous.

Yes, there is an OpenVPN client on the App Store.