Raspberry Pi as an SSH Tunnel Gateway @stephenMW
The Raspberry Pi is a neat little Linux box that costs $25 and is the size of a credit card. I've been tinkering with mine for about a month now. I know a few people who bought them and are wondering what they can do with it, so I'm going to do a series called "10 slices of Pi".
In this first post, I'm going to show you how to set up your Raspberry Pi to tunnel SSH traffic through your home network. This will help you browse privately and securely from behind firewalls and public wireless hotspots.
Why tunnel SSH traffic?
There are a few good reasons you may want to tunnel your web traffic through your home.

By tunneling your traffic through SSH, it is encrypted against any prying eyes that may be hoping to sniff passwords and sensitive information on a public wireless hotspot.

Encrypting your traffic also defeats website-blocking firewalls at your school, work, or oppressive country, since the firewall only sees a single encrypted connection to your home server.
Requirements
1. An "always-on" SSH server on a trusted network (like your home). This is what the Raspberry Pi will become.
2. An SSH client on the computer or laptop you wish to do the tunneling from (Mac has a native ssh application, and for Windows you can use PuTTY).
3. Firewall rules that allow you to access your OpenSSH server from the outside.
4. A browser that supports SOCKS proxies.
Setting up the Raspberry Pi
Fortunately, there's very little setup we'll actually do on the RPI. Most of what will take place will happen on your router or laptop. The first thing we'll need to do is make sure that your openssh-server is running and accepting connections.

If you're logged into your RPI, simply check if openssh is listening on port 22:

$ nc localhost 22
SSH-2.0-OpenSSH_6.0p1 Debian-3

Looks like it is! If it wasn't listening, netcat would simply hang up on you. If openssh isn't listening, you can run the config again to enable the server.

$ sudo dpkg-reconfigure
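To make that check repeatable (for example before you rely on the port forward later on), here is an added example script that is not part of the original post. It parses the identification string shown above, whose format (SSH-protoversion-softwareversion, optionally followed by a comment) is fixed by RFC 4253, so it also tells you that the thing answering on the port really is an SSH server and not some other service. The netcat timeout flag and the host/port arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): parse the banner an SSH server
# sends on connect, as returned by `nc localhost 22`, and decide whether the
# port is really an SSH server rather than some other service or nothing.
# RFC 4253 banner format: SSH-<protoversion>-<softwareversion> [SP comments]

# Return 0 if the line is a valid SSH-2 identification string, 1 otherwise.
ssh_banner_ok() {
    case "$1" in
        SSH-2.0-*)  return 0 ;;
        SSH-1.99-*) return 0 ;;   # servers that also speak protocol 1 advertise 1.99
        *)          return 1 ;;
    esac
}

# Print the software version field (e.g. OpenSSH_6.0p1), dropping any comment.
ssh_banner_software() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-\([^ ]*\).*$/\1/p'
}

# Probe host:port with netcat (3 s connect timeout, assumed -w flag) and print
# the first line received, stripping the CR that ends the banner.
ssh_probe() {
    nc -w 3 "$1" "$2" </dev/null 2>/dev/null | head -n 1 | tr -d '\r'
}

# Exit status tells you whether host:port serves SSH.
check_ssh() {
    banner=$(ssh_probe "$1" "$2")
    if ssh_banner_ok "$banner"; then
        echo "SSH is listening on $1:$2 ($(ssh_banner_software "$banner"))"
        return 0
    fi
    echo "no SSH banner from $1:$2 (got: '${banner:-nothing}')" >&2
    return 1
}

# Stand-alone usage: `sh check_ssh.sh localhost 22`. The guard keeps the
# script from probing anything when it is sourced without arguments.
if [ "$#" -eq 2 ]; then
    check_ssh "$1" "$2"
fi
```

Run it against localhost:22 on the Pi first, then against your router's public address and external port once the forward is in place; a non-zero exit with "got: nothing" means the connection was refused or timed out, while a non-SSH first line means the forward points at the wrong service.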
Give the Raspberry Pi a static IP
Before you go on to the port forwarding step, you'll want to take a moment to give your RPI a static IP on the network. Since it's a regular Linux computer the steps are the same.

$ sudo vi /etc/network/interfaces

auto eth0
iface eth0 inet static
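A complete static stanza for /etc/network/interfaces, as an added example with assumed values rather than the addresses from the original post: the home LAN is taken to be 192.168.1.0/24 with the router at 192.168.1.1, and the RPI is given 192.168.1.50. Pick an address outside your router's DHCP pool, and use the same address as the target of the port-forward rule in the next step, otherwise the forward breaks the next time DHCP hands the Pi a different lease.

```text
# /etc/network/interfaces (added example, assumed addresses)
auto eth0
iface eth0 inet static
    # fixed address the router's port-forward rule will point at
    address 192.168.1.50
    netmask 255.255.255.0
    # the router
    gateway 192.168.1.1
    # honoured by the resolvconf package on Debian; otherwise edit /etc/resolv.conf
    dns-nameservers 192.168.1.1
```

Apply it with `sudo ifdown eth0 && sudo ifup eth0` (or reboot), then confirm with `ip addr show eth0` that the address stuck and that the `nc` banner check still works from another machine on the LAN.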
Since port 22 is a privileged port and is frequently scanned, I'm going to pick a random unprivileged port (those above port number 1024).

In this example, we're forwarding external port 7000 from the outside to internal port 22 on the RPI server.

This means when you connect to your router on port 7000, it will send that traffic to your RPI on port 22. You'll need to forward it to your Raspberry Pi's internal network address.

Put in your appropriate settings and restart your router. Now it's time to test if it's listening properly to the outside world. You can use the port forwarding tester over at yougetsignal.com.

Directions for doing that in Windows using PuTTY can be found here.

If you're on a Mac you can look at my previous post here: How to SSH Tunnel on a Mac.

You are now relaying your internet traffic through your Raspberry Pi as a proxy.
Caveats
This will forward your web traffic (ports 80 and 443), but will not forward DNS queries (port 53): by default the browser resolves hostnames with the local resolver before sending the request through the SOCKS proxy. Your DNS server could be keeping a log, so your browsing isn't completely private.
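Putting the client side together, as an added example that is not part of the original post or of the Mac and PuTTY posts it links to: the script below builds the ssh command for the local SOCKS proxy (binding the listener to 127.0.0.1, using the external port the router forwards, which is the -p option the comments below found necessary) and emits the Firefox user.js lines that also route hostname lookups through the proxy, which is what closes the DNS caveat. The hostname home.example.com, the user pi, external port 7000 and local SOCKS port 1080 are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the original post): build the client-side pieces of
# the tunnel and make sure DNS goes through it too.
# Assumed names: router public name home.example.com, external port 7000
# forwarded to the RPI's port 22, login "pi", local SOCKS port 1080.

# Validate that a port is numeric and unprivileged (1024-65535), the range the
# post recommends for the externally exposed port.
is_unprivileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line for a local SOCKS proxy.
#   -N  no remote shell, only forwarding
#   -D  bind the SOCKS listener on 127.0.0.1 only, so nothing else on the
#       hotspot LAN can relay through your home connection
#   -p  the external port the router forwards to the Pi's port 22
#   ExitOnForwardFailure makes ssh quit if it cannot open the listener,
#       instead of leaving a session that silently proxies nothing
socks_tunnel_cmd() {
    host=$1; ext_port=$2; user=$3; socks_port=$4
    is_unprivileged_port "$ext_port"   || { echo "bad external port: $ext_port" >&2; return 1; }
    is_unprivileged_port "$socks_port" || { echo "bad SOCKS port: $socks_port" >&2; return 1; }
    printf 'ssh -N -D 127.0.0.1:%s -p %s -o ExitOnForwardFailure=yes %s@%s\n' \
        "$socks_port" "$ext_port" "$user" "$host"
}

# Print Firefox user.js lines that send both web traffic and hostname lookups
# through the SOCKS proxy. network.proxy.socks_remote_dns=true is the setting
# that closes the DNS-leak caveat: without it Firefox resolves names with the
# local (hotspot-assigned) resolver before connecting through the proxy.
firefox_socks_prefs() {
    socks_port=$1
    cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $socks_port);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Stand-alone usage with the assumed values.
socks_tunnel_cmd home.example.com 7000 pi 1080
firefox_socks_prefs 1080
```

Drop the user.js output into the Firefox profile directory (or set the same five keys in about:config, as the comment thread below describes) and keep that profile for tunnelled browsing only; with the SOCKS listener bound to 127.0.0.1 and remote DNS enabled, the only connection visible on the hotspot is the single SSH session to port 7000 on your router.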
Posted by Stephen Wood at 4:43 PM
18 comments:
Hi Stephen, nice post. Instead of port forwarding you might also use Yaler, our simple relay infrastructure. The YalerTunnel command line tool offers generic protocol tunnelling via HTTP. Please see http://yaler.net/ for info and contact.
Kind regards,
Thomas

I've had great results doing something similar to this with SOCKS5 proxies via ProxySwitchSharp for Chrome, and host-based ssh configs to pipe data through bastion hosts that exist across multiple production environments! ^_^

A few tips that might be useful if you want to access another server via ssh after your home ssh server: utilize ssh-agent-forwarding as well as ControlPath in the ssh config.

http://www.unixwiz.net/techtips/ssh-agent-forwarding.html

Agent forwarding, when combined with key-based auth, will allow you to only unlock the private key ONCE. So, after the initial connection, you won't be prompted for a key password. This makes things a lot more secure for automation as an alternative to assigning a blank password or something.

http://protempore.net/~calvins/howto/ssh-connection-sharing/#section-02

ControlPath is a way to pipe all your traffic for a given host over one pipe by utilizing a socket file that is created. This will help speed up subsequent connections and transfers!

I run the standard Debian system provided by the Raspberry Pi website. I think it's squeeze?

Appreciate your tip. I can't find this in FF version 22.0 on the Mac. Could you explain a little more? Thx,

In your Firefox address bar, type in "about:config" and hit enter. Click on "I'll be careful, I promise" to open up the configuration.

Generally speaking you'll want to disable these settings once you're done or you'll have to enable your SOCKS proxy every time you use the net. That's why I use Firefox entirely for SSH tunnel traffic and Chrome for everything else. It's just handier to leave the settings intact :)

Good luck!

For some reason, the ssh -D XXXX user@host -vv line, which is mentioned in the "SSH Tunneling on Mac in 5 Minutes" post, wasn't working for me. After fiddling around, I found that ssh -D XXXX user@host -p XXXX -vv did work.

Thanks for the tip Tyler, I had the same problem using my Mac OS 10.8.4 to log in using Terminal.

Hi Stephen,

Many thanks for this tutorial. I'm planning on doing something similar soon.

I have a question though. Is it possible to modify this configuration so that after ssh tunneling into the Pi from a remote location, you could have the Pi then forward all traffic to another remote VPN server? I've been searching all over to see if this is possible, but I have a suspicion I may be overthinking it. Is it as simple as setting up an OpenVPN client on the Pi, alongside setting up the ssh server?

Remote Laptop ---[SSH Tunnel]---> Raspberry Pi w/ SSH server & OpenVPN Client ---[OpenVPN]---> OpenVPN Server ---> Internet

Of course, if you're fine with your traffic going over the public inet you could just run something like squid on your remote server and have it proxy all of your rpi web traffic.

I've never set that up personally but the setup should be no different than any other Debian machine.