Hi all! Given the recent news about government spying and all, I thought this would be a good time to start securing my internet connection. I have a Raspberry Pi at home (also running Arch!), and when I'm out in the world I'd like to tunnel all my web traffic through ssh to it. Here's my setup so far:
I created a 'tunnel' user on the Pi. Then I ran ssh-keygen on my laptop to generate tunnel_rsa and tunnel_rsa.pub, and copied tunnel_rsa.pub to /home/tunnel/.ssh/authorized_keys on the Pi.
I installed ufw on the laptop and set it up to only allow SSH:
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
SSH                        LIMIT       Anywhere
SSH (v6)                   LIMIT       Anywhere (v6)
22                         ALLOW OUT   Anywhere
22                         ALLOW OUT   Anywhere (v6)
I installed proxychains on the laptop, and edited /usr/bin/{proxychains,proxyresolv} to point to their correct libs:
export LD_PRELOAD=/usr/lib/libproxychains.so
I wrote /etc/proxychains.conf to use localhost as a proxy:
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 9050
I signed up for free DNS with no-ip.org, and set up my home router to update it. I also forward port 22 to the Pi from there.
I installed autossh on the laptop.
Now I can establish a tunnel from the laptop to the Pi like so:
autossh -M $AUTOSSH_PORT -TND 9050 tunnel@$PI_IPADDR -v
It's working great for the most part! The firewall rejects everything but SSH, and I can prefix commands with 'proxychains' to dynamically forward them through the tunnel. Once it's working consistently I'll put the 'export LD_PRELOAD...' line in /etc/profile.d/proxychains.sh to invoke it automatically.
But there's one little problem. When I'm at a cafe or whatever, I have to disable ufw, agree to some random wifi agreement via browser, ping for the current ip address of my Pi, and then start the tunnel. Is there a good way to automate that or get around it?
So far I'm thinking a post-connection script that:
1) disables ufw or adds rules to allow DNS (port 53) and http (port 80)
2) waits for successful ping to some website, signifying that I've got wifi working
3) pings for the IP address of my Pi
4) enables ufw or removes the extra rules
5) starts the tunnel using autossh
There's also the issue of detecting whether I'm on my home network, and if so changing $PI_IPADDR.
Does that sound about right? Are there ways to improve it?
Thanks!
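As an added example (not code from the original post), here is one way to script steps 1-5 above plus the home-network check, written to run as the normal user with sudo used only for the ufw calls. Everything not in the post is an assumption: the no-ip hostname pi.example.no-ip.org, the Pi's LAN address 192.168.0.10 (the 192.168.0.0/24 LAN itself comes from the ufw rule in the post), the key path ~/.ssh/tunnel_rsa, the captive-portal probe http://detectportal.firefox.com/success.txt (which answers with the literal body "success" once you are really online), and opening port 443 as well as 53 and 80, since many portal login pages are served over HTTPS.

```shell
#!/bin/sh
# Added example, not the original poster's script. Opens the firewall just long
# enough to get through a cafe captive portal, resolves the Pi's dynamic-DNS name
# while port 53 is still open, removes the extra rules, then starts autossh.
# Hypothetical values (not from the post) are marked as such.
set -u

PI_DDNS="${PI_DDNS:-pi.example.no-ip.org}"        # hypothetical no-ip hostname
HOME_NET_PREFIX="${HOME_NET_PREFIX:-192.168.0.}"  # LAN from the ufw rule
PI_LAN_ADDR="${PI_LAN_ADDR:-192.168.0.10}"        # hypothetical LAN address of the Pi
TUNNEL_KEY="${TUNNEL_KEY:-$HOME/.ssh/tunnel_rsa}"
AUTOSSH_PORT="${AUTOSSH_PORT:-20000}"
SOCKS_PORT="${SOCKS_PORT:-9050}"
PROBE_URL="${PROBE_URL:-http://detectportal.firefox.com/success.txt}"

# A captive portal answers the probe with its own login page (or a redirect),
# so only the exact body "success" counts as "internet is working".
portal_cleared() {
    [ "$1" = "success" ]
}

# Accept only a dotted-quad IPv4 address as the Pi's address, so a portal's
# spoofed or empty DNS answer never gets handed to ssh.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# On the home LAN talk to the Pi directly (the router's port forward may not
# hairpin); anywhere else go through the dynamic-DNS name.
pick_pi_target() {
    case "$1" in
        "$HOME_NET_PREFIX"*) printf '%s\n' "$PI_LAN_ADDR" ;;
        *) printf '%s\n' "$PI_DDNS" ;;
    esac
}

open_portal_rules() {
    for port in 53 80 443; do sudo ufw allow out "$port" >/dev/null; done
}

close_portal_rules() {
    for port in 53 80 443; do sudo ufw delete allow out "$port" >/dev/null; done
}

# Poll the probe (up to 5 minutes) while you click through the portal in a browser.
wait_for_internet() {
    tries=0
    while [ "$tries" -lt 60 ]; do
        body=$(curl -s -m 5 "$PROBE_URL" 2>/dev/null)
        if portal_cleared "$body"; then return 0; fi
        tries=$((tries + 1)); sleep 5
    done
    return 1
}

main() {
    trap close_portal_rules EXIT          # never leave the extra rules behind
    open_portal_rules
    wait_for_internet || { echo "still no internet after portal wait" >&2; exit 1; }
    my_ip=$(ip -4 route get 1.1.1.1 2>/dev/null |
            awk '{for (i = 1; i <= NF; i++) if ($i == "src") {print $(i+1); exit}}')
    target=$(pick_pi_target "$my_ip")
    if ! is_ipv4 "$target"; then
        # Resolve now: once the rules are gone only port 22 out is allowed,
        # so ssh could not look the name up itself.
        target=$(getent ahostsv4 "$target" | awk 'NR == 1 {print $1}')
        is_ipv4 "$target" || { echo "could not resolve $PI_DDNS" >&2; exit 1; }
    fi
    close_portal_rules
    trap - EXIT
    # Same dynamic forward as in the post. HostKeyAlias keeps one known_hosts
    # entry for the Pi however often its public IP changes, so a changed key
    # still gets flagged instead of being silently accepted as a "new" host.
    exec autossh -M "$AUTOSSH_PORT" -TND "$SOCKS_PORT" -i "$TUNNEL_KEY" \
        -o HostKeyAlias=pi-tunnel -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 "tunnel@$target"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `./tunnel-up.sh --run` after associating with the wifi; it blocks until the probe reports a real connection, then execs autossh in the foreground (add -f to autossh if you want it backgrounded). The address checks matter because a portal's DNS will happily answer for your no-ip name before you have logged in, and because the only thing left in the firewall afterwards is port 22 out.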