Automatically starting an encrypted tunnel

This shows you how to make a tunnel start automatically…

This article assumes that you have accomplished the steps at http://kaslnetwork.com/blog.php?id=84 and is for those using a Linux client (it can probably be done on Windows too with PuTTY, but this article doesn't show you how to do that).

This is a very easy article, so I'm just going to give you the steps:

cd ~
touch .ssh_autostart
echo '#!/bin/bash' > .ssh_autostart
echo 'sleep 10 && ssh -f -L 10000:your_virtual_host.com:80 user@myserver.com -N' >> .ssh_autostart
chmod +x .ssh_autostart

(The single quotes matter: in an interactive bash shell the ! in "#!/bin/bash" still triggers history expansion inside double quotes, and the echo fails with "event not found". The sleep 10 gives the network a moment to come up after login before ssh tries to connect.)

Now you need to make your computer run the .ssh_autostart file automatically when you log in. One thing to sort out first: the script runs with no terminal to type a password into, so the login to myserver.com has to work non-interactively, which means key-based authentication with the key either unencrypted or already loaded into ssh-agent. If you are using GNOME, open the startup applications dialog and add a "New" entry whose command is the full path to the script:

gnome-session-properties
/home/your_username/.ssh_autostart

Now, after you log out and log back in, the tunnel should be automatically started.
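For anyone who wants the autostart script to be a bit sturdier than the two-line version above, here is an added example (my own, not the original author's script): a supervisor that starts the tunnel with the options OpenSSH provides for unattended use, restarts it if the connection drops, and refuses to run twice. The host names, user name and port 10000 are the article's placeholders; the pid and log file locations under $HOME are my own choice.

```shell
#!/bin/sh
# ~/.ssh_autostart, a sturdier version of the script above.
# Added example for this article; not the original author's script.
# user@myserver.com, your_virtual_host.com and port 10000 are the
# article's placeholders; replace them with your own values.
#
# Prerequisite: ssh to $SSH_HOST must succeed without a prompt (key loaded
# in ssh-agent, or an unencrypted key), because at login there is no
# terminal to type a password into.

LOCAL_PORT=10000                        # port the browser connects to
REMOTE_TARGET=your_virtual_host.com:80  # resolved from the SSH server's side
SSH_HOST=user@myserver.com              # placeholder login
LOG="${HOME:-/tmp}/.ssh_autostart.log"
PIDFILE="${HOME:-/tmp}/.ssh_autostart.pid"

# Options that make the tunnel safe to start unattended:
#   BatchMode=yes            never wait for a password, fail fast instead
#   ExitOnForwardFailure=yes exit if 127.0.0.1:10000 cannot be bound
#   ServerAlive*             notice a dead connection within ~90 seconds
#   -L 127.0.0.1:...         listen on loopback only, never on the LAN
# -f is deliberately absent: ssh stays a child of this script so the
# loop below notices when it exits and restarts it.
tunnel_opts() {
    printf '%s %s %s\n' \
        '-N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3' \
        "-L 127.0.0.1:${LOCAL_PORT}:${REMOTE_TARGET}" \
        "$SSH_HOST"
}

# True if a supervisor started from this script is still alive.
# (A stale pid file whose pid has been reused would fool this check.)
already_running() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

cleanup() {
    rm -f "$PIDFILE"
    if [ -n "${ssh_pid:-}" ]; then
        kill "$ssh_pid" 2>/dev/null
    fi
}

start_tunnel() {
    if already_running; then
        echo "tunnel supervisor already running (pid $(cat "$PIDFILE"))" >&2
        return 1
    fi
    echo $$ >"$PIDFILE"
    trap cleanup EXIT
    trap 'exit 0' INT TERM          # "stop" sends TERM; EXIT then runs cleanup
    sleep 10                        # let the network and ssh-agent come up
    while :; do
        # shellcheck disable=SC2046  (tunnel_opts has no spaces inside any argument)
        ssh $(tunnel_opts) 2>>"$LOG" &
        ssh_pid=$!
        wait "$ssh_pid"             # returns when the tunnel dies
        status=$?
        echo "$(date): ssh exited with status $status, restarting in 30 s" >>"$LOG"
        sleep 30
    done
}

stop_tunnel() {
    if already_running; then
        kill "$(cat "$PIDFILE")"    # the TERM trap above also kills ssh
    else
        echo "no tunnel supervisor is running" >&2
        return 1
    fi
}

case "${1:-}" in
    start) start_tunnel ;;
    stop)  stop_tunnel ;;
    *)     echo "usage: $0 start|stop" >&2 ;;
esac
```

With this version the GNOME startup entry becomes /home/your_username/.ssh_autostart start, and ~/.ssh_autostart stop tears the tunnel down again. Because ssh is started without -f, the script itself stays running for the whole session; that is what lets it notice a dropped connection (ServerAliveInterval makes ssh exit instead of hanging) and bring the tunnel back.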

Another thing I did to make this even better is I created a bookmark in my bookmarks toolbar which points to http://your_virtual_host.com:10000 – that way I never have to worry about forgetting to type the port.

SSH Tunneling; encrypted surfing with Virtual Hosts

Whether you're the Secretary of Defense, or just an average Joe trying to survive with some peace of mind and security, encryption is a good thing. Have many virtual hosts on your unencrypted Apache server, but want encryption for whichever virtual host you specify? Here is the solution! Note, this is written for Linux clients – not Windows. You can tweak the instructions to work with Windows by using PuTTY and creating a tunnel that way.

First of all, here is the command to tunnel for Linux:

ssh -f -L 10000:your_virtual_host.com:80 user@myserver.com -N

Explanation of the above command:

  • ssh starts the ssh client
  • -f puts the ssh client in the background once authentication has finished (so it can still ask for your password or key passphrase first)
  • -L local_port:destination_host:destination_port makes ssh listen on local_port on your own machine (on the loopback address only, by default) and forward every connection it accepts through the encrypted session to myserver.com, which then connects on to destination_host:destination_port. Here port 10000 on your machine leads to your_virtual_host.com port 80, with the name resolved from myserver.com's point of view
  • -N tells ssh not to execute a command on the remote server once you are logged in to it; you only want the port forwarding

After you have started the tunnel using the command above, ssh keeps running in the background. Because -f detaches it from the terminal, closing the terminal window does not end it; the tunnel stays up until the connection drops or you kill that ssh process.

Next, you would open your web browser and go to the following address with the address bar:

http://your_virtual_host.com:10000

Going to that address fails? That's because your browser resolves your_virtual_host.com to the real server and tries port 10000 there, where nothing is listening. You need to add an entry for that site to your hosts file so the name points at your own machine, where ssh is listening:

Open the file:

sudo vi /etc/hosts

(If you were doing this in Windows, the file is at C:\Windows\System32\drivers\etc\hosts)

Add this line to it:

127.0.0.1 your_virtual_host.com

Now go to the address again and it should work:

http://your_virtual_host.com:10000

If you were to run a packet sniffing program such as Wireshark, you could monitor your network adapter (wlan0 or eth0, whichever one you are using) and see that everything going to myserver.com (the host you are tunneled into via ssh, and which you use to reach your_virtual_host.com) is encrypted! Now you can log into your unencrypted website without worrying that people can see your plaintext password going over the network. Be clear about what is covered, though: only the leg between your computer and myserver.com is encrypted. The hop from myserver.com to your_virtual_host.com:80 is still plain HTTP, which is fine in this setup only because the virtual host lives on that same server, so the request never crosses a network in the clear.

If you were to monitor your loopback interface (lo) then you would see all the clear text data – except it never leaves your computer unencrypted.

NOTE: Once you have added your_virtual_host.com to your /etc/hosts file, every program on your computer (not just the browser) will look for that domain on the local machine, which means you need to open the tunnel to access it. As a result, if you try to ssh into your_virtual_host.com you will see that the connection is refused (or, if you happen to run an sshd on your own machine, you will log into that instead of the server). The way around this is to ssh into a different domain for the same server (notice that the tunnel command logs into myserver.com instead of your_virtual_host.com).

Every host you add to the 127.0.0.1 line in the /etc/hosts file that is served by the same server will work on the same port (10000 or whatever port you specify – you can use any port you want that isn't taken by another program). This works because the -L destination is the same machine for all of them, and Apache chooses the virtual host from the Host header, which your browser fills in from the name you typed (the :10000 in the Host header is ignored for matching). So, if you have my_other_domain.com on the server and, in your web browser, you go to http://my_other_domain.com:10000 then it will work as well with the existing tunnel.
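Editing /etc/hosts by hand works, but once you have several virtual hosts it is easy to add a name twice or to delete a line you still needed. The following is an added example (mine, not part of the original article) that does the hosts-file step from above for any number of names at once, idempotently, and can take them out again. The domain names are the article's placeholders; the "# ssh-tunnel" marker and the HOSTS_FILE override are my own conventions.

```shell
#!/bin/sh
# hosts_tunnel.sh: manage the 127.0.0.1 entries the tunnel needs, without
# adding the same name twice or disturbing the rest of /etc/hosts.
# Added example for this article, not part of the original post.
# Domain names in the usage lines are the article's placeholders.
#
#   sudo ./hosts_tunnel.sh add your_virtual_host.com my_other_domain.com
#   sudo ./hosts_tunnel.sh remove your_virtual_host.com
#
# Every name added here reaches Apache through the tunnel on
# http://NAME:10000/; Apache picks the virtual host from the Host header,
# which the browser fills in from the URL (the port is ignored for matching).

HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}   # overridable, e.g. for a dry run
MARKER='# ssh-tunnel'                  # tags the lines this script owns

# True if NAME already resolves to 127.0.0.1 in HOSTS_FILE, whether we
# added it or it was there already. Comments are stripped before matching
# so a name that only appears in a comment does not count.
host_is_local() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit !found }
    ' "$HOSTS_FILE"
}

# Append one tagged line per name that is not already local.
add_local_hosts() {
    for name in "$@"; do
        if host_is_local "$name"; then
            echo "$name already points at 127.0.0.1, skipping" >&2
        else
            printf '127.0.0.1 %s %s\n' "$name" "$MARKER" >>"$HOSTS_FILE"
        fi
    done
}

# Remove only the lines this script wrote; hand-edited entries are kept.
# The file is rewritten through cat so its inode and permissions survive.
remove_local_hosts() {
    tmp="${HOSTS_FILE}.tmp.$$"
    for name in "$@"; do
        awk -v line="127.0.0.1 $name $MARKER" '$0 != line' "$HOSTS_FILE" >"$tmp" &&
            cat "$tmp" >"$HOSTS_FILE"
        rm -f "$tmp"
    done
}

case "${1:-}" in
    add)    shift; add_local_hosts "$@" ;;
    remove) shift; remove_local_hosts "$@" ;;
    *)      echo "usage: $0 add|remove NAME..." >&2 ;;
esac
```

Run it with sudo for the real /etc/hosts, or set HOSTS_FILE to a copy first to see what it would change. The remove subcommand matches the exact line the script wrote, so an entry you typed yourself for the same name is left alone; that is the reason for the marker comment.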

View the next article for setting your computer to automatically start the tunnel when you log in.

If this works for you or not, please comment below and let me know.