OneAndOneIs2

Wed, Apr 25, 2007

Secure web access through firewalls with Portable Apps

• Post categories: Omni, FOSS, Technology, Helpful

If you have to use Windows from various locations/computers, and are frustrated by firewalls or worried about who might be snooping on your browsing, this guide is for you.

This guide was written with Portable Apps in mind, and assumes that the remote machine you will be using is an always-on Linux PC. You can, however, use the non-portable versions of the software and adjust the instructions for other operating system combinations with very little difficulty.

To begin with, your home computer needs an SSH server. If you are connected to the web via a router, you can use SSH with its default configuration. If instead your PC is reachable directly from the web, edit the configuration file /etc/ssh/sshd_config and change the port number from 22 to 443.

If you have a router, configure it to forward all traffic arriving on its port 443 to your PC's port 22. On my router, the setting looks like this:

[Image]

(10.0.0.3 is my home PC's address on the LAN.)

The reason we move SSH off its default port is that some firewalls only allow web traffic through: they block connections to port 22. To get around this, we set SSH to listen on port 443 instead, the port normally used by secure web pages (the ones with https:// addresses and the locked-padlock icon). This simply gives us a better chance of being able to connect no matter where we are.

That should be pretty much all the configuration on your home PC. The only other thing you need to know is your home machine's public IP address. A static IP address helps here, but it isn't vital: just check the IP each time before you reconnect.
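One thing worth checking after the edit above is that the new port has actually taken effect: the stock sshd_config ships with the port line commented out as `#Port 22`, and a commented line leaves the default of 22 in force. The Python script below is an added example, not part of the original guide or of OpenSSH itself. It reads sshd_config text and reports the TCP ports the server will listen on, applying the rules from the sshd_config manual: several Port lines mean several listeners, a ListenAddress may carry its own port, and with no port given anywhere the default is 22. The sample configuration texts in it are constructed for illustration.

```python
"""Report which TCP ports an OpenSSH server will listen on, from sshd_config text.

Added example, not part of the original guide. Rules implemented (from
sshd_config(5)): '#' starts a comment; keyword and value are separated by
whitespace or a single '='; 'Port' may appear several times, one listener
each; 'ListenAddress' may carry its own port, otherwise it uses every Port;
with no port given at all the default is 22. Nothing after a 'Match' header
can change the listening port, so parsing stops there.
"""
from __future__ import annotations

import re

DEFAULT_SSH_PORT = 22


def _listen_address_port(value: str) -> int | None:
    """Extract the port from a ListenAddress value, or None if it has none."""
    addr = value.split()[0]  # drop an optional trailing 'rdomain ...' qualifier
    if addr.startswith("["):  # [IPv6]:port form
        rest = addr[addr.find("]") + 1:]
        return int(rest[1:]) if rest.startswith(":") else None
    if addr.count(":") == 1:  # host:port or IPv4:port
        return int(addr.rsplit(":", 1)[1])
    return None  # bare hostname/IPv4, or unbracketed IPv6 (many colons)


def effective_ports(config_text: str) -> list[int]:
    """Return the sorted set of ports sshd would bind for this configuration."""
    port_directives: list[int] = []
    listen_ports: set[int] = set()
    seen_listen = False
    listen_without_port = False

    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "port":
            port_directives.append(int(value))
        elif keyword == "listenaddress":
            seen_listen = True
            port = _listen_address_port(value)
            if port is None:
                listen_without_port = True
            else:
                listen_ports.add(port)

    ports = set(listen_ports)
    # Port directives apply when there is no ListenAddress at all, or when
    # some ListenAddress lacks an explicit port.
    if not seen_listen or listen_without_port:
        ports.update(port_directives or [DEFAULT_SSH_PORT])
    return sorted(ports)


# Constructed sample: an untouched stock file, Port still commented out.
STOCK_CONFIG = """\
# This is the sshd server system-wide configuration file.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
PermitRootLogin no
"""

# Constructed sample: the guide's edit, Port uncommented and set to 443.
GUIDE_CONFIG = """\
Port 443
#Port 22
PermitRootLogin no
"""

# Constructed sample: keep 22 on the LAN address, add 443 on all addresses.
DUAL_CONFIG = """\
Port 22
ListenAddress 10.0.0.3
ListenAddress 0.0.0.0:443
"""

if __name__ == "__main__":
    for name, text in [("stock", STOCK_CONFIG), ("guide", GUIDE_CONFIG),
                       ("dual", DUAL_CONFIG)]:
        print(f"{name:>6}: listens on {effective_ports(text)}")
```

Run it against your real file with `effective_ports(open("/etc/ssh/sshd_config").read())`; if the result still says `[22]` after the edit, the Port line is most likely still commented out.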

Now let's switch to a Windows PC and install our Portable Apps. Go to the Portable Apps web site and download the portable versions of Putty, plus Firefox, Thunderbird, Gaim and any other packages you may want. Install them onto your USB stick.

Now run putty.

[Image]

In the "Host name" field, put your home IP address, and change the port from 22 to 443:

[Image]

Now, in the Connection - SSH - Tunnels window, enter a port number such as 5678, check "Dynamic" and "Auto", then click "Add".

[Image]

You should see the port number, prefixed with a "D" (for dynamic), in the forwarded ports box:

[Image]

That's all. Go back to the Session window, enter a "Saved sessions" name and click "Save".

When run, this saved session gives you a secure tunnel home as long as you have a direct web connection. If you are behind a proxy server, however, you need to tell Putty about it.

Internet Explorer will usually be configured with the correct proxy settings, so look them up there: Tools - Internet Options - Connections - LAN Settings, and see what's in the "Proxy server" field. Copy these settings into Putty's Connection - Proxy window as an HTTP proxy. If a username and password are needed, enter those too. Then return to the Session window, enter a different name for the proxy-using settings, and click "Save" again.

Now double-click the appropriate saved session, and Putty will open an SSH connection to your home PC. It should look just like a normal shell, such as you'd see in any xterm window.

Now start up the portable Firefox. Tools - Options - Advanced - Network - Settings. Check the "Manual proxy configuration" radio button. Leave all fields blank, except for the "Socks host" entry. Set this to "localhost" and set the port to whatever you told Putty to use - in the above examples, 5678.

Click "OK" on everything, then in the Firefox address bar enter "about:config" and press Return.

In the "Filter" box, type network.proxy.socks, right-click the "network.proxy.socks_remote_dns" option, and select "Toggle" so that its value reads "True".

[Image]

Firefox should now be set up to use the tunnel created by Putty: if you have web access at this point, you have succeeded. The process for setting up Thunderbird is much the same, except that the "about:config" screen is reached through Tools - Options - Advanced - General - Config editor. Other than that, the same settings apply.
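The socks_remote_dns toggle is the one setting in this sequence that is easy to skip, and it matters for the privacy goal: without it, Firefox resolves every hostname through the local network's DNS before asking the SOCKS proxy for a connection, so the names of the sites you visit are still visible locally even though the page contents travel through the tunnel. The Python below is an added example, not code from the original post or from Putty or Firefox; it encodes SOCKS5 CONNECT requests (RFC 1928) both ways so the difference can be seen on the wire. The `FAKE_DNS` table and the `198.51.100.7` address in it are constructed.

```python
"""SOCKS5 CONNECT requests with and without remote DNS (RFC 1928).

Added example, not part of the original guide. With remote DNS the client
puts the hostname itself in the request (address type 0x03) and the far
end of the tunnel resolves it; without remote DNS the client resolves the
name locally first, which sends a plaintext DNS query onto the local
network, and then sends only the resulting IPv4 address (type 0x01).
"""
from __future__ import annotations

import socket
import struct
from typing import Callable

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04

# Method-selection greeting a client sends to localhost:5678 before any
# CONNECT: version 5, one method offered, 0x00 = no authentication.
GREETING = bytes([SOCKS_VERSION, 0x01, 0x00])

# Constructed resolver table, standing in for the local DNS server.
FAKE_DNS = {"example.com": "198.51.100.7"}


def build_connect(host: str, port: int, remote_dns: bool,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> bytes:
    """Encode a SOCKS5 CONNECT for host:port.

    remote_dns=True  -> the hostname travels inside the tunnel (ATYP 0x03).
    remote_dns=False -> the name is resolved here via `resolve` and only the
                        IPv4 address is sent (ATYP 0x01).
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolve(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(req: bytes) -> tuple[str, str, int]:
    """Decode a CONNECT request into (address_kind, address, port)."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        kind, address = "ipv4", socket.inet_ntoa(req[4:end])
    elif atyp == ATYP_DOMAIN:
        end = 5 + req[4]
        kind, address = "domain", req[5:end].decode("idna")
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        kind, address = "ipv6", socket.inet_ntop(socket.AF_INET6, req[4:end])
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(req) != end + 2:
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return kind, address, port


def leaks_dns_locally(req: bytes) -> bool:
    """True when the request carries an IP address, meaning the client
    resolved the name itself before the tunnel and a local sniffer could
    have seen the DNS lookup."""
    return parse_connect(req)[0] != "domain"


if __name__ == "__main__":
    for remote in (True, False):
        req = build_connect("example.com", 443, remote, resolve=FAKE_DNS.__getitem__)
        print(f"remote_dns={remote!s:5} -> {req.hex(' ')}")
        print(f"   decoded: {parse_connect(req)}, local DNS leak: {leaks_dns_locally(req)}")
```

The greeting and request bytes are exactly what a SOCKS5 client such as Firefox sends to Putty's dynamic-forward port; Putty then relays the CONNECT through the SSH connection, so with the domain-name form the lookup happens on the home PC.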

To make "Gaim" work, go into "Preferences". In the "Networking" tab, configure it to use a SOCKS5 proxy, with the usual localhost and port number settings.

[Image]

Gaim should now connect just fine.

Because all your web traffic now runs through the SSH connection, it is protected from local snooping: the actual web surfing is done by your home PC, and the results are sent back through the encrypted connection to the PC you're sitting at. Even the proxy server you reach the web through cannot see which sites you are visiting, or which ports those connections use, so long as the Putty connection is maintained.

8 comments

Comment from: sinn3r [Member] · http://sinn3r.org/
Very nice :)

Now I'll go and try it here on my local network. If it works, school is not secure any more :D
25/04/07 @ 18:31
Comment from: Alison [Visitor] · http://www.creativehedgehog.com
mwahahahah..

Nice tute, thanks. Now I need an always-on Linux box. Hmm.
26/04/07 @ 10:50
Comment from: oneandoneis2 [Member] · http://geekblog.oneandoneis2.org/
An always-on Mac would work just as well. OpenSSH runs on everything [Smiley]

It's dead handy being able to set up this SOCKS connection. Software like Thunderbird was completely useless to me before, now it's fully functional and ready-to-go whenever I have Putty running.

Firewalls are all very well when they stop the nasty people getting in, but when they stop the nice people getting out...
26/04/07 @ 14:48
Comment from: sinn3r [Member] · http://sinn3r.org/
I must say a second thing, hope you can forgive me :)

At school we have a proxy, and everyone's traffic gets logged by the server, you know, all the things like URLs, cookies; they even have software like Wireshark to see our chats (yeah, we are allowed to chat in free lessons :) )

But now, do they get a blank page, or what can they see in their logs?
Only the IP I use Putty to connect to?
Or can they see the traffic of the tunnel too?

I hope you can read my terrible school English; I was trying hard to explain myself clearly, hope I did ;)

Basti
26/04/07 @ 19:34
Comment from: oneandoneis2 [Member] · http://geekblog.oneandoneis2.org/
OK, I think I understand your question.

If you follow this guide, the only thing your proxy can see is that there is network traffic going between your school PC and your home PC. It cannot tell anything else - URLs, web pages, IM sessions, all of it goes through the encrypted SSH tunnel and is therefore hidden from them.

Now, that doesn't stop them from having monitoring software on your school PC that will allow them to see what you're doing, because they have that kind of access on those PCs. All this does is make it impossible for the proxy server, or anyone else between your PC and your home PC, to see what you're doing with the network. If the machine itself can't be trusted, there's nothing anybody can do to secure you.
26/04/07 @ 22:14
Comment from: sinn3r [Member] · http://sinn3r.org/
OK, thanks, that is the answer I was expecting.

BTW: the access log software is disabled for my user account on our school net; I simply deleted the link for my account (Win2000, they haven't blocked cmd.exe, bad mistake) ;)

But thanks again for the nice answer.
26/04/07 @ 22:57
Comment from: Wrath-BRIG- [Visitor] · http://dfbrigade.org
As a network admin and incident handler for the local college here in my city, it's nice to be able to read about the kind of things the kids try to get away with. Thanks for the thread. LOL!

On the other hand, using this technique (among others) helps me do my job more easily where our very own firewall would normally hinder me.

Again, great post and thanks. Putty rules! (when stuck working on a M$ Windoze box.)

-=w=-

"Do not go gently..."
28/07/07 @ 18:58
Comment from: Paul [Visitor]
One suggestion for an "always on" computer to surf through is to install the DD-WRT third-party firmware onto your LinkSys WRT router. This firmware includes SSH, so the router (which is a Linux box) becomes the computer that you surf through. No separate PC required. (PS: got that from the Feb 2008 Computer Power User magazine, page 62.)
12/02/08 @ 06:24
