Routing all traffic through SSH?

Discussion in 'privacy technology' started by ambros97, Apr 24, 2008.

Thread Status:
Not open for further replies.
  1. ambros97

    ambros97 Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    5
    Hi all,

    First, my situation for those who like to read. If that's too long and boring, skip a few lines to the SKIP HERE tag:

    I am in a slightly awkward situation in that I live on a remote site (also where I work), and have no other option than to use my employers internet connectivity to surf the web and do my private email.

    It has recently come to my attention that certain individuals in my employers IT department are sniffing traffic. Needless to say, that is unacceptable (and not officially endorsed either, but they still do it).

    I also own a (windows 2003) server in another country, I have since installed cygwin on there and am using an SSH tunnel for all my web surfing. However, that is a bit annoying because I need to start the connection first before I do anything, and it's too complicated for my wife to do. I was therefore looking into a number of options:

    SKIP HERE:
    VPN does not solve my problem because I don't have the ability to setup the remote server as a VPN server (lack of IP pool availability, my employer does not permit outgoing PPTP connections).

    What I am thus looking for is a network router that routes all traffic from all my machines on my side of the network through an SSH tunnel to my server abroad, sort of a "NAT over SSH" feature. Does any such thing exist?

    Any input greatly appreciated.

    Cheers

    - Jack
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yes. There is a ton of options.

    First off you want PuTTY for your ssh client, and you'll need to be running SSH service on your cygwin machine, or run PuTTY on the server native OS with a listening port and forwarding.

    Another option is OpenVPN client and server, which uses a TLS connection on any port you like. As far as your employer will know, you're surfing the web.

    Do you have remote access to your server machine?

    And of course, if you don't want to bother with setting it all up yourself, there are some other options. You can use the Tor network to connect remotely, or you could use another commercial service that runs SSH or OpenVPN.
     
  3. ambros97

    ambros97 Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    5
    Hi,

    I have full access to my remote server (Terminal Server with admin privileges).

    Please note I need a solution I can install on a routing computer so my entire network (my wife has three computers, I have two...) gets routed through that server abroad. I'm about to set up an old computer of mine for that purpose.

    The present solution of having to start a local port redirection on every client I am about to use is not good.

    Thanks for your help!

    - Jack
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Help me understand the topology you are going to work with.

    You have work computer, home computer(s), and a remote computer that will act as the exit proxy, and you want your work and home computers to use the remote computer for all exit traffic to the internet? Or do you want to use the remote computer as an intermediary for the work computer to reach the home computer and vice versa?
     
  5. ambros97

    ambros97 Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    5
    This is the situation:

    Home --> giant work network, firewalls and things --> internet

    What I am doing now is:

    Home, with ssh port forwarding --> ssh tunnel through work network --> internet --> my internet server, with apache proxy, endpoint of HTTP ssh tunnel.

    What I want to do:

    Home, any and all IP traffic --> router with permanently installed SSH connection to my internet server --> internet

    I can't use VPN because I don't have a pool of addresses available at the endpoint. So the way I see it, I need some sort of "NAT over SSH" functionality. Doable?

    Cheers

    - Jack
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Ambros, what does having a pool of IP addresses have to do with keeping your employer from spying on you? You only need 1 external IP address for the VPN, the VPN can internally negotiate a virtually unlimited number of IP addresses.

    I would suggest an OpenVPN Server on the Windows 2003 server. And use the xB VPN / OpenVPN GUI software to make it super easy to access. All you will need to do is setup OpenVPN server to listen on the Windows 2003 server for you, and gateway from there.

    It's so easy to use, all you have to do is put it in your startup folder and it will run automatically, creating a TLS connection tot he Windows 2003 server for you, and then going out to the internet and back to you. And your wife can be connected to the machine too.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    What you are asking for is a technical solution for a political problem - which is guaranteed to cause problems in the long term.

    Essentially, if you are using your employer's network for whatever reason, it is subject to your employer's rules. Yes, you can set up an encrypted tunnel to a remote server, but the network admins will see this (if they are halfway competent) and you could face disciplinary action (or even dismissal) as a result.

    If someone at work is spying on your traffic without authorisation, then report them to your manager or your security personnel and don't use the office network for any private purposes. If you can't get connected to a commercial ISP (the only case I can see this applying is if you live in company-owned premises) then look at mobile/wireless access (obviously, this depends on which country you live in, but in Europe at least, 3G networks can provide good connectivity for low-traffic network use).
     
  8. JohnSmith5d75

    JohnSmith5d75 Registered Member

    Joined:
    Apr 13, 2008
    Posts:
    7
    Hello Jack, you could run OpenVPN like XeroBank mentioned, and use "Internet Connection Sharing" to forward traffic from the TAP adapter out to the internet without needed an additional IP address.

    I think you could probably do the same with a virtual machine running OpenVPN or even SSH 4.3+ with tun support, but you would have to forward the VPN/SSH port from the host to the virtual machine.

    Also, instead of just using an SSH connection on each computer, like you said is too complicated, just run the one gateway machine like you indicated with the SSH tunnel always active. This would forward a SOCKSv5 proxy on the remote computer to the gateway securely. All of your applications you care about would need to be configured to use SOCKS, but surely that is easier than SSH setup each time.

    I think Paranoid2000 may be a bit paranoid. Your work might say that "all traffic is monitored" and may peek at things, but did they require that "All traffic must be plaintext so it can be monitored"? Let them watch all of your encrypted traffic to their hearts content!
     
  9. ambros97

    ambros97 Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    5
    Paranoid 2000: It's slightly more complex than that. Yes, we live in company owned premises, and yes, we have the OK to use their network for private purposes. However, when private data crosses the network, we all know who the people are that monitor it. Management will not do anything about it, word of mouth will dothe rest...

    We live as remote as an antarctic outpost, there is no wireless internet here...

    Cheers

    - Jack
     
  10. ambros97

    ambros97 Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    5
    Thanks for that suggestion. I didn't know OpenVPN could NAT out into the internet. I was under the impression it would need to assign external (public) IP's to each client that connects.

    I will try OpenVPN then.

    Cheers

    - Jack
     
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I have XB VPN on a USB stick. I tried it at the local University library just out of curiosity and it seemed to work just fine. I just clicked on it and told it to connect and that was it. I don't understand all of the technical jargon that you guys are talking about, so maybe I am missing something, but it took me about 10 seconds and I assumed that I had a private connection. Is this correct?
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    When you're using a company's network, it is far better to check on exactly what is allowed first than to risk disciplinary, or even legal, action for breaching an acceptable use policy. When companies themselves can face legal action over allowing "objectionable" traffic (e.g. pornographic emails) on their network, it makes sense for network administrators (and personnel departments) to pay extra care to unusual volumes of encrypted traffic.
    Then this becomes a legal matter involving your privacy rights. This will depend on which country you live/work in so consulting a lawyer would be a sensible step, but if the company is permitting private use, then they need to take steps to ensure that privacy is respected (ideally by segregating their network into private and business VLANs). This does involve extra work (which is probably why allowing private use "informally" has been their policy so far) but if done properly, it can help protect them from legal liability for employee's private activities.

    The risk you take in simply encrypting your traffic is that your company may view this as a threat (e.g. if your PC was hijacked and used to attack others, they would have no way of detecting or stopping it) and choose to make an example of your case. You'll have to decide how likely this is to happen and whether the possible consequences are worth it.
     
Loading...
Thread Status:
Not open for further replies.