
Setting up an SSH Tunnel

SSH tunnels can be used to get around a firewall, encrypt data, and bypass common filters. They can also give you access to your internal network when you are outside of it. In this tutorial we are going to set up a tunnel between a Windows XP machine and a FreeBSD box. The XP machine will be the remote computer and will connect using SSH Tunnel to access tinyproxy on the FreeBSD box with a web browser.

Enabling the SSH Daemon

If you enabled SSH when you installed FreeBSD, you are already on your way to getting one set up. If you aren't able to SSH to your machine, make sure that it is enabled in rc.conf:

sshd_enable="YES"

You can start it with

# sh /etc/rc.d/sshd start

To check that SSH is running you can attempt to SSH into your own machine.

# ssh localhost

If you are asked to accept the key or are asked for a password, then it's working.

Installing Tinyproxy

Tinyproxy can be installed from the ports. The current version at the time of writing was 1.7.0.

# cd /usr/ports/www/tinyproxy
# make install distclean

Once the install completes you will need to rename the config file and edit it.

# ee /usr/local/etc/tinyproxy.conf

It's a good idea to change the port to something other than 8888. In this tutorial we will use 6000 for the tinyproxy port. The rest of the settings will work as they are: 127.0.0.1 is allowed access by default, and since we will be tunneling to this machine, that's the only one we need.

It may also be a good idea to change the log path to something besides /var/logs/tinyproxy.log if you have a small /var partition. The log contains a list of all URLs you access through the proxy, and this can easily fill up your partition if you use it daily. You may also want to make sure that this data is protected if there are other users on the machine.

Starting Tinyproxy

Before you can start tinyproxy you need to add the following to your /etc/rc.conf file:

tinyproxy_enable="YES"

Then start it using its startup script:

# sh /usr/local/etc/rc.d/tinyproxy start
Starting tinyproxy.

Installing SSH Tunnel

SSH Tunnel is actually the name of the program we will be using for our SSH tunnel. You can download SSH Tunnel here.

Choose Config from the Edit menu and enter the tunnel information. Fill it out similar to the following with your own information.

[Screenshot: config]

The tunnel creates a port on the Windows machine that comes out on the FreeBSD machine. This is why the listen port is your localhost. On the other end you give the internal IP of the BSD box and the port you set tinyproxy to.

Once you save the tunnel it will appear on the drop-down menu from the home screen. Choose it and hit connect.

[Screenshot: SSH Tunnel]

If you are able to connect successfully, the light will turn green. If you are not able to connect, try connecting with a different SSH client to make sure that you are able to connect at all. If the FreeBSD machine is behind a firewall or router, you will need to forward port 22.

Testing the Tunnel

Open a command window in XP (Run and then cmd) and type the following:

telnet localhost 1050

1050 is the port we used above in the tunnel settings; if you chose a different port, use that. If you get an error that you are unable to connect, then either the tunnel settings or the tinyproxy config is incorrect. Otherwise you are ready to start using the tunnel.

Configuring the Browser

In Firefox go to Tools > Options and then choose connection settings from the general tab. Select manual proxy configuration and enter localhost for the host and 1050 for the port. This sends all browser traffic through the tunnel and tinyproxy on the other end.

[Screenshot: mozilla settings]

Point your browser to http://www.freebsdmadeeasy.com/checkip.php to see your IP address. If everything is set up correctly you will see the IP of the FreeBSD machine.

Tunneling Other Traffic

By default, tinyproxy limits what can go through to web traffic on ports 80 and 443. If you would like to tunnel other traffic, such as your instant messengers, you will either need to add those ports to the tinyproxy.conf file or comment out the following lines:

#ConnectPort 443
#ConnectPort 563

Once they are commented out and you restart tinyproxy everything will be allowed through the proxy. This is a risk, so if you don't need this option just stick to the defaults or allow the ports individually.
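The check below is an added example, not part of the original tutorial or of tinyproxy itself: it reviews a tinyproxy.conf for the three settings this page changes (Port, Allow, ConnectPort) and reports where the file is looser than the setup described above. The sample configs and finding labels are constructed, and matching directive names case-insensitively is an assumption.

```python
"""Added example: review a tinyproxy.conf for the settings this tutorial changes."""
import sys

WEB_CONNECT_PORTS = {"443", "563"}  # the ConnectPort lines shown in the tutorial

# Constructed sample configs (not taken from a real host).
TUTORIAL_CONF = """\
Port 6000
Allow 127.0.0.1
ConnectPort 443
ConnectPort 563
"""
LOOSENED_CONF = """\
Port 8888
Allow 127.0.0.1
Allow 192.168.0.0/16
#ConnectPort 443
#ConnectPort 563
"""

def directives(conf_text):
    """Yield (name, value) for each active line; lines starting with '#' are comments."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            # Assumption: directive names are treated case-insensitively.
            yield parts[0].lower(), parts[1].strip().strip('"')

def audit(conf_text):
    """Return findings as strings; an empty list means nothing to review."""
    found = list(directives(conf_text))
    values = lambda key: [v for n, v in found if n == key]
    findings = []
    if "8888" in values("port"):
        findings.append("port-default: still on 8888")
    if not values("allow"):
        findings.append("allow-missing: clients are not limited to 127.0.0.1")
    findings += [f"allow-wide: {v}" for v in values("allow") if v != "127.0.0.1"]
    if not values("connectport"):
        findings.append("connect-any: CONNECT is allowed to every port")
    findings += [f"connect-extra: {p}" for p in values("connectport")
                 if p not in WEB_CONNECT_PORTS]
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LOOSENED_CONF
    for finding in audit(text) or ["ok: matches the tutorial's restrictive setup"]:
        print(finding)
```

Run it with the path to your own tinyproxy.conf as the only argument; with no argument it audits the constructed loosened sample.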

Using PuTTY instead of SSH Tunnel

If you do not have admin rights on your machine you can use PuTTY instead to set up the tunnel.