SSH Tunnel from my laptop to my house

Discussion in 'Mac Apps and Mac App Store' started by don't do it, Feb 15, 2010.

  1. don't do it macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #1
    Hey everyone, I know this is on here in different places, but none of these guides on the interwebz have really worked for me. I was hoping that someone on here could tell me how to get an SSH tunnel from my boarding school to my home computer? My mail and other password-protected things aren't as safe as I'd like them to be, since most of the people at my school are educated hackers. Any help or links to guides that have worked for you would be appreciated. Thanks in advance.
     
  2. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #2
    Are you getting stuck at any particular point?

    If your school is using a web proxy, and blocking all other ports, you may be out of luck from the start.
     
  3. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #3
    I know they have a block on the internet, but I don't believe they block the ports. Transmission (BitTorrent client) and LogMeIn both work fine.
     
  4. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #4
    Cool.

    Are your school computer and your home computer both Macs, and do you remember if you had any problems setting up port-forwarding on your home router?
     
  5. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #5
    I can set up port forwarding just fine. I just can't seem to get them to find each other or connect.
     
  6. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #6
    If you're at school right now, you can do a real basic connectivity test.

    Open up the terminal, type "telnet XXX.XXX.XXX.XXX YY", where XXX is the IP address of your cable modem (whatever) at home, and YY is the port number you setup to forward SSH over to your Mac.

    You should be able to tell if that connects or not. If it does, then it should be pretty easy to get the SSH tunnel thing working.

    If not, then there's some more troubleshooting to do, but you'd probably need to be at home to do it.
     
  7. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #7
    Well, right now I'm at home, so I can set up the ports. (I took them down because I couldn't get it to work.) But I also forgot to mention that both are Mac computers for the moment. I have a Windows laptop that isn't being used, so I may switch to that later.
     
  8. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #8
    Cool that you're home, much easier to troubleshoot. :)

    So from the "home Mac", try running that basic connectivity test. If the router and everything are working, you should still be able to connect to yourself, via the Internet.
     
  9. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #9
    Do I need to be on a different network? Because I can go through my iPhone's connection.
     
  10. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #10
    I'm able to do it all on the same network, which is probably easier for testing, but yeah, the ultimate test will be getting it to work from two separate ones.

    So if you have both Macs there, I guess go to the one that you'll take to school, open up a terminal, and try to see if you can use telnet example above. If it works, it verifies that your router is forwarding the port properly, and your home Mac is listening on that port. If not, figure that out, then work on the ssh command line. :)
     
  11. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #11
    Computer:~ user$ telnet XXX.XXX.XXX.XXX 22
    Trying XXX.XXX.XXX.XXX...
    telnet: connect to address XXX.XXX.XXX.XXX: Connection refused
    telnet: Unable to connect to remote host
    Computer:~ user$

    Was the IP address supposed to be my external IP or the local computer's IP?
     
  12. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #12
    As long as you're port-forwarding 22 externally, either internal or external IP addresses should have worked.

    Take the port-forwarding out of the equation, ... does it work with the internal IP?

    If I do it internally from my MBP to my AppleTV, it looks like this:

    Computer:~ user$ telnet 192.168.1.10 22
    Trying 192.168.27.10...
    Connected to 192.168.27.10.
    Escape character is '^]'.
    SSH-2.0-dropbear_0.51
     
  13. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #13
    Computer:~ user$ telnet 192.168.1.94 22
    Trying 192.168.1.94...
    Connected to Computer-2.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.2
    Connection closed by foreign host.
    Computer:~ user$

    I'm assuming that this is success?
     
  14. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #14
    Yup! :)

    Now the trick is to make that happen via your external IP address!

    On your router's port-forwarding, are you forwarding external TCP port 22 to TCP port 22 internally? And if so, is the internal IP address that you forward it to the same as your home Mac?
     
  15. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #15
    OK, so I tried it in my LAN and had no luck, same as before. But just to check, I tried from my iPhone's terminal and it connected. Then I tried through my iPhone's internet sharing and it connected as well.

    Computer:~ user$ telnet XXX.XXX.XXX.XXX 22
    Trying XXX.XXX.XXX.XXX...
    Connected to asdl-xx-xx-xxx.i.s.p.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.2
    Connection closed by foreign host.
    Computer:~ user$
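The telnet test that the last several posts walk through, automated as an added example (this script is not from the thread and is not any poster's code; the host and port are whatever you would have typed after "telnet"). It connects, waits for the version banner that sshd sends before the client says anything, and maps the result onto the outcomes seen above: "Connection refused" when the router is not forwarding or nothing is listening, a hang when something drops the packets, and an "SSH-2.0-..." line meaning the forward reaches sshd. It also reports the case telnet makes easy to misread, where the port connects but the first line is not an SSH banner, which means the forward points at the wrong machine or service.

```python
"""ssh_probe.py: the telnet connectivity test from this thread, automated.

Added example (not any poster's code). Usage, ideally from outside your own LAN:

    python3 ssh_probe.py 203.0.113.10 22      # your external IP, forwarded port
    python3 ssh_probe.py 192.168.1.94 22      # or the Mac's LAN IP, from inside
"""
import socket
import sys

def parse_banner(line):
    """Split an SSH version string (RFC 4253 section 4.2), e.g.
    b'SSH-2.0-OpenSSH_5.2 Debian-1' -> ('2.0', 'OpenSSH_5.2').
    Returns None if the line is not an SSH banner at all."""
    if not line.startswith(b"SSH-"):
        return None
    ident = line[4:].split(b" ", 1)[0]          # drop the optional comment
    parts = ident.split(b"-", 1)               # protoversion-softwareversion
    if len(parts) != 2 or not parts[0]:
        return None
    return (parts[0].decode("ascii", "replace"),
            parts[1].decode("ascii", "replace"))

def probe_ssh(host, port, timeout=5.0):
    """Connect and read the first line the server sends.

    sshd talks first (it sends its banner before the client does anything),
    which is why telnet shows 'SSH-2.0-OpenSSH_5.2' in the posts above.
    Returns (state, detail):
      ('ssh', (proto, software))  forward works, sshd answered
      ('not-ssh', first_line)     TCP connected, but to something other than sshd
      ('no-banner', None)         TCP connected, nothing sent before timeout/close
      ('refused', None)           RST came back: not forwarded, or sshd not running
      ('timeout', None)           no answer at all: dropped by a firewall, or wrong IP
      ('error', message)          DNS failure, no route, etc.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", None
    except (socket.timeout, TimeoutError):
        return "timeout", None
    except OSError as exc:
        return "error", str(exc)

    data = b""
    with sock:
        sock.settimeout(timeout)
        try:
            # One line, CRLF terminated; cap the read so a chatty
            # non-SSH service cannot make us buffer forever.
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(255 - len(data))
                if not chunk:          # peer closed
                    break
                data += chunk
        except (socket.timeout, TimeoutError):
            pass

    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not line:
        return "no-banner", None
    banner = parse_banner(line)
    if banner is None:
        return "not-ssh", line.decode("latin-1", "replace")
    return "ssh", banner

ADVICE = {
    "ssh":       "Good: the port reaches sshd. Next step is the real ssh command.",
    "not-ssh":   "Something answered, but it is not sshd: check which internal IP "
                 "and port the router forwards to.",
    "no-banner": "Connected but silent: the forward probably lands on the wrong "
                 "service.",
    "refused":   "Actively refused: the router is not forwarding this port, or "
                 "Remote Login (sshd) is off on the Mac. From inside your own LAN "
                 "this can also just be the router not hairpinning; retest from outside.",
    "timeout":   "No reply at all: wrong external IP, or a firewall (school, ISP, "
                 "or router) is dropping the packets.",
    "error":     "Could not even attempt the connection; see the message.",
}

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    state, detail = probe_ssh(host, port)
    print("%s:%d -> %s %s" % (host, port, state, detail if detail else ""))
    print(ADVICE[state])
```

As the posts above show, a refused result when using the external IP from inside your own LAN does not by itself mean the forward is broken: many home routers do not hairpin, so repeat the test from a different network (the iPhone's) before changing anything on the router.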
     
  16. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #16
    Ah, crap, I forgot that some routers don't allow you to go from internally to external and then back in again. :eek:

    OK, since you've verified the connectivity, I guess the next step is to try to ssh from the school Mac over the iPhone network into your home Mac?

    Try "ssh username@yourexternalip -D 9999" from the school Mac, connected to the iPhone network.

    You should get a login prompt. Enter your password, press Enter, and you should get a terminal session on your home Mac. Type 'hostname' to make sure you're really on your remote Mac?

    If that works, the -D 9999 part should have set up a SOCKS proxy that you can configure your Mac to use.
     
  17. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #17
    Well, I can't do that right now; I have my Mac at school with me right now. So I'll try that when I get back. Could you tell me what else I should do when I get there?
     
  18. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #18
    OK, so if you're at school, that SSH command in the post above should hopefully connect you.

    The -D 9999 part sets up a SOCKS proxy on your school Mac (or whatever computer you initiated the connection on). You can then configure individual programs on that computer to use the SOCKS proxy, or you can go into System Preferences and set it so your entire Mac uses it. Personally, I use Firefox and the Quickproxy add-on to quickly be able to toggle Firefox from using the proxy or not.

    If your school doesn't allow port 22 to go out their firewall, you might want to think about port forwarding a different port on your router. I have my router set so that external port 443 is forwarded to internal port 22. It's been my experience that few places block port 443 outgoing.

    Your iPhone terminal probably has SSH on it. If you want to try to SSH from it, just to test, try the ssh command minus the -D 9999 part.
     
  19. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #19
    OK, sorry, I wasn't paying enough attention. So I performed the "ssh username@yourexternalip -D 9999" and I entered my password.

    I have used port 22 for Transmission before and it says that it's open, so I'll assume it will go through. How would I set up the proxy in System Preferences?
     
  20. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #20
    System Preferences > Network > (the active network) > Advanced > Proxies

    Enable "SOCKS Proxy"
    For the SOCKS Proxy Server, it's 127.0.0.1 and the next box is 9999
    (no password required)

    You'll have to undo that config when the tunnel isn't running (and you want to use the school network).
     
  21. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #21
    OK, though why is it 127.0.0.1, and how can I add a password?
     
  22. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #22
    127.0.0.1 is the loopback address, a way for a computer to refer to itself.

    On your school Mac, when you ssh w/ the -D 9999, ssh on your school Mac is acting as the SOCKS proxy.

    It's essentially watching port 9999 on your school Mac, and taking any traffic that comes in on 9999, and sends it to the other end of the tunnel (your home Mac).

    So in System Preferences, when you type 127.0.0.1, you're telling your school Mac to take outgoing web traffic and send it to itself, on port 9999. The SSH program then takes it and sends it to your home Mac, where it goes out to the Internet.

    Not sure about the password.
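Posts #16 through #22 put together as one script, as an added example that is not from the thread or any poster (alice@home.example.net, the "Wi-Fi" service name and ports 443 and 9999 are placeholders to replace with your own). It starts ssh with -D bound to loopback plus a few options the thread leaves implicit, confirms that the local port really answers a SOCKS5 greeting before touching any settings, flips the same SOCKS switch that post #20 sets by hand (through networksetup), and turns it back off when ssh exits, which is the step post #20 warns you have to remember.

```python
"""socks_tunnel.py: open 'ssh -D' to the home Mac, check that the local port
really speaks SOCKS5, then set and later clear the macOS SOCKS proxy.

Added example, not from the thread; names and ports are placeholders.

    python3 socks_tunnel.py alice@home.example.net --ssh-port 443 --socks-port 9999
"""
import argparse
import socket
import subprocess
import sys
import time

SOCKS_HOST = "127.0.0.1"   # loopback: only this Mac can reach the listener

def build_ssh_argv(target, ssh_port=22, socks_port=9999):
    """The ssh command line from post #16 plus the options it leaves implicit."""
    return [
        "ssh",
        "-N",                                  # no remote shell, forwarding only
        "-C",                                  # compress: helps on a slow uplink
        "-p", str(ssh_port),                   # e.g. 443 forwarded to 22 at home
        "-D", "%s:%d" % (SOCKS_HOST, socks_port),  # explicit loopback bind
        "-o", "ExitOnForwardFailure=yes",      # fail loudly if the port is taken
        "-o", "ServerAliveInterval=30",        # detect a dead link instead of hanging
        "-o", "ServerAliveCountMax=3",
        # Refuse an unknown host key. A MITM on the school LAN can only sit in
        # the middle of this tunnel if you accept a key you have not verified,
        # so record the home Mac's key in known_hosts before leaving home.
        "-o", "StrictHostKeyChecking=yes",
        target,
    ]

def socks5_ready(host, port, timeout=2.0):
    """True if host:port completes a SOCKS5 greeting with 'no authentication'.

    That is all ssh's -D listener offers (it has no password option), which
    answers the question in posts #21/#22: access control is the loopback bind
    plus the SSH login itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\x05\x01\x00")   # VER=5, NMETHODS=1, METHOD=0 (no auth)
            reply = s.recv(2)
    except OSError:                       # refused, timed out, reset, ...
        return False
    return reply == b"\x05\x00"           # VER=5, METHOD=0 chosen

def wait_for_socks(host, port, deadline=30.0):
    """ssh binds the -D port only after you have authenticated, so poll."""
    end = time.monotonic() + deadline
    while time.monotonic() < end:
        if socks5_ready(host, port):
            return True
        time.sleep(0.5)
    return False

def set_mac_proxy(service, socks_port, state):
    """Same switch as System Preferences > Network > Advanced > Proxies > SOCKS."""
    subprocess.check_call(["networksetup", "-setsocksfirewallproxy",
                           service, SOCKS_HOST, str(socks_port)])
    subprocess.check_call(["networksetup", "-setsocksfirewallproxystate",
                           service, state])

def main(argv):
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("target", help="user@home-external-ip")
    ap.add_argument("--ssh-port", type=int, default=22)
    ap.add_argument("--socks-port", type=int, default=9999)
    ap.add_argument("--service", default="Wi-Fi",
                    help="name from 'networksetup -listallnetworkservices'")
    args = ap.parse_args(argv)

    ssh = subprocess.Popen(build_ssh_argv(args.target, args.ssh_port, args.socks_port))
    proxied = False
    try:
        if not wait_for_socks(SOCKS_HOST, args.socks_port):
            print("tunnel never came up; see ssh's messages above", file=sys.stderr)
            return 1
        set_mac_proxy(args.service, args.socks_port, "on")
        proxied = True
        print("SOCKS proxy on %s:%d, Ctrl-C to stop" % (SOCKS_HOST, args.socks_port))
        return ssh.wait()
    except KeyboardInterrupt:
        return 0
    finally:
        # Always undo the proxy setting (post #20's warning), or the Mac is
        # left pointing at a port nothing listens on.
        if proxied:
            set_mac_proxy(args.service, args.socks_port, "off")
        if ssh.poll() is None:
            ssh.terminate()

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the password question in posts #21 and #22: OpenSSH's -D listener speaks SOCKS4/5 with only the "no authentication" method, so there is nothing to put in that box; what keeps strangers out is that the listener is bound to 127.0.0.1 (nobody else on the school LAN can reach it) and the SSH login itself, which is better done with a key than a password. Two things the system-wide setting does not cover: applications that resolve names locally still send their DNS lookups to the school's resolver (Firefox has network.proxy.socks_remote_dns for this), and any program that ignores the system proxy goes out in the clear exactly as before.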
     
  23. don't do it thread starter macrumors regular

    Joined:
    Apr 18, 2008
    Location:
    somewhere on the Earth
    #23
    OK, I'll Google the password thing later. Thank you very much for the help.
     
  24. TXbug macrumors member


    Joined:
    Aug 24, 2009
    Location:
    Austin, Texas
    #24
    I use tinyproxy on my server at home. It is available free here tinyproxy download and install.

    I have a shell script that I execute every time I want to use the proxy to get out of restricted locations. I also use FoxyProxy, a plugin for Firefox. It allows you to configure, very easily, which sites not to use the proxy for.

    On my laptop I set up a shell script that looks like this -

    #!/bin/sh
    # Tunnel to the home server on its non-standard SSH port, and bring the
    # tinyproxy listener there (127.0.0.1:8118) to localhost:8080 on this laptop.
    user_id=your-username
    ip_address=xxx.xxx.xxx.xxx
    ssh_port=nnnn
    #
    ssh -C -L 8080:127.0.0.1:8118 -l "$user_id" -p "$ssh_port" "$ip_address"

    Give it a name and chmod 755 that file name.

    Occasionally my IP address will change because of the ISP; that is why I save it to a file and edit it when necessary. I don't use port 22 because of all the foreign traffic that constantly tries to break in through brute force. I change the SSH port on my home router to some odd-ball number and forward that to port 22 on the router for the server's internal IP address, which is static.

    The /etc/tinyproxy/tinyproxy.conf looks like this
    Code:
    ##
    ## tinyproxy.conf -- tinyproxy daemon configuration file
    ##
    
    #
    # Name of the user the tinyproxy daemon should switch to after the port
    # has been bound.
    #
    User nobody
    Group nogroup
    
    #
    # Port to listen on.
    #
    Port 8118
    
    #
    # If you have multiple interfaces this allows you to bind to only one. If
    # this is commented out, tinyproxy will bind to all interfaces present.
    #
    Listen 127.0.0.1  
    
    #
    # The Bind directive allows you to bind the outgoing connections to a
    # particular IP address.
    #
    #Bind 192.168.0.1
    
    #
    # Timeout: The number of seconds of inactivity a connection is allowed to
    # have before it closed by tinyproxy.
    #
    Timeout 1800
    
    #
    # ErrorFile: Defines the HTML file to send when a given HTTP error
    # occurs.  You will probably need to customize the location to your
    # particular install.  The usual locations to check are:
    #   /usr/local/share/tinyproxy
    #   /usr/share/tinyproxy
    #   /etc/tinyproxy
    #
    # ErrorFile 404 "/usr/share/tinyproxy/404.html"
    # ErrorFile 400 "/usr/share/tinyproxy/400.html"
    # ErrorFile 503 "/usr/share/tinyproxy/503.html"
    # ErrorFile 403 "/usr/share/tinyproxy/403.html"
    # ErrorFile 408 "/usr/share/tinyproxy/408.html"
    
    # 
    # DefaultErrorFile: The HTML file that gets sent if there is no
    # HTML file defined with an ErrorFile keyword for the HTTP error
    # that has occured.
    #
    DefaultErrorFile "/usr/share/tinyproxy/default.html"
    
    #
    # StatFile: The HTML file that gets sent when a request is made
    # for the stathost.  If this file doesn't exist a basic page is
    # hardcoded in tinyproxy.
    #
    StatFile "/usr/share/tinyproxy/stats.html"
    
    #
    # Where to log the information. Either LogFile or Syslog should be set,
    # but not both.
    #
    Logfile "/var/log/tinyproxy.log"
    # Syslog On
    
    #
    # Set the logging level. Allowed settings are:
    #	Critical	(least verbose)
    #	Error
    #	Warning
    #	Notice
    #	Connect		(to log connections without Info's noise)
    #	Info		(most verbose)
    # The LogLevel logs from the set level and above. For example, if the LogLevel
    # was set to Warning, than all log messages from Warning to Critical would be
    # output, but Notice and below would be suppressed.
    #
    LogLevel Warning
    
    #
    # PidFile: Write the PID of the main tinyproxy thread to this file so it
    # can be used for signalling purposes.
    #
    PidFile "/var/run/tinyproxy.pid"
    
    #
    # Include the X-Tinyproxy header, which has the client's IP address when
    # connecting to the sites listed.
    #
    #XTinyproxy mydomain.com
    
    #
    # Turns on upstream proxy support.
    #
    # The upstream rules allow you to selectively route upstream connections
    # based on the host/domain of the site being accessed.
    #
    # For example:
    #  # connection to test domain goes through testproxy
    #  upstream testproxy:8008 ".test.domain.invalid"
    #  upstream testproxy:8008 ".our_testbed.example.com"
    #  upstream testproxy:8008 "192.168.128.0/255.255.254.0"
    #
    #  # no upstream proxy for internal websites and unqualified hosts
    #  no upstream ".internal.example.com"
    #  no upstream "www.example.com"
    #  no upstream "10.0.0.0/8"
    #  no upstream "192.168.0.0/255.255.254.0"
    #  no upstream "."
    #
    #  # connection to these boxes go through their DMZ firewalls
    #  upstream cust1_firewall:8008 "testbed_for_cust1"
    #  upstream cust2_firewall:8008 "testbed_for_cust2"
    #
    #  # default upstream is internet firewall
    #  upstream firewall.internal.example.com:80
    #
    # The LAST matching rule wins the route decision.  As you can see, you
    # can use a host, or a domain:
    #  name     matches host exactly
    #  .name    matches any host in domain "name"
    #  .        matches any host with no domain (in 'empty' domain)
    #  IP/bits  matches network/mask
    #  IP/mask  matches network/mask
    #
    #Upstream some.remote.proxy:port
    
    #
    # This is the absolute highest number of threads which will be created. In
    # other words, only MaxClients number of clients can be connected at the
    # same time.
    #
    MaxClients 100
    
    #
    # These settings set the upper and lower limit for the number of
    # spare servers which should be available. If the number of spare servers
    # falls below MinSpareServers then new ones will be created. If the number
    # of servers exceeds MaxSpareServers then the extras will be killed off.
    #
    MinSpareServers 5
    MaxSpareServers 20
    
    #
    # Number of servers to start initially.
    #
    StartServers 10
    
    #
    # MaxRequestsPerChild is the number of connections a thread will handle
    # before it is killed. In practise this should be set to 0, which disables
    # thread reaping. If you do notice problems with memory leakage, then set
    # this to something like 10000
    #
    MaxRequestsPerChild 0
    
    #
    # The following is the authorization controls. If there are any access
    # control keywords then the default action is to DENY. Otherwise, the
    # default action is ALLOW.
    #
    # Also the order of the controls are important. The incoming connections
    # are tested against the controls based on order.
    #
    Allow 127.0.0.1
    Allow 192.168.1.0/25
    
    #
    # The "Via" header is required by the HTTP RFC, but using the real host name
    # is a security concern.  If the following directive is enabled, the string
    # supplied will be used as the host name in the Via header; otherwise, the
    # server's host name will be used.
    #
    ViaProxyName "tinyproxy"
    
    #
    # The location of the filter file.
    #
    Filter "/etc/tinyproxy/filter"
    
    #
    # Filter based on URLs rather than domains.
    #
    FilterURLs On
    
    #
    # Use POSIX Extended regular expressions rather than basic.
    #
    #FilterExtended On
    
    #
    # Use case sensitive regular expressions.
    #                                                                         
    #FilterCaseSensitive On     
    
    #
    # Change the default policy of the filtering system.  If this directive is
    # commented out, or is set to "No" then the default policy is to allow
    # everything which is not specifically denied by the filter file.
    #
    # However, by setting this directive to "Yes" the default policy becomes to
    # deny everything which is _not_ specifically allowed by the filter file.
    #
    #FilterDefaultDeny Yes
    
    #
    # If an Anonymous keyword is present, then anonymous proxying is enabled.
    # The headers listed are allowed through, while all others are denied. If
    # no Anonymous keyword is present, then all header are allowed through.
    # You must include quotes around the headers.
    #
    #Anonymous "Host"
    #Anonymous "Authorization"
    
    #
    # This is a list of ports allowed by tinyproxy when the CONNECT method
    # is used.  To disable the CONNECT method altogether, set the value to 0.
    # If no ConnectPort line is found, all ports are allowed (which is not
    # very secure.)
    #
    # The following two ports are used by SSL.
    #
    ConnectPort 443
    ConnectPort 563
     
  25. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #25
    What's the advantage to tinyproxy vs. the ssh server that comes on OS X?
     
