4/29/13

Setup SSH on Your Router for Secure Web Access from Anywhere

How-To Geek

Connecting to the internet from Wi-Fi hotspots, at work, or anywhere else away from home exposes your data to unnecessary risks. You can easily configure your router to support a secure tunnel and shield your remote browser traffic. Read on to see how.

What is and Why Set Up a Secure Tunnel?


You might be curious why you would even want to set up a secure tunnel from your devices to your home router and what benefits you would reap from such a project. Let's lay out a couple of different scenarios that involve you using the internet to illustrate the benefits of secure tunneling.

Scenario one: You're at a coffee shop using your laptop to browse the internet through their free Wi-Fi connection. Data leaves your Wi-Fi modem, travels through the air unencrypted to the Wi-Fi node in the coffee shop, and then is passed on to the greater internet. During the transmission from your computer to the greater internet your data is wide open. Anyone with a Wi-Fi device in the area can sniff your data. It's so painfully easy that a motivated 12-year-old with a laptop and a copy of Firesheep could snatch up your credentials for all manner of things. It's as though you're in a room filled with English-only speakers, talking into a phone speaking Mandarin Chinese. The moment somebody who speaks Mandarin Chinese comes in (the Wi-Fi sniffer), your pseudo-privacy is shattered.

Scenario two: You're at a coffee shop using your laptop to browse the internet through their free Wi-Fi connection again. This time you've established an encrypted tunnel between your laptop and your home router using SSH. Your traffic is routed through this tunnel directly from your laptop to your home router, which is functioning as a proxy server. This pipeline is impenetrable to Wi-Fi sniffers, who would see nothing but a garbled stream of encrypted data. No matter how shifty the establishment or how insecure the Wi-Fi connection, your data stays in the encrypted tunnel and only leaves it once it has reached your home internet connection and exits to the greater internet.

In scenario one you're surfing wide open; in scenario two you can log in to your bank or other private web sites with the same confidence you would from your home computer.

Although we used Wi-Fi in our example, you could use the SSH tunnel to secure a hardline connection to, say, launch a browser on a remote network and punch a hole through the firewall to surf as freely as you would on your home connection. Sounds good, doesn't it? It's incredibly easy to set up, so there's no time like the present: you can have your SSH tunnel up and running within the hour.

What You'll Need

www.howtogeek.com/68061/setup-ssh-on-your-router-for-secure-web-access-from-anywhere/


There are many ways to set up an SSH tunnel to secure your web browsing. For this tutorial we're focusing on setting up an SSH tunnel in the easiest possible way with the least amount of fuss for a user with a home router and Windows-based machines. To follow along with our tutorial you'll need the following things: a router running the Tomato or DD-WRT modified firmware, an SSH client like PuTTY, and a SOCKS-compatible web browser like Firefox.

For our guide we'll be using Tomato, but the instructions are almost identical to the ones you would follow for DD-WRT, so if you're running DD-WRT feel free to follow along. If you don't have modified firmware on your router, check out our guide to installing DD-WRT and Tomato before proceeding.

Generating Keys for Our Encrypted Tunnel


Although it might seem odd to jump right to generating the keys before we even configure the SSH server, if we have the keys ready we'll be able to configure the server in a single pass.

Download the full PuTTY pack and extract it to a folder of your choice. Inside the folder you'll find PUTTYGEN.EXE. Launch the application and click Key > Generate key pair. You'll see a screen much like the one pictured above; move your mouse around to generate random data for the key creation process. Once the process has finished your PuTTY Key Generator window should look something like this; go ahead and enter a strong password:

Once you've plugged in a password, go ahead and click Save private key. Stash the resulting .PPK file somewhere safe. Copy and paste the contents of the "Public key for pasting" box into a temporary TXT document for now.

If you plan on using multiple devices with your SSH server (such as a laptop, a netbook, and a smartphone) you need to generate key pairs for each device. Go ahead and generate, password-protect, and save the additional key pairs you need now. Make sure you copy and paste each new public key into your temporary document.

Configuring Your Router for SSH


Both Tomato and DD-WRT have built-in SSH servers. This is awesome for two reasons. First, it used to be a huge pain to telnet into your router to manually install an SSH server and configure it. Second, because you're running your SSH server on your router (which likely consumes less power than a light bulb), you never have to leave your main computer on just for a lightweight SSH server.

Open a web browser on a machine connected to your local network. Navigate to the web interface of your router; for our router, a Linksys WRT54G running Tomato, the address is http://192.168.1.1. Log in to the web interface and then navigate to Administration > SSH Daemon. There you need to check both Enable at Startup and Remote Access. You can change the remote port if you desire, but the only benefit to doing so is that it marginally obfuscates the reason the port is open if anyone port scans you. Uncheck Allow Password Login. We will not be using a password login to access the router from afar; we will be using a key pair.

Paste the public key(s) you generated in the last part of the tutorial into the Authorized Keys box. Each key should be its own entry separated by a line break. The first portion of the key, ssh-rsa, is very important. If you do not include it with each public key, the keys will appear invalid to the SSH server.

Click Start Now and then scroll down to the bottom of the interface and click Save. At this point your SSH server is up and running.
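
A quick check for the text pasted into the Authorized Keys box, as an added example that is not part of the original article or of Tomato: it tests each line for the key-type prefix, for complete key data, and for a prefix that matches the data. The function names and the sample entries are constructed for illustration.

```python
import base64
import binascii
import hashlib

def _ssh_string(data):
    return len(data).to_bytes(4, "big") + data

def make_sample_key(comment="laptop"):
    # Constructed sample with the real ssh-rsa wire layout but filler numbers; not a usable key.
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + b"\xc3" * 256)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def _walk(blob):
    # A public key blob is a run of length-prefixed fields; the first one names the key type.
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 4], "big")
        if i + 4 + n > len(blob):
            raise ValueError("field runs past the end of the key data")
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return fields

def check_entry(line):
    """Return (ok, detail) for one line of the Authorized Keys box."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        return False, "missing key-type prefix such as ssh-rsa"
    try:
        blob = base64.b64decode(parts[1], validate=True)
        fields = _walk(blob)
    except (binascii.Error, ValueError):
        return False, "key data is truncated or wrapped"
    if not fields or fields[0] != parts[0].encode():
        return False, "prefix does not match the key data"
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return True, "SHA256:" + digest

def check_box(text):
    return [check_entry(line) for line in text.splitlines() if line.strip()]

GOOD = make_sample_key()
B64 = GOOD.split()[1]
SAMPLE_BOX = "\n".join([
    GOOD,                                  # pasted correctly
    B64 + " netbook",                      # ssh-rsa prefix lost while copying
    "ssh-rsa " + B64[:-4] + " phone",      # end of the key cut off
    "ssh-dss " + B64 + " tablet",          # prefix belongs to a different key type
])
```

Calling check_box(SAMPLE_BOX) returns one (ok, detail) pair per entry; for a good entry the detail is the key's SHA256 fingerprint.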

Configuring Your Remote Computer to Access Your SSH Server


This is where the magic happens. You've got a key pair, you've got a server up and running, but none of that is of any value unless you're able to remotely connect from the field and tunnel into your router. Time to bust out our trusty netbook running Windows 7 and set to work.

First, copy that PuTTY folder you created to your other computer (or simply download and extract it again). From here out all instructions are focused on your remote computer. If you ran the PuTTY Key Generator on your home computer, make sure you've switched over to your mobile computer for the rest of the tutorial. Before you settle in, you'll also need to make sure you have a copy of the .PPK file you created. Once you have PuTTY extracted and the .PPK in hand, we're ready to proceed.

Launch PuTTY. The first screen you'll see is the Session screen. Here you'll need to enter the IP address of your home internet connection. This is not the IP of your router on the local LAN; this is the IP of your modem/router as seen by the outside world. You can find it by looking at the main Status page in your router's web interface. Change the Port to 2222 (or whatever you substituted in the SSH Daemon configuration process). Make sure SSH is checked. Go ahead and give your session a name so that you can save it for future use. We titled ours Tomato SSH.

Navigate, via the left-hand pane, down to Connection > Auth. Here you need to click the Browse button and select the .PPK file you saved and brought over to your remote machine.

While in the SSH sub-menu, continue down to SSH > Tunnels. It is here we are going to configure PuTTY to function as a proxy server for your mobile computer. Check both boxes under Port Forwarding. Below, in the Add new forwarded port section, enter 80 for the Source port and the IP address of your router for the Destination. Check Auto and Dynamic, then click Add. Double check that an entry has appeared in the Forwarded Ports box.

Navigate back to the Sessions section and click Save again to save all your configuration work. Now click Open. PuTTY will launch a terminal window. You may get a warning at this point indicating that the server's host key is not in the registry. Go ahead and confirm that you trust the host. If you're worried about it you can compare the fingerprint string it gives you in the warning message with the fingerprint of the key you generated by loading it up in PuTTY Key Generator. Once you've opened PuTTY and clicked through the warning you should see a screen that looks like this:

At the terminal you will only need to do two things. At the login prompt type root. At the passphrase prompt enter your RSA keyring password. This is the password you created a few minutes ago when you generated your key, not your router's password. The router shell will load and you're done at the command prompt. You've formed a secure connection between PuTTY and your home router. Now we need to instruct your applications how to access PuTTY.

Note: If you want to simplify the process at the price of slightly decreasing your security, you can generate a key pair without a password and set PuTTY to log in to the root account automatically (you can toggle this setting under Connect > Data > Auto Login). This reduces the PuTTY connection process to simply opening the app, loading the profile, and clicking Open.

Configuring Your Browser to Connect to PuTTY


At this point in the tutorial your server is up and running, your computer is connected to it, and only one step remains. You need to tell the important applications to use PuTTY as a proxy server. Any application which supports the SOCKS protocol can be linked to PuTTY, such as Firefox, mIRC, Thunderbird, and uTorrent, to name a few. If you're unsure whether an application supports SOCKS, dig around in the options menus or consult the documentation. This is a critical element that shouldn't be overlooked: your traffic isn't routed through the PuTTY proxy by default; each application must be attached to the SOCKS server. You could, for example, have a web browser where you turned on SOCKS and a web browser where you didn't, both on the same machine, and one would encrypt your traffic and one wouldn't.

For our purposes we want to secure our web browser, Firefox Portable, which is simple enough. The configuration process for Firefox translates to practically any application you'll need to plug in SOCKS information for. Launch Firefox and navigate to Options > Advanced > Settings. From within the Connection Settings menu, select Manual proxy configuration and under SOCKS Host plug in 127.0.0.1. You're connecting to the PuTTY application running on your local computer, so you must put the local host IP, not the IP of your router as you've been putting in every slot so far. Set the port to 80, and click OK.

We have one tiny little tweak to apply before we're all set. Firefox, by default, doesn't route DNS requests through the proxy server. This means that your traffic will always be encrypted but somebody snooping the connection would see all your DNS requests. They'd know you were at Facebook.com or Gmail.com but they wouldn't be able to see anything else. If you want to route your DNS requests through the SOCKS proxy, you'll need to turn it on. Type about:config in the address bar, then click "I'll be careful, I promise!" if you get a stern warning about how you can screw up your browser. Paste network.proxy.socks_remote_dns into the Filter: box and then right click on the entry for network.proxy.socks_remote_dns and Toggle it to True. From here out, both your browsing and your DNS requests will be sent through the SOCKS tunnel.

Although we're configuring our browser for SSH-all-the-time, you may wish to easily toggle your settings. Firefox has a handy extension, FoxyProxy, that makes it super easy to toggle your proxy servers on and off. It supports tons of configuration options like switching between proxies based on the domain you're on, the sites you're visiting, etc. If you want to be able to easily and automatically turn your proxy service off based on whether you're at home or away, for example, FoxyProxy has you covered. Chrome users will want to check out Proxy Switchy! for similar functionality.

Let's see if everything worked as planned, shall we? To test things out we opened up two browsers: Chrome (seen on the left) with no tunnel and Firefox (seen on the right) freshly configured to use the tunnel. On the left we see the IP address of the Wi-Fi node we're connecting to and on the right, courtesy of our SSH tunnel, we see the IP address of our distant router. All Firefox traffic is being routed through the SSH server. Success!
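
What network.proxy.socks_remote_dns changes on the wire, as an added example that is not part of the original article: with the setting off the browser looks the name up itself and sends the proxy an IP address, with it on the name itself travels inside the tunnel. It assumes the SOCKS version 5 request format (RFC 1928); the function names, the stand-in resolver and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

def build_connect(hostname, port, remote_dns, local_resolver):
    """Build the SOCKS5 CONNECT request (RFC 1928) sent to the listener on 127.0.0.1.
    The method-negotiation greeting that precedes it is omitted."""
    if remote_dns:
        name = hostname.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name          # ATYP 0x03: name, resolved at the far end
    else:
        ip = local_resolver(hostname)                        # lookup happens outside the tunnel
        addr = b"\x01" + ipaddress.IPv4Address(ip).packed    # ATYP 0x01: IPv4 literal
    return b"\x05\x01\x00" + addr + port.to_bytes(2, "big")

def parse_connect(request):
    """Decode a request and report what the proxy end was asked to reach."""
    if len(request) < 7 or request[0] != 5 or request[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == 3:
        end = 5 + request[4]
        target = request[5:end].decode("ascii")
    elif atyp == 1:
        end = 8
        target = str(ipaddress.IPv4Address(request[4:end]))
    else:
        raise ValueError("address type not handled in this example")
    if len(request) != end + 2:
        raise ValueError("malformed request")
    return {"target": target, "port": int.from_bytes(request[end:], "big"),
            "proxy_resolves_name": atyp == 3}

def simulate(hostname, remote_dns):
    """Return (parsed request, names the local network's DNS server was asked for)."""
    asked_locally = []

    def resolver(name):
        # Stand-in for the OS resolver; the answer is a constructed RFC 5737 address.
        asked_locally.append(name)
        return "203.0.113.10"

    request = build_connect(hostname, 443, remote_dns, resolver)
    return parse_connect(request), asked_locally
```

simulate("mail.example.com", remote_dns=False) shows the name in the local lookup list, while remote_dns=True leaves that list empty and puts the name in the request that goes through the tunnel.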

Have a tip or trick for securing remote traffic? Use a SOCKS server/SSH with a particular app and love it? Need help figuring out how to encrypt your traffic? Let's hear about it in the comments.



Jason Fitzpatrick is a warranty-voiding DIYer and all-around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on Google+ if you'd like. Published 07/13/11 102,771 Views
