An SSH server combined with a locally running SOCKS proxy lets you browse the internet more securely from, for example, public Wi-Fi hotspots, by routing your internet traffic through an encrypted channel to a remote server. If you combine this with DNS over HTTPS, which is currently available at least in Firefox and Chrome, it becomes harder for other parties to analyse your traffic. It also allows you to reach resources from a server outside a company network, which is useful if, for example, you want to check how a company-hosted service looks to a customer from the outside. Having a proxy server in a different country can also help when certain services are only available from that country (a benefit similar to using a VPN or Tor) or as a means to circumvent censorship.
Do check what is allowed in your company, by your ISP and is legal within your country before using such techniques though. I of course don't want you to do anything illegal and blame me for it ;)
How to configure OCI
The example configuration is based on Oracle Linux 7 but will most likely be the same for RHEL and CentOS. Mind that creating always free instances is only possible in your home region and that changing your home region after account creation is currently not possible. See here.
When configuring OCI instances there are some challenges if you are not that experienced with cloud providers, such as creating an SSH key pair and making the instance reachable from the internet. After the instance is created, there are also some measures to take to keep it updated and to make using it as a SOCKS proxy from a remote location easier, by moving the SSH server to port 443 (the port normally used for HTTPS traffic).
Create an instance
Creating an OCI instance is relatively easy but consists of several steps.
Prepare the SSH public and private keys
First prepare an SSH key pair. There are several tools which allow you to do this. The screenshots below are from MobaXterm. You can also use PuTTYgen, keytool (a command line tool), KeyStore Explorer, etc. I prefer MobaXterm since next to generating keys, it is also a powerful SSH client, provides a Linux-like environment and has a nice SSH tunnel manager.
Do not supply a password. Next to saving the public and private key using the respective buttons, also save the top part starting with ssh-rsa. This is the part which OCI needs to configure the instance. The private key is what you use to log in from a client.
Create the instance
Why Oracle Linux? I was having some difficulties with the Ubuntu image and I suspect running an Oracle OS on Oracle Cloud might make things easier in the future.
In the below step you copy the previously saved public key.
Now start creating the instance and wait until it is ready.
Create a public IP
When using the free tier, you only have a single public IP address. You can create 2 compute instances though. I recommend using different accounts on a single compute instance if you want to allow different users to access it.
Assign the public IP
Note that if an IP is already assigned, you first have to indicate no public IP, apply and then change the setting to the wanted public IP.
Confirm client connectivity
You can confirm you can access your instance with MobaXterm using a regular SSH connection. Use the assigned public IP at port 22 and your private key to log in as user opc. The screenshot shows port 443, but that is after you change it as described below; it starts out on port 22, the default SSH port.
Since your OCI instance is reachable at a public IP address and has an open SSH port, it will be bombarded with login attempts. You could keep the SSH port closed until a certain sequence of connection attempts has been made (port knocking), but you may not be able to perform those through a company proxy server. If you keep the port open, it is important to keep the system updated to reduce the number of vulnerabilities that could be abused to gain access. Since manual maintenance of environments is no hobby of mine and I do like my system to remain up to date and do not care about reboots once in a while, I've automated this.
The commands below are based on RHEL 7 and variants like OL 7 and CentOS 7.
# Install the automatic updater and yum-utils (which provides needs-restarting)
sudo yum -y install yum-cron yum-utils
# Enable the service and start it immediately (--now does both)
sudo systemctl enable --now yum-cron.service
# Let yum-cron apply updates instead of only downloading them
sudo sed -i 's/apply_updates = no/apply_updates = yes/g' /etc/yum/yum-cron.conf
# Once a day at 11:00, reboot if an update requires it (needs-restarting -r exits non-zero in that case).
# The original entry used '* 11 * * *', which would run every minute between 11:00 and 11:59.
(crontab -l 2>/dev/null; echo '0 11 * * * /usr/bin/needs-restarting -r || sudo shutdown -r') | crontab -
- It checks for updates regularly (interval specified in yum-cron.conf)
- It applies the updates
- It checks if updates require a restart daily using the needs-restarting command which is part of yum-utils
- It executes the restart when required
Change the SSH port
Company proxy servers almost never block port 443, the port used to access HTTPS websites. To give you maximum flexibility in reaching your OCI instance, it is recommended to run the SSH server on port 443. Next to the host firewall configured below, the VCN security list of the instance's subnet also needs an ingress rule for TCP port 443, otherwise the port is not reachable from the internet.
Change the port
# Replace the commented default port with 443 in the sshd configuration
sudo sed -i 's/#Port 22/Port 443/g' /etc/ssh/sshd_config
# Tell SELinux that sshd may listen on 443 (-m modifies the existing ssh_port_t mapping)
sudo semanage port -m -t ssh_port_t -p tcp 443
# Open 443/tcp in the host firewall and reload the rules
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload
# Restart sshd; keep the current session open and test a new connection on 443 before closing it
sudo systemctl restart sshd.service
Configure a local SOCKS proxy server
Linux / Unix (should probably also work on Mac)
This is by far the easiest, since you need nothing more than an SSH client, which is usually installed by default. Execute a command like:
nohup ssh -i ~/oraclecloudalwaysfree.key -D 8123 -f -C -v -N opc@132.145.250.238 -p 443
This gives you an SSH SOCKS server available at localhost port 8123. Of course change the IP to your own and refer to your own private key. Output is saved in ~/nohup.out; if the connection fails, check that file for the cause.
- -D 8123 starts a SOCKS 4 and SOCKS 5 compliant proxy server on port 8123
- -i indicates the private key to use
- -f indicates background execution of SSH
- -C requests compression of data
- -v gives verbose output. Useful for debugging
- -N indicates that no remote command needs to be executed; we just need the tunnel functionality
- -p indicates the port to connect to on the remote host.
- opc@132.145.250.238 indicates the user and host to connect to
MobaXterm
I've used MobaXterm before to log in using SSH normally. MobaXterm also has an easy to use tunnel interface.
The last two icons indicate to MobaXterm to start the tunnel when the application is started and to automatically reconnect upon disconnect.
Android: ConnectBot
ConnectBot is an Android app which allows you to create SSH connections to remote servers, use private keys to log in and configure SSH tunnels. If you have a rooted Android phone, you can even use the ProxyDroid app to configure the SOCKS proxy globally instead of per app. The process on how to configure this is described here. For a secure connection to OCI, first load your private key in ConnectBot. Next create a connection to opc@yourhost. Then add a port forward of type Dynamic (SOCKS) with source port 8080. This starts a local SOCKS proxy server available at port 8080, which is what you configure in web browsers.
iPhone
For iPhone it is probably also possible to run a SOCKS proxy locally and connect to it from a browser but since I have no iPhone available I'll leave that to others. You can read for example some discussion on this here.
Others
Bitvise SSH client can also easily be used to configure SSH tunnels. See my blog post about this here.
Configure clients to use the SOCKS proxy server
Firefox desktop
In Firefox on a desktop this is easy.
Firefox mobile
For Firefox on a mobile device this is slightly harder, and in Chrome, for example, these settings are not available at all. In Firefox the same settings as described above are available, but not from a GUI. The following steps describe what to do.
In the Firefox URL bar, type 'about:config' and press enter to access the advanced settings.
Search for 'socks' and set the following settings:
- network.proxy.socks = 127.0.0.1
- network.proxy.socks_port = 8080
- network.proxy.socks_remote_dns = true
Search for 'proxy.type' and set the following setting:
- network.proxy.type = 1
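As an added example, not code from the original post, the functions below show what the -D tunnel and the network.proxy.socks_remote_dns setting mean on the wire: a SOCKS5 CONNECT request that carries a hostname (address type 3) lets the SSH server resolve the name on the OCI instance, whereas an IP literal means the client resolved the name itself and the DNS query went out over the local network. The proxy port 8123, the target example.com and the reply bytes in the comments are assumptions or constructed values.

```python
import ipaddress
import socket
import struct

# SOCKS5 greeting offering a single auth method: no authentication (what ssh -D accepts)
NO_AUTH_GREETING = b"\x05\x01\x00"

def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request. A hostname is sent as ATYP 0x03 so the
    SSH server resolves it (socks_remote_dns = true); an IP literal is sent as
    ATYP 0x01/0x04, i.e. the name was already resolved on the client."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def parse_socks5_reply(data: bytes):
    """Return (reply code, bound address, bound port); reply code 0 means success."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 4:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == 3:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    return rep, addr, struct.unpack("!H", rest[:2])[0]

def check_socks_proxy(proxy_host, proxy_port, target_host, target_port, timeout=10):
    """Open a CONNECT through the local ssh -D listener and return the parsed reply.
    Assumes the tunnel from this post is running on proxy_host:proxy_port."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(NO_AUTH_GREETING)
        if s.recv(2) != b"\x05\x00":
            raise RuntimeError("proxy refused the no-authentication method")
        s.sendall(socks5_connect_request(target_host, target_port))
        return parse_socks5_reply(s.recv(262))

if __name__ == "__main__":
    # Constructed usage: local port 8123 from the ssh -D command, hostname resolved remotely
    rep, addr, port = check_socks_proxy("127.0.0.1", 8123, "example.com", 443)
    print("SOCKS5 reply code", rep, "(0 = connected via the instance); bound to", addr, port)
```

A reply code of 0 for a hostname target confirms that name resolution happened on the instance end of the tunnel; if the browser is configured with socks_remote_dns = false it sends requests with address type 1 instead, and the DNS lookup is visible on the local network.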
Torrent client on mobile
If you are looking for a torrent client which can run on your mobile phone and supports using a SOCKS server, check out Flud or tTorrent. I'm using Flud.
- Open Flud
- Go to Menu > Settings > Network > Proxy Settings
- Enter the settings as shown below
- Proxy type: SOCKS5
- Host: localhost
- Port: 8080
- Make sure to check 'Use proxy for peer connections' and uncheck 'Requires authentication'
- Click 'Apply Proxy'
- Done!