Disclaimer
This post appeared here for several reasons:
1) Boomburum asked me
2) I assume that there are still people on Habr who work directly in IT yet have only a very vague idea of the benefits of SSH and of how to get it out of an ordinary home router, and who, I hope, will find this very interesting and useful to discover.
Habr users who have already mastered the Tao of IOS, tun, VPN, *wrt, WOL, etc. are offered a choice:
A) Close the topic, get on with your business and do not disturb your nirvana by reading this amateur garbage.
B) Spend time on constructive criticism and useful additions in the comments.
Especially for GrammarNazi: please write to me about errors by PM; I promise to fix them.
Blah blah blah, but what is the topic about?
So, I promised to tell “how to raise an SSH tunnel home without having to leave the home PC on” and, as peter23 correctly guessed, it will be about the SSH server on the router.
First, about who and why this may be needed and what the initial conditions are.
Suppose you are on a network whose Internet connection has restrictions that inconvenience you. Or, on the contrary, you have connected to a public access point and your paranoia is flaring up. In short, you are in a situation where you would very much like more freedom and control over the network, but alas. It would seem you could log in to the home computer through a service such as logmein or teamviewer, but that home computer is a laptop forgotten on the couch without its charger, and you do not have a server of your own.
But the router at your home is always switched on and, while you are away, it just burns electricity.
There are several ways out of this situation. Only one of them is described below.
1) We determine the router
Do you know your router well?
Take a closer look: maybe its stated features already include support for SSH or even TOR. If not, check whether it can be added. For a great many home and SOHO routers there is plenty of alternative firmware, for example DD-WRT. I do not deny the merits of other alternative firmware, but I will use this one as the example.
Do you have the “people's” D-Link DIR-xxx, ASUS WL-xxxGx / RT-Nxx, Netgear, TP-Link, TRENDnet, the “geek” Linksys WRT-xxx, Ubiquiti or something like that? What luck!
Go to the database of compatible routers on the firmware's official website and enter the make and model of your router in the search bar. If all is well, then, just in case, consult the collective mind to clarify the details of support for your model. Having grasped the subtleties, flash the router according to the instructions on the site. Do not forget about 30/30/30.
If everything went well, set up a permanent Internet connection and proceed to the next step.
2) The way home
The next step is to work out how to get home from the Internet.
At what address can the router be reached?
A necessary condition: your provider gives you an external IP address.
If this address is static, just remember it for later. If the address is dynamic, the easiest way is to use a service like DynDNS that is supported by the router's firmware.
This is easy: register on the site, select that site from the drop-down list in the router's Setup -> DDNS menu, enter “login-password-host-rest to taste”, click the “Apply Settings” button and forget about it. Now you only need to remember the host (by the way, even if you have a static IP address, you can give it an easy-to-remember name, in case the provider changes or you move).
As a result, we have in our hands “the address of our home” on the Internet in the form of an IP or domain name. Hooray!
3) We get acquainted with the possibilities of SSHd on the router
http://www.dd-wrt.com/wiki/index.php/SSH
A very flexible tool, isn't it?
Let's try using it to send all the traffic from your browser and other programs through the home router. That is, raise an SSH tunnel from you to the home router so that its entrance on your side looks like a local SOCKS proxy, while at the router's exit all traffic goes on to its destination. This lets us secretly, with impunity and safely access the free Internet (yes, yes, this is a very “fat” formulation, undoubtedly) and at the same time use home network resources, if there are any. In short, feel at home.
From here on I assume that you are using Windows, since in real life I have not met a user of another OS who would not know what to do with SSH.
Well, okay, I have met some, but things have already been explained to them, and in general.
4) The keys to the apartment, where the money is
A login-password pair is not a very good choice for a secure connection to our router. For reasons unknown to me, DD-WRT accepts only the root user over SSH from outside, so not using key authentication is the height of carelessness. It also has an upside: you do not need to enter a complex superuser password every time, which is one more reason to learn the safer way.
For this we need a pair of keys, public and private. We will give the public one to the router and guard the private one like the apple of our eye.
To get them, launch puttygen, press the “Generate” button and move the mouse until we see something like this:

We save the private key to a file with the .ppk extension, and the public key can simply be copied from the puttygen window into the DD-WRT settings here:

Do not forget that remote SSH access in DD-WRT must be enabled in the Administration -> Management section.
I like to set port 443 for SSH, since this port is almost always open in corporate networks and modest encrypted traffic to it usually does not arouse suspicion. Inside the network I also use 443, so as not to get confused, and at the same time I turned off password and telnet access.
I advise aesthetes to set up port knocking and put a passphrase on the private key, if you are not too lazy to knock on the ports and the keyboard every time.
5) The client is always right
That's it, the router (read “server with SSHd”) is configured; let us return to our sheep, i.e. Windows.
Take an SSH client program, for example the wonderful portable KiTTY (thanks to NZeraF for the tip-off), and configure it to connect to our router roughly as in the screenshots below:
We will log in as root ...

... so be careful.

The path to the private key can be specified relative to the root of the disk (convenient for the portable option).

A little bit of port-forwarding magic (the port can be picked arbitrarily, for example 5150).

We recall the “way home”, invent the name of the connection (aka session) and save.

It is necessary, of course, to take into account the peculiarities of Internet access from the network in which you are located (there are all kinds of proxies and so on). In general, the client is configured and the tunnel can be started and used.
For convenience, you can create something like this batch file or a shortcut for quick launch:
kitty.exe -load "sessionname" -send-to-tray
6) And what to do with it?
There are lots of options. You can, for example, use such a tunnel as a local proxy for the browser, one way or the other:

Or use it to reach other servers via RDP or SSH, or simply to let an IM client or Skype out onto the Internet.
And even if your application does not understand SOCKS proxies, it’s enough just to run
polipo socksParentProxy=localhost:5150
and you will have an HTTP proxy on port 8123. In general, everything is in your hands.
UPD:
My answer from private correspondence in the wake of this topic, for those unfortunate people who have only port 80 and no CONNECT:
daniel.haxx.se/docs/sshproxy.html
www.nocrew.org/software/httptunnel.html
And, right away, for novice penguin and Ubuntu lovers: corkscrew or proxytunnel.
And for their more red-eyed friends, a bonus from ValdikSS.
By the way, it has already been written on Habr that the router can also download torrents and do a lot more. And the home computer can be turned on remotely anyway (or, after forwarding a port, like this).
PS: One of the sources of inspiration
PPS: Question for experts (about browsers and DNS).