Whenever I'm using the internet from an insecure location (such as public wifi) I like to use an ssh tunnel (ssh -D port host) to ensure my traffic can't be sniffed. Unfortunately, there seem to be many applications which do not provide a way to specify a proxy (Flash is one major example).
It feels like there should be some way to use a tunnel for all network traffic from my computer, but I'm complete ignorant of how to do this. Any help would be greatly appreciated.
To do what you are wanting, I recommend sshuttle.
You use it like this:
./sshuttle -r username@sshserver 0.0.0.0/0 -vv
It will tunnel all your TCP traffic automatically for you. You can add the --dns argument to have it tunnel your DNS traffic as well. The remote server only needs to have Python installed.
If you only want to tunnel specific programs I would recommend proxychains.
Once it is installed, start your ssh socks proxy like this:
ssh -fNTD 127.0.0.1:<local port> username@sshserver
This will start a "SOCKS" proxy listening on <local port>.
Then edit /etc/proxychains.conf to point to the same port as <local port>:
socks5 127.0.0.1 <localport>
Finally start your program that you want proxy-ed like so:
proxychains <program name>
It should just work. However, a few programs will have trouble working with Proxy Chains. Also keep in mind, that with Firefox, you have to change additional items under about:config to force it to do DNS lookups through the proxy instead of bypassing it.
As an additional note, on web browsers. If they support socks proxies, you don't need to do anything additional to get them to use the above mentioned, ssh tunnel, just enter 127.0.0.1 for the SOCKS proxy server and the <local port> for the proxy port.
EDIT 3/29/16
Since this post is still seeing some upvotes, I thought I'd update it. Proxychains is still in most Linux repos and still works on Linux. However, the project is effectively abandoned and does not work on OSX. For either Linux or OSX, I highly recommend upgrading to a still-maintained fork: proxychains-ng: https://github.com/rofl0r/proxychains-ng
Besides working in both Linux and OSX, it is easy to compile, and also has much better support for DNS tunneling.
I should also mention another option, which is redsocks. It works similarly to proxychains(-ng) and is also likely in your dist repo: https://github.com/darkk/redsocks
EDIT 11/27/19 If you go the proxychains route, please use proxychains-ng. There are some serious bug fixes over the legacy version, like: https://github.com/rofl0r/proxychains-ng/issues/292
man ssh gives an example of exactly this. An ssh based vpn:
SSH-BASED VIRTUAL PRIVATE NETWORKS
ssh contains support for Virtual Private Network (VPN) tunnelling using
the tun(4) network pseudo-device, allowing two networks to be joined
securely. The sshd_config(5) configuration option PermitTunnel controls
whether the server supports this, and at what level (layer 2 or 3 traf-
fic).
The following example would connect client network 10.0.50.0/24 with
remote network 10.0.99.0/24, provided that the SSH server running on the
gateway to the remote network, at 192.168.1.15, allows it:
# ssh -f -w 0:1 192.168.1.15 true
# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
~~ snip ~~
Since a SSH-based setup entails a fair amount of overhead, it may be more
suited to temporary setups, such as for wireless VPNs. More permanent
VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).
Once you have that new interface up, you'd just have to make it the default route, which is a different question.
I've developed software that allows you to forward all TCP and optionally UDP through a SOCKS5 proxy, system-wide.
http://code.google.com/p/badvpn/wiki/tun2socks
It can even be installed on a router to forward all connections from computers on the LAN.
Look for the "Tunnel" option in ssh. This creates a tunnel device that you can assign an IP address to, and then you change the default route to use that tunnel.
SSH-BASED VIRTUAL PRIVATE NETWORKS ssh contains support for Virtual Private Network (VPN) tunnelling using the tun(4) network pseudo-device, allowing two networks to be joined securely. The sshd_config(5) configuration option PermitTunnel controls whether the server supports this, and at what level (layer 2 or 3 traf‐ fic).
The following example would connect client network 10.0.50.0/24 with
remote network 10.0.99.0/24 using a point-to-point connection from
10.1.1.1 to 10.1.1.2, provided that the SSH server running on the gateway
to the remote network, at 192.168.1.15, allows it.
On the client:
# ssh -f -w 0:1 192.168.1.15 true
# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
# route add 10.0.99.0/24 10.1.1.2
On the server:
# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
# route add 10.0.50.0/24 10.1.1.1
Client access may be more finely tuned via the /root/.ssh/authorized_keys
file (see below) and the PermitRootLogin server option. The following
entry would permit connections on tun(4) device 1 from user “jane” and on
tun device 2 from user “john”, if PermitRootLogin is set to
“forced-commands-only”:
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
Since an SSH-based setup entails a fair amount of overhead, it may be
more suited to temporary setups, such as for wireless VPNs. More perma‐
nent VPNs are better provided by tools such as ipsecctl(8) and
isakmpd(8).
Just wanted to clear up that (ssh -D port host) is not a 100% secure way for traffic not to be sniffed. Adding (ssh -D -c blowfish port host) would be a better choice because you are atleast adding encryption to your session. There are more options you could add but it is easy enough to just type "man ssh" in your terminal or Google for a complete listing.
The option I think that you are looking for is setting up a VPN (Virtual Private Network)
Have a look at this article to get an understanding of the diffrence between the two (SSH vs. VPN) or a good summarized version, before you tackle setting up your own VPN. If you do decide to go the VPN route I recommend OpenVPN, its free and lots of documentation and support.
Use these examples:
Forward port 80 from a remote host to 8888 on your localhost
ssh -fnN -L8888:localhost:80 user@server
Use this to access services on a remote host that are only available there
Forward port 80 from yourlocalhost to 8888 on a remote host
ssh -fnN -R8888:localhost:80 user@server
Use this to allow ther users to access your services: webserver, or whatever.
Cheers! :)
