How to set up an SSH tunnel for HTTP(S) instead of a VPN or proxy, in order to change IP, to get IPv6, to secure a Web connection, or to compress data
I have migrated my personal Linux server (mainly Web) on a virtual machine based on OpenVZ,
which VPN functions
have been disabled by my hosting company (OVH Virtual KS).
Furthemore, I did not succeed in getting satisfying IPv6 via VPN with my previous server. VPN is thus not an option.
Classical HTTP proxys are not an option either because they do not handle DNS requests, and not always HTTPS.
As I am in Denmark while writing these lines, a country currently without any IPv6 possibility for private houses, I need a kind of tunnel when in need of IPv6, as well as a French IP as required by some non-neutral online services. It also allows circumventing some filters, and to ensure a better confidentiality in some circumstances.
The solution presented in this article has a goal of being as simple as possible, while relying solely on mainstream free software. This is based on standards such as SSH, and SOCKS version 5 (in order to support UDP for DNS requests, and IPv6). This requires:
Everything starts with a physical or virtual machine, to which you have an administrator or at least SSH access. This machine must have an Internet access that is more desirable than at the other side of the tunnel (for instance in terms of confidentiality, of geographical location of the IPv4 or IPv6 address, or access to some private networks).
Note your username as well as the address of the server, in order to provide this information during the following steps at the format you@your-server.example.
A majority of affordable Web servers for rent run Linux, and the majority of Linux distributions (Debian, Ubuntu, Gentoo, Red Hat, Mandriva…) include an OpenSSH server out-of-the-box, in which case everything is ready, and no or little configuration is necessary:
/etc/ssh/sshd_config # This is also the default value AllowTcpForwarding yes
Tested on Ubuntu 12.04.
It is then necessary to establish an SSH tunnel from your client.
I present below a simple approch for 3 different platforms (Linux, Windows, Android),
and it suffices to follow the one matching your case.
I use the local port 8081, but you can change it and pick any value between 1024 and 65535,
while avoiding the most used ports.
To close an SSH session from the client, type [Ctrl]+[D], or:
exit
For those on Linux, use OpenSSH (which is pre-installed in the majority of cases) with the following command:
ssh -D 8081 you@your-server.example
Appropriate for slow connections, it is possible to activate data compression:
ssh -D 8081 -C you@your-server.example
Some other options can tune the use of the tunnel (f, n, N, q, T). Refer to the documentation:
man ssh
Tested on Ubuntu 12.04.
For those on Microsoft Windows, PuTTY is the software to choose.
In the tab “Session”, type the address of the server.
Then in the area “Connection / SSH / Tunnels”, add the port 8081 in dynamic mode.
Appropriate for slow connections, it is possible to activate data compression in “Connection / SSH”.
![[PuTTY session]](PuTTY-1.en.png "Configuration of PuTTY session")
![[PuTTY tunnel]](PuTTY-2.png "Configuration of SSH tunnel with PuTTY")
![[PuTTY compression]](PuTTY-3.png "Configuration SSH compression with PuTTY")
Then connect by clicking on the “Open” button.
Tested with PuTTY 0.62 on Windows 7 and Windows 8.
For those on Google Android, ConnectBot – which is available on Android Market / Google Play – is the needed application.
At start-up, add a server at the format you@your-server.example, and then disconnect. With a long click on the new line representing your server, select “Edit port forwards”, and then the menu button, then “Add port forward”.
Fill-in the form as visible on the screenshot below, with whatever name in “Nickname”, “Type” Dynamic (SOCKS), “Source port” 8081, and empty “Destination”.
![[ConnectBot forward port]](ConnectBot-redirection-port.en.png "Forwarding ports with ConnectBot on Android")
It is possible to enable data compression with a prolonged click on the line representing your server, then “Edit host / Compression”.
Then connect again, and let ConnectBot run in the background by pressing the Android home button.
Remember to close your connection and quit ConnectBot when you do not need it anymore.
Tested with ConnectBot 1.7.1 on Android 4.0.3.
I picked up Mozilla Firefox as the Web browser in this setup, as it is the only one to support SOCKS 5 with the needed settings by default, without any extension necessary. Furthermore, this approach works the same on Firefox for desktop (Windows, Linux), and Firefox Mobile (Android).
Browse to the advanced parameters via about:config, search network.proxy, and put the following values:
Example for Firefox Mobile on Android:
![[Firefox Proxy Android]](Android-Firefox-Mobile-Proxy.png "Proxy settings for Firefox Mobile on Android")
In order to avoid having to change these settings manually and to keep coherent cookies, I use a Web browser dedicated to this configuration with a tunnel, and another Web browser for normal surf. On Android, I use Firefox Mobile beta to play this role.
Et voilà !
You can now access the Web with your server’s IP, and with a secured link between your client and your server.
For Web browsing (HTTP), SSH tunnels are a light, easy, and efficient alternative to VPN (heavier and not always possible) and HTTP proxys (which do not include DNS and not always HTTPS),
in particular as a temporary solution for a single user.
This solution may be used without administrative rights on the client machine, and the needed software can be found in USB version if necessary.
If you expect an answer or to report a problem, favour contacting me by e-mail.