How I Browse the Internet Securely from Starbucks
When a person accesses a public wireless access point (a hotspot), their browsing session is often very susceptible to being spied on. There are several good posts, out there for a while now, that explain how to prevent this using SSH tunneling. Two of these posts are:
- Lifehacker: Encrypt your web browsing session
- James Strassburg: HOWTO: Tunneling HTTP over SSH with DD-WRT, DynDNS and PuTTY
However, I figured that since every setup is a bit different, it wouldn't hurt to give another working example. This is meant as an example for users with different levels of computing/networking knowledge, and not strictly a step-by-step how-to, since my setup is probably a bit abnormal. My setup also encrypts the DNS information, meaning that if someone is listening, not only will they be unable to see the data on the websites I am viewing/sending, they will not even be able to tell which sites I am visiting*.
My current home network has two wireless access points (Linksys WRT54GL): the first is running Sveasoft's Alchemy firmware, and the second DD-WRT. These are alternate firmwares that expand the capabilities of the WRT54GL router. The Sveasoft router is my gateway to the internet. The DD-WRT router is running in client bridged mode***. Client bridged mode lets me connect devices to the DD-WRT router in a way that makes the Sveasoft router essentially think the devices are connected to it directly; this is the bridge aspect. However, the DD-WRT router gets its own IP, and I can run an SSH server on it; this is the client aspect.
A diagram of what my setup looks like when browsing from Starbucks (or any public hotspot):

1. Have the following installed:
   - An SSH client on your laptop: Ubuntu comes with one; for Windows I suggest PuTTY, see Strassburg's how-to.
   - DD-WRT firmware on your router. Only one router is needed; DD-WRT could be installed on the router that is the gateway to the internet on your home network (the equivalent of the Sveasoft router in my diagram above).
   - Another option is to have a computer on your home network running the SSH service; this computer could be Linux or Windows. DD-WRT is not the easiest thing to get installed, so if you have a home computer, it might be best to choose this option.
2. Start the SSH service (aka sshd, the SSH daemon) on the DD-WRT router:
   - Administration tab: Services tab: Secure Shell: check Enable SSHd.
   - I think if your DD-WRT router is the gateway on your local network, then you would instead enable remote SSH on the Administration tab: Management tab. Since I am connected to the internet through another router, as far as the DD-WRT router is concerned I am connecting from the gateway (my Sveasoft router), so I am already on the local network, hence it doesn't consider what I am doing to be remote access.
3. On the DD-WRT router, if it is not the gateway, under Setup: Basic Setup, enter your ISP's DNS server. Or, as I do, use the OpenDNS DNS servers (see their homepage for the IP addresses). This step is only required if you want your DNS requests to be encrypted as well.
4. If the SSH server is not running on the gateway (as in my case), enable port forwarding to the SSH server on the gateway. So on my Sveasoft router, I go to the Applications and Gaming tab: Port Forwarding, and forward port 22 (or whatever port the SSH service is running on) to the IP address of the SSH server. In my layout that is 192.168.1.50, the IP of the DD-WRT router.
5. Go to Starbucks with your laptop and get a chai latte. Make sure you know the internet IP of your home network before you leave home. If your IP is not static, see Strassburg's how-to on setting up DynDNS; this gives you a name to connect to that keeps track of your home network IP. Sveasoft's firmware and DD-WRT are both capable of this.
6. If using Ubuntu Feisty Fawn, or most Linux distributions: type "ssh -ND localhost:5555 root@123.123.123.123" (without the quotes) in the terminal of your laptop. 5555 can be a different port, but I will use it here. Substitute your actual home network IP address for 123.123.123.123. "root" is the user name you would use with DD-WRT by default; for security reasons you should definitely use a different account if you are using a different SSH server. It should just hang there after you enter your password.
7. In Firefox, go to Preferences: Advanced: Network: Settings. Select Manual Proxy Configuration, and under SOCKS Host enter "localhost" (without quotes), and for the port enter 5555, or whatever port you used in the command in step 6.
8. In Firefox, type about:config in the address bar. Find network.proxy.socks_remote_dns and click it so it is set to True. This will make your DNS requests go through the encrypted tunnel as well.
9. Fire up Wireshark as root and make sure the packets are actually being encrypted as you browse.
10. Enjoy your browsing and chai latte. Please note that with this how-to, only the internet activity from Firefox is being routed encrypted to your home network; nothing else is.
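The whole procedure, scripted, as an added example (this is not code from the original post, nor from DD-WRT or Firefox): a hardened sshd fragment for the "home computer running the SSH service" option, the ssh -ND tunnel command, and the Firefox proxy and socks_remote_dns settings written as a user.js so they survive a profile reset. Assumed: OpenSSH on both ends, curl on the laptop, a Firefox profile directory supplied by the caller, and a dedicated unprivileged account, called tunnel here as a placeholder. The SOCKS port is bound to 127.0.0.1 on purpose, so that other laptops on the hotspot cannot reach the tunnel, and Firefox is pointed at 127.0.0.1 rather than localhost so it cannot resolve the name to ::1 and miss the listener.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: OpenSSH client and
# server, curl on the laptop, a Firefox profile directory passed by the caller,
# and an unprivileged account named "tunnel" (placeholder name).

# Server side: a minimal sshd fragment for a home machine whose SSH port is
# forwarded by the gateway. Root and password logins (the weak settings the post
# warns about) are off; only the TCP forwarding the SOCKS tunnel needs stays on.
# Include it from sshd_config, or drop it into sshd_config.d on OpenSSH 8.2+.
write_sshd_fragment() {
  cat > "$1" <<EOF
# written by write_sshd_fragment (example)
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ${2:-tunnel}
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
EOF
}

# Returns 0 when a fragment still disables root/password login and keeps
# TCP forwarding on, i.e. nobody has edited the hardening away.
sshd_fragment_ok() {
  grep -qx 'PermitRootLogin no' "$1" &&
  grep -qx 'PasswordAuthentication no' "$1" &&
  grep -qx 'AllowTcpForwarding yes' "$1"
}

# Client side: the ssh invocation. -N runs no remote command, -D opens a local
# SOCKS proxy. Args: HOST [SOCKS_PORT] [USER] [SSH_PORT].
tunnel_cmd() {
  printf 'ssh -N -D 127.0.0.1:%s -p %s %s@%s' "${2:-5555}" "${4:-22}" "${3:-tunnel}" "$1"
}

# Firefox settings as a user.js: manual SOCKS5 proxy on the tunnel port and
# remote DNS, so name lookups also travel inside the SSH session.
write_firefox_userjs() {
  cat > "$1/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", ${2:-5555});
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Returns 0 when the profile's user.js points at the given port with remote DNS on.
userjs_ok() {
  grep -qF "\"network.proxy.socks_port\", ${2:-5555});" "$1/user.js" &&
  grep -qF '"network.proxy.socks_remote_dns", true);' "$1/user.js"
}

# Companion to the Wireshark check: fetch a URL through the tunnel with the name
# resolved by the remote end (--socks5-hostname), exactly as Firefox does once
# socks_remote_dns is on. Prints the HTTP status; needs the tunnel running.
probe_via_tunnel() {
  curl --silent --show-error --socks5-hostname "127.0.0.1:${2:-5555}" \
       -o /dev/null -w '%{http_code}\n' "$1"
}

# Usage: sh tunnel.sh HOME_IP [SOCKS_PORT] [USER] [SSH_PORT]
if [ $# -ge 1 ]; then
  echo "Run this on the laptop and leave it open:"
  tunnel_cmd "$@"; echo
fi
```

Running `sh tunnel.sh 123.123.123.123` prints the ssh line to start the tunnel (the file name is my choice). Once it is up, `probe_via_tunnel https://example.com` should print a 200 while a capture on the hotspot side shows only SSH traffic to your home IP and no DNS query for the site.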
*This is one shortcoming of Strassburg's how-to.
** Not entirely true, I do of course use encryption on my own wireless network.
*** My explanation of client bridge mode isn’t entirely accurate, but for my purposes, it essentially works the way I have described above, see: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=68