How to Tunnel Traffic Through Another Machine Over SSH

encryptionPROXYsshtunneling

I want to be able to route a portion of my traffic through another machine over SSH. For example, is it possible to browse the web through the ssh tunnel and also browse the web through your LAN connection without much effort? (i.e. I want a seamless transition from using tunnel to using LAN)

Thus it is not a simple how do I tunnel ALL web traffic through ssh tunnel, but moreso how can I setup a tunnel that I can use at my discretion but not impeded my normal traffic flow. (Kind of on an as-needed basis)

I would like the filtered traffic to be encrypted when leaving the LAN and it could be ftp, ssh, web, mail whatever traffic.

Some questions I think I need to answer/address:

Does this require multiple nics?
Does this require setting up a proxy?
Can I even do this the way I want it to function?

Are there other options aside from a tunnel to achieve the result of having some traffic (user decides) encrypted through another machine (outside the LAN) and have other traffic use the normal flow through the LAN and out into the internet world?

Edit: If some of the answers depend on specific traffic types I can be more specific and say that web traffic is a primary focus of this. However, other traffic such as IM/Email traffic would be desirable.

Best Answer

I don't know if that's what you're looking for, but you can use ssh -D4545 domain.com to open a socks proxy tunnel at port 4545 to the desired machine from your computer.

You can then set up that proxy in your application (say Firefox) and use a plugin to quickly engage and disengage the proxy settings (something like TorButton).

There is one drawback though: when your target host has more than one network device, you cannot control which one will your data take to leave the machine you're tunneling to.

This can be circumvented by installing a normal proxy server on that machine, routing the traffic from, say, localhost:3128 to the desired network interface, and then doing a ssh -L4545:localhost:3128 and pointing all applications to 4545 that ought to use the proxy.

This gives you greater control on the proxy side, as the integrated proxy of SSH is not really configurable.

Related Solutions

Redirect traffic through vpn on an as needed basis

There is no practical way to select different routes on an application-by-application or process-by-process basis. (Linux had one for a time: iptables --cmd-owner, but that disappeared in kernel 2.6.14). See Linux : restricting outgoing on an application basis.

You can select different routes on a user-by-user basis with iptables --uid-owner, or select different routes for different virtual machines. So given your requirements, you can use iptables, as long as you run the proxy as a dedicated user.

ip rule add fwmark 1 table 1
ip route add 0.0.0.0/0 table 1 dev tun0
iptables -t mangle -A OUTPUT -m owner --uid-owner proxy -j MARK --set-mark 1

See Dual network connection for explanations.

SSH Over Socks Proxy – How to Connect Without Username or Password

It sounds to me like you need a socks client, or a ssh client that understand socks. -D is for ssh to be a socks server/proxy.

You could use ssh under tsocks, or another SOCKS wrapper. Or use ssh's ProxyCommand in conjunction with socat or nc -X:

ssh -o ProxyCommand='socat - socks:B:%h:21,socksport=1080' C

To have a HTTP proxy that uses the SOCKS server to send HTTP requests, you can run a small proxy (like tinyproxy) under tsocks.

Note that not all applications play nicely with tsocks or any similar wrapper that relies on LD_PRELOAD, but tinyproxy does.

Also note that you may have issues with domain name resolution (depending on whether you want the names to be resolved on either side of the tunnel). tsocks doesn't work well for resolving names remotely. The only way it can work is when your nameserver (in /etc/resolv.conf) is reachable from the other end and you're using TCP for domain resolution (which tsocks can attempt to enforce but generally fails in my experience). socksify from dante's SOCKS client/server works better in that instance as it also wraps resolving functions and can also use a nice little trick to fake name resolution so that SOCKS by-name connections can be used.

Best Answer

Related Solutions

Redirect traffic through vpn on an as needed basis

SSH Over Socks Proxy – How to Connect Without Username or Password

Related Question