How to easily forward Firefox (PC & Android) traffic through an SSH tunnel

Say you are travelling, or are at a neighbourhood coffee shop, using whatever unsecured WiFi network they make available. You could either:

  1. trust that no one is sniffing your web traffic, capturing passwords, e-mails, IMs, etc.
  2. trust that no one is using more sophisticated methods to trick you into thinking that you are secure (i.e. man in the middle attack)
  3. route your Internet traffic through a secure tunnel to your home PC before going out onto the web, protecting you from everyone at your current location

which would you choose?

VPNs and SSH tunnels are actually a relatively easy means for you to be more secure while browsing the Internet from potentially dangerous locations.

Making use of an SSH tunnel on your PC

There are many, many different ways for you to do this but I find using a Linux PC that is running on your home network to be the easiest.

Step 1: Install SSH Server

Configure your home Linux PC. Install ssh (and sshd if it is separate). If you are using Ubuntu this is as easy as running the following command: sudo apt-get install ssh

Step 2: Make it easy to connect

Sign up for a free dynamic DNS service like DynDNS or No-IP so that you know of a web address that always points to your home Internet connection. To do this follow the instructions at the service you choose.

Step 3: Connect to tunnel

On your laptop (that you have taken with you to the hotel or coffee shop) connect to your home PC’s ssh server. If you are on Windows you will need to get a program like PuTTY. See their documentation on how to forward ports. On Linux you can simply use the ssh command. The goal is to forward a dynamic port to the remote ssh server. For instance if you are using a Linux laptop and ssh then the command would look something like: ssh -D [dynamic port] [user]@[home server] -p [external port number – if not 22]. An example of one would be ssh -D 4096 user@example.com -p 4000

Step 4: Configure browser to use SSH tunnel proxy

In your browser open the networking options window. This will allow you to tell the browser to forward all of its traffic to a proxy, which in this case, will be our dynamic port that we set up in step 3. Here is an example of my configuration for the example above.
If you don’t feel awesome enough doing the above graphically you can also browse to “about:config” (without quotes) and set the following values:

  • network.proxy.proxy_over_tls
    • true
  • network.proxy.socks
    • Change to “127.0.0.1” with no quotes
  • network.proxy.socks_port
    • Change to the SSH Tunnel Local Port set above (4096)
  • network.proxy.socks_remote_dns
    • Change to true
    • Note: you cannot actually set this setting graphically but it is highly recommended to configure this as well!
  • network.proxy.socks_version
    • Change to 5
  • network.proxy.type
      Change to 1

Step 5: Test and use

Browse normally – you are now browsing the Internet by routing all of your traffic (in Firefox) securely through your home PC. Note that this doesn’t actually make web browsing any more secure beyond protecting you from people in your immediate vicinity (i.e. connected to the same insecure WiFi network).


What about Android?

Just like the PC you can also do it on Android even without root access. Please note that while I’m sure there are a few ways to accomplish this, the following is just one way that has worked for me. I’m also assuming that you already have an SSH server to tunnel your traffic through.

Step 1: Install SSH Tunnel

The first thing you’ll want to do is install an application that will actually create the SSH tunnel for you. One such application is the aptly named SSH Tunnel which can be found on the Google Play Store here.

Step 2: Configure SSH Tunnel

Next you’ll want to launch the application and configure it.

  • Set the Host address (either a real domain name, dynamic DNS redirector or IP address of your SSH server) and port to connect on.
  • You’ll also want to configure the User and Password / Passphrase.
  • Check the box that says Use socks proxy.
  • Configure the Local Port that you’ll connect to your tunnel on (perhaps 1984 for the paranoid?)
  • I would recommend checking Auto Reconnect as well, especially if you are on a really poor WiFi connection like at a hotel or something.
  • Finally check Enable DNS Proxy.

Step 3: Connect SSH Tunnel

To start the SSH tunnel simply check the box that says Tunnel Switch.

Step 4: Install Firefox

While you may have a preference for Google Chrome, Firefox is the browser I’m going to recommend setting up the tunnel with. Additionally this way if you do normally use Chrome you can simply leave Firefox configured to always use the SSH tunnel and only switch to it when you want the additional privacy. Firefox can be found on the Google Play store here.

Step 5: Configure Firefox to use SSH Tunnel

In order to make Firefox connect via the SSH tunnel you’ll need to modify some settings. Once you are finished the browser will only work if the SSH tunnel is connected.

  • In the Firefox address bar browse to “about:config” with no quotes.
  • In the page that loads search and modify the following values:
    • network.proxy.proxy_over_tls
      • true
    • network.proxy.socks
      • Change to “127.0.0.1” with no quotes
    • network.proxy.socks_port
      • Change to the SSH Tunnel Local Port set above (1984?)
    • network.proxy.socks_remote_dns
      • Change to true
    • network.proxy.socks_version
      • Change to 5
    • network.proxy.type
        Change to 1

Step 6: Test and browse normally

Now that you have configured the above you should be able to browse via the tunnel. How can you check if it is working? Simply turn off the SSH Tunnel and try browsing – you should get an error message. Or if you are on a different WiFi you could try using a service to find your IP address and make sure it is different from where you are. For example if you configured Firefox to work via the SSH tunnel but left Chrome as is then visiting a site like http://www.whatismyip.com/ should show different information in each browser.

This post is a complication of two posts which originally appeared on my personal website here.



Be the first to comment

Leave a Reply

Your email address will not be published.


*