Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-08 Thread Dan
On Sat, 6 Jan 2007 00:07:00 +
Mick [EMAIL PROTECTED] wrote:

 I just checked and it seems that the OEM firmware on the netgear
 drops all ssh attempts to connect.  :(

I'm sure your router's firmware isn't allowing ssh connections.  The
router itself does not offer ssh access to anyone.  What you would
probably want to do is to enable port forwarding on your router to a
linux system behind the router.  


I do not want to run a PC behind the router.  Instead, I am looking for
an enhanced hardware router type of solution.  Would you perhaps know
of either a COTS product, or a Linux embedded approach to fulfil this
requirement?

I am not sure what you mean by this, but I do hope you'll consider
using a normal commodity PC as your router.  Security is fabulous, CPU
usage for routing and such will hover at about 0%, it requires very
little memory (say, under 15 megs, and that's from experience -- the
actual number was 13 megs fyi) and gives you a handy place for dns,
email, dhcp, nis, ftp, http, and so on if you care to set up any
network services for yourself.  In a pinch (low on hardware) you could
easily set up your workstation to route for the network at,
effectively, no extra charge.  That way you can open the ports you want
at least.  I don't know how to embed it, it's totally done, but the
actual facility of this is unclear to me.  

I would like to be able to tunnel through ssh to my home router
(netgear DG834) from random public wifi access points, for the purpose
of connecting through my own ISP to the internet for internet browsing
and email.

Are you sure you want the internet traffic to go through the wifi
provider's ISP, through the worldwide web (tracepath gives routes that
you may find surprising for traffic in the neighborhood will often go
across the nation for me), back through your home ISP, and into your
home network, then back again through your home ISP and back into the
world to the computer whose website you are attempting to browse? That's
a pretty convoluted trip.  

For email, you could always set up a bona fide IMAP server... if you had
a linuxbox routing for you ; ).  The gray hair count on that project
wasn't too bad for me, and I love having my email in the closet down
the hallway instead of on my flaky WebMail providers' servers. 

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-08 Thread Boyd Stephen Smith Jr.
On Monday 08 January 2007 09:53, Dan [EMAIL PROTECTED] wrote about 'Re: 
[gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy':
 I am not sure what you mean by this, but I do hope you'll consider
 using a normal commodity PC as your router.

He's already got a home router.  Some Netgear model (see below).

If the only thing your network is accessing is the Internet, then a PC can 
work as a router effectively.  However, if you want to take advantage of 
gigabit speeds (or more than a dozen 100mbit ports) you'll definitely want 
a dedicated solution -- the PCI bus just can't keep up.  Maybe there's a 
solution in PCIe or PCI-X, since they do increase bandwidth, but I've yet 
to see a standard PC configured to handle that much bandwidth.

 are you sure you want the internet traffic to go through the wifi
 provider's ISP, through the worldwide web (tracepath gives routes that
 you may find surprising for traffic in the neighborhood will often go
 across the nation for me), back through your home ISP, and into your
 home network, then back again through your home ISP and back into the
 world to the computer whose website you are attempting to browse? That's
 a pretty convoluted trip.

Well, by making that trip he does prevent attempts to sniff his data by the 
wifi provider (or when using non-secure wifi, anyone within range of his 
transmission).  It sounds like he's setting up an ssh tunnel from a trusted 
system (his laptop) to another trusted system (his router) so his 
(plaintext) data can't be intercepted.  (It could be intercepted as 
ciphertext but there's no good attacks against an ssh tunnel.)

Note that SSL/TLS traffic doesn't gain any security by going through the 
tunnel and unencrypted traffic can still be sniffed on its way between 
the trusted router and the server.

-- 
If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability.
-- Gentoo Developer Ciaran McCreesh




Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-08 Thread Dan
On Mon, 8 Jan 2007 11:29:52 -0600
Boyd Stephen Smith Jr. [EMAIL PROTECTED] wrote:

 if you want to take advantage of 
 gigabit speeds (or more than a dozen 100mbit ports) you'll definitely
 want a dedicated solution -- the PCI bus just can't keep up.  Maybe
 there's a solution in PCIe or PCI-X, since they do increase
 bandwidth, but I've yet to see a standard PC configured to handle
 that much bandwidth.

If you have the router between LAN segments at gigabit speeds, and need
to route more than 132MB/S worth of data transfer, sure, the PCI bus
isn't fast enough.  Why you'd need a router anywhere between
computers that need to swap this much information is beyond me, but your
point is, I guess, sound.  Good luck finding a PC with 10 PCI slots so
that you can achieve gigabit speeds on 100-TX hardware ;)



Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-08 Thread Boyd Stephen Smith Jr.
On Monday 08 January 2007 11:43, Dan [EMAIL PROTECTED] wrote about 'Re: 
[gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy':
 Boyd Stephen Smith Jr. [EMAIL PROTECTED] wrote:
  if you want to take advantage of
  gigabit speeds (or more than a dozen 100mbit ports) you'll definitely
  want a dedicated solution -- the PCI bus just can't keep up.  Maybe
  there's a solution in PCIe or PCI-X, since they do increase
  bandwidth, but I've yet to see a standard PC configured to handle
  that much bandwidth.

 If you have the router between LAN segments at gigabit speeds, and need
 to route more than 132MB/S worth of data transfer

Like, moving my rather large collection of video from one computer to 
another? Or, simply watching HD video from your NAS on 2-3 frontends at 
the same time?  Actually, just about anything involving a NAS and any real 
workload.

 good luck finding a PC with 10 pci slots so
 that you can achieve gigabit speeds on 100-tx hardware ;)

You needn't have 10 pci slots.  Many companies sell 4-port 10/100 ethernet 
cards (I have one that is a number of years old in the next room).  I'm 
fairly sure higher numbers of ports are available, although they are rare.  
4-port 10/100/1000 ethernet cards (PCIe or PCI-X, IIRC) are also 
available.





Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-06 Thread Mick
On Saturday 06 January 2007 04:32, Boyd Stephen Smith Jr. wrote:
 On Friday 05 January 2007 15:44, Etaoin Shrdlu [EMAIL PROTECTED] wrote
 about 'Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy':
  On Friday 5 January 2007 21:25, Mick wrote:
   OK.  I don't think I need to run a full VPN.  I just want to securely
   connect to my router at home while I am out & about using public wifi
   hot spots and thereby to be able to connect to the internet using my
   ISP for browsing & email.  The only ports I should need to forward via
   ssh to the router/server are those serving http/https for browsing and
   110/995/143/25/587 for email.
 
  If I understand correctly then, you need ssh (and a public IP address)
  running on the router.

 [snip: and then forward a ton of ports]

 Or you could forward X over the ssh tunnel, and run your web browser on
 your router. :)

Thanks, I also thought of running FreeNX on the router, if only the router 
were capable of running apps.  It seems that openwrt is not (yet?) covering 
the netgear DG834.  The wireless version DG834G is shown as WIP on the 
openwrt website.  I'll keep an eye on it, or one day upgrade my router.

 Finally, if your email program and browser are SOCKS aware, you could
 simply set them up to use your ssh connection as a SOCKS proxy.  There's
 specific support for this in OpenSSH, so that you don't have to open ports
 individually, it can be done dynamically on-demand.

Cool!  I'll check it out. 

  Never used it myself, but take a look at the openwrt project.
  From what I understand, it seems that it lets you put linux into the
  firmware of many popular routers, and manage it using a web interface.

 While there has been some work done on a web interface, it's not a priority
 for the core OpenWRT team.  For me, managing my router from a command
 prompt worked better anyway.

How do you set firewall rules using openwrt?  Through a script?
-- 
Regards,
Mick




Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-06 Thread Etaoin Shrdlu
On Saturday 6 January 2007 05:32, Boyd Stephen Smith Jr. wrote:

 Finally, if your email program and browser are SOCKS aware, you could
 simply set them up to use your ssh connection as a SOCKS proxy. 
 There's specific support for this in OpenSSH, so that you don't have
 to open ports individually, it can be done dynamically on-demand.

Thanks. As I said in another reply, I'll have to look more deeply into 
SOCKS.



Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-06 Thread Boyd Stephen Smith Jr.
On Saturday 06 January 2007 04:06, Mick [EMAIL PROTECTED] wrote 
about 'Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy':
 On Saturday 06 January 2007 04:32, Boyd Stephen Smith Jr. wrote:
  On Friday 05 January 2007 15:44, Etaoin Shrdlu
  [EMAIL PROTECTED]
 
  wrote about 'Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy':
   On Friday 5 January 2007 21:25, Mick wrote:
    I just want to
    securely connect to my router at home while I am out & about using
    public wifi hot spots and thereby to be able to connect to the
    internet using my ISP for browsing & email.  The only ports I
    should need to forward via ssh to the router/server are those
    serving http/https for browsing and 110/995/143/25/587 for email.
   If I understand correctly then, you need ssh (and a public IP
   address) running on the router.
  Or you could forward X over the ssh tunnel, and run your web browser
  on your router. :)
 Thanks, I also thought of running FreeNX on the router, if only the
 router were capable of running apps.  It seems that openwrt is not
 (yet?) covering the netgear DG834.  The wireless version DG834G is shown
 as WIP on the openwrt website.  I'll keep an eye on it, or one day
 upgrade my router.

There may be another project out there that works with your router -- I 
know there was one specifically targeting D-Links for a while... search 
around.  You might also see if anyone has tested OpenWRT on your firmware, 
WIP might mean that it just takes some massaging (which could mean 
anything from a few minor config file changes, to a custom build of 
Kamikaze), but is still available as an option.

  While there has been some work done on a web interface, it's not a
  priority for the core OpenWRT team.  For me, managing my router from a
  command prompt worked better anyway.

 How do you set firewall rules using openwrt?  Through a script?

Well, you can use the WIP web interface, or you can get a shell and edit 
the firewall rules.  It's standard linux, so you can use iptables directly 
for simple one-off changes that last until you reboot.  IIRC, there is 
also an /etc/init.d/20firewall script that reads iptables rules out 
of /etc/firewall or somesuch.  (Haven't messed with the OpenWRT since I 
moved in May.)  I believe shorewall is also available as an ipkg from the 
WRT developers.



Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread Uwe Thiem
On 05 January 2007 14:22, Mick wrote:
 Hi All,

 Apologies for the off-topic post but I thought to ask here because there
 have been a couple of threads in the past where embedded Linux OS' for
 hardware routers were discussed and that may offer a solution to my
 problem.

 I would like to be able to tunnel through ssh to my home router (netgear
 DG834) from random public wifi access points, for the purpose of connecting
 through my own ISP to the internet for internet browsing and email.

What do you mean by tunnelling? Do you want an IP layer tunnelled through ssh? 
Bad idea! It means TCP over TCP which is bound to fail when the outer and 
inner TCP timeouts get out of sync.

Uwe

-- 
A fast and easy generator of fractals for KDE:
http://www.SysEx.com.na/iwy-1.0.tar.bz2
Proof of concept of a TSP solver for KDE:
http://www.SysEx.com.na/epat-0.1.tar.bz2



Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread Arturo 'Buanzo' Busleiman

Uwe Thiem wrote:
 What do you mean by tunnelling? Do you want an IP layer tunnelled through 
 ssh? 
 Bad idea! It means TCP over TCP which is bound to fail when the outer and 
 inner TCP timeouts get out of sync.

More about that here:

Why TCP over TCP is a Bad Idea
http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

-- 
Arturo Buanzo Busleiman - Independent Information Security Consultant
Don't know where to go to eat or have a drink? Visit www.vivamoslavida.com.ar
WEDDING REGISTRY: Any Fravega store, under the name Busleiman (37520).



Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread Mick
On Friday 05 January 2007 14:17, Arturo 'Buanzo' Busleiman wrote:
 Uwe Thiem wrote:
  What do you mean by tunnelling? Do you want an IP layer tunnelled through
  ssh? Bad idea! It means TCP over TCP which is bound to fail when the outer
  and inner TCP timeouts get out of sync.

 More about that here:

 Why TCP over TCP is a Bad Idea
 http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

Hmm, that explains why running VCN through ssh gets a bit ropy at times?  So, 
is port forwarding for browsing and emails through ssh a bad idea then?

-- 
Regards,
Mick




Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread Etaoin Shrdlu
On Friday 5 January 2007 16:53, Mick wrote:

  More about that here:
 
  Why TCP over TCP is a Bad Idea
  http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

 Hmm, that explains why running VCN through ssh gets a bit ropy at
 times? 

Do you mean VNC?

 So, is port forwarding for browsing and emails through ssh a 
 bad idea then?

No, because with ssh port forwarding you just forward the data coming   
from/going to the application (eg, mailreader) without stacking 
additional protocols (as in, for example, ppp or ip over ssh), for which 
you need some way of forwarding IP-or-lower-level data between 
interfaces (for example, using tun/tap).
Some programs (like openvpn) overcome the issue by using tcp-over-udp by 
default.
And, anyway, tcp over tcp is a bad idea, but that does not necessarily 
mean that it won't work. It will most likely fail when the transport 
link is slow or error prone.



Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread Mick
On Friday 05 January 2007 17:00, Etaoin Shrdlu wrote:
 On Friday 5 January 2007 16:53, Mick wrote:
   More about that here:
  
   Why TCP over TCP is a Bad Idea
   http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
 
  Hmm, that explains why running VCN through ssh gets a bit ropy at
  times?

 Do you mean VNC?

Yes, if only I could type properly!  ;-)

  So, is port forwarding for browsing and emails through ssh a
  bad idea then?

 No, because with ssh port forwarding you just forward the data coming
 from/going to the application (eg, mailreader) without stacking
 additional protocols (as in, for example, ppp or ip over ssh), for which
 you need some way of forwarding IP-or-lower-level data between
 interfaces (for example, using tun/tap).
 Some programs (like openvpn) overcome the issue by using tcp-over-udp by
 default.

OK.  I don't think I need to run a full VPN.  I just want to securely connect 
to my router at home while I am out & about using public wifi hot spots and 
thereby to be able to connect to the internet using my ISP for browsing & 
email.  The only ports I should need to forward via ssh to the router/server 
are those serving http/https for browsing and 110/995/143/25/587 for email.

If the above assumptions are correct then what sort of a hardware router would 
I need?  (Either a straight off the shelf product, or one with modified 
firmware).

Friends and colleagues often ask me how to achieve this, but all I 
can think is running a PC on the LAN as a server for this purpose - isn't this 
effectively a SOCKS5 server or am I getting mixed up here?

No idea how to achieve the same functionality using the embedded OS of a 
hardware router.

Thank you for your help.
-- 
Regards,
Mick




Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread Etaoin Shrdlu
On Friday 5 January 2007 21:25, Mick wrote:

 OK.  I don't think I need to run a full VPN.  I just want to securely
 connect to my router at home while I am out  about using public wifi
 hot spots and thereby to be able to connect to the internet using my
 ISP for browsing  email.  The only ports I should need to forward via
 ssh to the router/server are those serving http/https for browsing and
 110/995/143/25/587 for email.

If I understand correctly then, you need ssh (and a public IP address) 
running on the router.
For reading and sending email the setup is straightforward: just forward 
each of the ports you mentioned above to the appropriate server (via the 
router), set up your email program accordingly, and you're done. This 
way, your email data will go from your computer (wherever you are) to 
your router via the ssh tunnel, and from there (using your ISP 
connectivity) to the desired servers.

For browsing the internet, the setup is just a little bit more complex. 
At least, you need a http proxy running on the router (like squid), then 
do port forwarding for ports 80, 443, etc. and set up your browser 
accordingly to use the proxy. This way, your http requests are sent to 
the proxy via the ssh tunnel, and from there go to their intended 
destinations using your ISP connectivity.

 If the above assumptions are correct then what sort of a hardware
 router would I need?  (Either a straight off the shelf product, or one
 with modified firmware).
[cut]
 No idea how to achieve the same functionality using the embedded OS of
 a hardware router.

Never used it myself, but take a look at the openwrt project.
From what I understand, it seems that it lets you put linux into the 
firmware of many popular routers, and manage it using a web interface.
Since it's linux, you obviously get all its benefits, including ssh. 
Anyway, I just read the openwrt docs very quickly, so it's entirely 
possible that I'm misunderstanding things here, and hopefully someone 
more experienced than me will give you more reliable info.




Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread kashani

Etaoin Shrdlu wrote:

For browsing the internet, the setup is just a little bit more complex. 
At least, you need a http proxy running on the router (like squid), then 
do port forwarding for ports 80, 443, etc. and set up your browser 
accordingly to use the proxy. This way, your http requests are sent to 
the proxy via the ssh tunnel, and from there go to their intended 
destinations using your ISP connectivity.


Actually it is very simple to socks proxy your ssh connection and use 
that without any additional software.


ssh -D 1080 [EMAIL PROTECTED]

Then pop into your browser config and set the socks proxy to be 
127.0.0.1:1080 and you're done.


kashani
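What the browser actually says to the listener that `ssh -D 1080` opens on 127.0.0.1:1080 is a SOCKS5 exchange (RFC 1928; OpenSSH's -D speaks SOCKS4 and SOCKS5). The following is an added example, not code from the thread or from OpenSSH: it builds the two client messages and parses the server reply, and flags the one detail worth checking in a browser's SOCKS settings, namely whether the name is sent through the tunnel (ATYP 0x03, resolved at the home end) or the browser resolves it first over the hotspot's DNS. The host names, addresses and reply bytes in the demo are constructed.

```python
"""SOCKS5 CONNECT exchange (RFC 1928) as a browser performs it against the
listener that `ssh -D 1080` opens on 127.0.0.1:1080.
Added example, not code from the thread or from OpenSSH; the host names,
addresses and reply bytes used in the demo are constructed."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00          # the ssh -D listener only offers "no auth"
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported",
              8: "address type not supported"}


def method_selection() -> bytes:
    """First client message: VER, NMETHODS, METHODS (we offer 'no auth')."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    """Second client message: VER CMD RSV ATYP DST.ADDR DST.PORT.

    Passing a host *name* (ATYP 0x03) sends the name through the tunnel, so
    the ssh end resolves it via the home ISP.  Passing a literal IP means the
    client already did the DNS lookup itself, over the hotspot's resolver."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                      # not an IP literal: a domain name
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> dict:
    """Server reply: VER REP RSV ATYP BND.ADDR BND.PORT -> dict.

    Raises ValueError on anything malformed; a non-zero REP is reported in
    the returned dict rather than raised, so callers can log the reason."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        alen = 4
    elif atyp == ATYP_IPV6:
        alen = 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated reply")
        alen = 1 + data[4]                  # length octet plus the name
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    end = 4 + alen
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    raw = data[4:end]
    bound = raw[1:].decode("idna") if atyp == ATYP_DOMAIN \
        else str(ipaddress.ip_address(raw))
    (bound_port,) = struct.unpack("!H", data[end:end + 2])
    return {"ok": rep == 0, "status": REPLY_TEXT.get(rep, "unknown"),
            "bound_addr": bound, "bound_port": bound_port}


def uses_remote_dns(request: bytes) -> bool:
    """True when a CONNECT request carries a name, not a resolved address."""
    return len(request) > 3 and request[3] == ATYP_DOMAIN


if __name__ == "__main__":
    # Constructed demo: what the browser would send for https://example.com
    req = connect_request("example.com", 443)
    print(method_selection().hex(), req.hex(), uses_remote_dns(req))
    # Constructed success reply with an all-zero bound address
    print(parse_reply(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
```

`uses_remote_dns` is the check that matters for the "browse via my own ISP" goal: if the browser is configured to resolve names locally, the hotspot still sees every site name in DNS even though the HTTP traffic itself travels inside the tunnel.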



Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread Mick
On Friday 05 January 2007 22:00, kashani wrote:
 Etaoin Shrdlu wrote:
  For browsing the internet, the setup is just a little bit more complex.
  At least, you need a http proxy running on the router (like squid), then
  do port forwarding for ports 80, 443, etc. and set up your browser
  accordingly to use the proxy. This way, your http requests are sent to
  the proxy via the ssh tunnel, and from there go to their intended
  destinations using your ISP connectivity.

 Actually it is very simple to socks proxy your ssh connection and use
 that without any additional software.

 ssh -D 1080 [EMAIL PROTECTED]

 Then pop into your browser config and set the socks proxy to be
 127.0.0.1:1080 and you're done.

I just checked and it seems that the OEM firmware on the netgear drops all ssh 
attempts to connect.  :(

$ ssh 192.168.0.1  
ssh: connect to host 192.168.0.1 port 22: Connection refused

Same story when I use my internet IP address (it times out).  It seems that I 
will have to try openwrt.

Thank you all for your suggestions.

PS.  I noticed that the -D option can be specified as: ssh -D 
[bind_address:]port.  Which bind_address should be used in the above example?  
I am not sure I understand how this is meant to be used.
-- 
Regards,
Mick




Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread kashani

Mick wrote:
I just checked and it seems that the OEM firmware on the netgear drops all ssh 
attempts to connect.  :(


$ ssh 192.168.0.1  
ssh: connect to host 192.168.0.1 port 22: Connection refused


Same story when I use my internet IP address (it times out).  It seems that I 
will have to try openwrt.


Thank you all for your suggestions.

PS.  I noticed that the -D option can be specified as: ssh -D 
[bind_address:]port.  Which bind_address should be used in the above example?  
I am not sure I understand how this is meant to be used.


My method works for any normal sshd server you can connect to that 
allows forwarding. OpenWRT should work for you as the socks proxy is 
created on the initiating user side, your local ssh client, that's why 
you set your browser to 127.0.0.1:port and then it forwards packets 
internal to the ssh tunnel without invoking anything on the server side. 
If you don't set an IP with -D then it uses localhost which is what 
you'd want in this case.


kashani
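The bind_address question above has a security side: with no address (or "localhost") the SOCKS listener is reachable only from the laptop itself, while an empty address or "*" binds it on every interface, so anyone else on the public hotspot could route through the home connection. The following added example, not code from the thread or from OpenSSH, parses the listener part of -D and -L specs the way ssh(1) documents them (assuming the client's default GatewayPorts=no) and audits an ssh command line for listeners that would be exposed. The host names in the demo are constructed.

```python
"""Parse the listener part of OpenSSH -D / -L specs and report which hosts
will be able to reach the listener.  Added example, not code from the thread
or from OpenSSH; it mirrors the rules documented in ssh(1): no bind_address or
'localhost' -> loopback only; empty address or '*' -> all interfaces.  Assumes
the client's default GatewayPorts=no.  The host names below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Listener:
    bind_address: Optional[str]         # None when the spec gave no address
    port: int
    target: Optional[Tuple[str, int]]   # (host, hostport) for -L, None for -D

    @property
    def exposure(self) -> str:
        """'loopback': only this machine; 'all': anything that can reach the
        machine, e.g. every other client on the hotspot; 'interface': one
        specific local address; 'unknown': a name we would have to resolve."""
        b = self.bind_address
        if b is None or b == "localhost":
            return "loopback"
        if b in ("", "*"):
            return "all"
        try:
            ip = ipaddress.ip_address(b)
        except ValueError:
            return "unknown"
        if ip.is_loopback:
            return "loopback"
        return "all" if ip.is_unspecified else "interface"


def _split_spec(spec: str) -> List[str]:
    """Split on ':' while keeping a [bracketed IPv6 literal] as one field."""
    parts, cur, in_bracket = [], "", False
    for ch in spec:
        if ch == "[" and not in_bracket:
            in_bracket = True
        elif ch == "]" and in_bracket:
            in_bracket = False
        elif ch == ":" and not in_bracket:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if in_bracket:
        raise ValueError("unbalanced '[' in %r" % spec)
    parts.append(cur)
    return parts


def _port(text: str) -> int:
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError("bad port %r" % text)
    return int(text)


def parse_dynamic(spec: str) -> Listener:
    """-D [bind_address:]port"""
    parts = _split_spec(spec)
    if len(parts) == 1:
        return Listener(None, _port(parts[0]), None)
    if len(parts) == 2:
        return Listener(parts[0], _port(parts[1]), None)
    raise ValueError("bad -D spec %r" % spec)


def parse_local(spec: str) -> Listener:
    """-L [bind_address:]port:host:hostport"""
    parts = _split_spec(spec)
    if len(parts) == 3:
        return Listener(None, _port(parts[0]), (parts[1], _port(parts[2])))
    if len(parts) == 4:
        return Listener(parts[0], _port(parts[1]), (parts[2], _port(parts[3])))
    raise ValueError("bad -L spec %r" % spec)


def audit(argv: List[str]) -> List[Tuple[str, str, str]]:
    """Walk an ssh argv and return (flag, spec, exposure) per forwarding
    listener.  Accepts '-D spec', '-Dspec', '-L spec' and '-Lspec'."""
    findings, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-D", "-L") and i + 1 < len(argv):
            flag, spec, i = arg, argv[i + 1], i + 2
        elif arg[:2] in ("-D", "-L") and len(arg) > 2:
            flag, spec, i = arg[:2], arg[2:], i + 1
        else:
            i += 1
            continue
        listener = parse_dynamic(spec) if flag == "-D" else parse_local(spec)
        findings.append((flag, spec, listener.exposure))
    return findings


if __name__ == "__main__":
    # Constructed command lines: the thread's `ssh -D 1080 user@router` and a
    # variant that would turn the laptop into an open proxy for the hotspot.
    for cmd in (["ssh", "-D", "1080", "user@router.example"],
                ["ssh", "-D", "*:1080", "-L1995:mail.example.org:995",
                 "user@router.example"]):
        print(" ".join(cmd), "->", audit(cmd))
```

The same parser covers the per-port -L forwards suggested earlier in the thread for the mail ports, so one audit pass checks both styles before the command is run from an untrusted network.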



Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy

2007-01-05 Thread Boyd Stephen Smith Jr.
On Friday 05 January 2007 15:44, Etaoin Shrdlu [EMAIL PROTECTED] 
wrote about 'Re: [gentoo-user] [OT] Router for ssh tunnel/SOCKS proxy':
 On Friday 5 January 2007 21:25, Mick wrote:
  OK.  I don't think I need to run a full VPN.  I just want to securely
  connect to my router at home while I am out & about using public wifi
  hot spots and thereby to be able to connect to the internet using my
  ISP for browsing & email.  The only ports I should need to forward via
  ssh to the router/server are those serving http/https for browsing and
  110/995/143/25/587 for email.

 If I understand correctly then, you need ssh (and a public IP address)
 running on the router.
[snip: and then forward a ton of ports]

Or you could forward X over the ssh tunnel, and run your web browser on 
your router. :)

Finally, if your email program and browser are SOCKS aware, you could 
simply set them up to use your ssh connection as a SOCKS proxy.  There's 
specific support for this in OpenSSH, so that you don't have to open ports 
individually, it can be done dynamically on-demand.

 Never used it myself, but take a look at the openwrt project.
 From what I understand, it seems that it lets you put linux into the
 firmware of many popular routers, and manage it using a web interface.

While there has been some work done on a web interface, it's not a priority 
for the core OpenWRT team.  For me, managing my router from a command 
prompt worked better anyway.
