SSH tunneling with Tomato
Eric Butler released Firesheep yesterday and the Internet forums have already started debating the ethics of it. I’m not sure what kind of impact it’ll have on other people, but it convinced me to take action and secure my computers.
There are a few ways to secure your computers, but after reviewing the HN thread, it looks like the quickest and cheapest (free) way is to set up an SSH tunnel and route all wireless traffic through it.
These instructions assume you’re moderately tech savvy (find a nerdy friend), and that your home router runs Tomato.
Set up the SSH daemon
The first thing you’ll need to do is turn on Tomato’s built-in SSH daemon.
- Open up a web browser and navigate to http://192.168.1.1
- Type in your router’s username and password
- Click on the “Administration” link in the lefthand menu
- Check “Enable at Startup” and “Remote Access” (so that you can create an SSH tunnel to your router even when you’re out and about)
- Enter “2222” for the remote port. (Pick another port number if you like.)
- Uncheck “Allow Password Login.” (We’ll enter authorized keys in the next section.)
Set up each computer
Next, you’ll need to create SSH keys for each of the computers you plan on using.
- Open up Terminal and type ssh-keygen -d to create a new key
- Accept all the defaults
- Type in a passphrase of your choosing
- Using a text editor, open up the newly created “id_dsa.pub” file. (Found under ~/.ssh/id_dsa.pub by default.)
- Copy and paste the contents of the file into the “Authorized keys” section in Tomato. (Add multiple keys by pasting them one after the other in the “Authorized keys” section.)
- Create a new text file and paste in the following (-f sends ssh to the background once it has connected, -N tells it not to run a remote command, and -D 8887 opens a local SOCKS proxy on port 8887 that forwards everything through the router):
ssh -fND 8887 -p 2222 root@[router's external IP address]
- Save the file as “setup_tunnel.sh”
- Make the file executable by running chmod +x setup_tunnel.sh in Terminal
Now whenever you want to create an SSH tunnel to your router, just open up Terminal and run
Route traffic through the tunnel
Once you’ve got a secure tunnel running on your computer, you’ll need to route traffic through it. Everything sent through the SOCKS proxy travels encrypted between your computer and your router, so someone sniffing the wireless network sees only an SSH connection rather than your session cookies; from the router onward it leaves via your home connection exactly as before.
On Mac OS X:
- System Preferences → Network
- Select “AirPort” in the lefthand list
- Click on the “Advanced” button
- Click on the “Proxies” tab
- Check “SOCKS Proxy” and enter “localhost” for the host and “8887” for the port
On Ubuntu (GNOME):
- System → Preferences → Network Proxy
- Check “Manual proxy configuration”
- Under “Socks host” type “localhost” and “8887” for the port
- Click “Apply System-Wide…”
By default, Firefox doesn’t route DNS through the proxy, so do the following to fix that.
- Open up Firefox and type “about:config” in the address bar
- Click “I’ll be careful, I promise”
- Type “network.proxy.socks_remote_dns” in the filter.
- Toggle the value to “true” by double clicking on it
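Putting the last two sections together, here is an added example (not from the original post) of a setup_tunnel.sh that starts the tunnel, checks that the local SOCKS port is actually listening before you rely on it, and writes the Firefox proxy and remote-DNS settings into a profile’s user.js. It assumes the router’s external address is supplied in ROUTER, that nc is installed for the port probe, and that FIREFOX_PROFILE (optional) points at your Firefox profile directory.

```shell
#!/bin/sh
# Added example, not from the original post: start the tunnel from the post, wait
# until the local SOCKS port really answers, and write Firefox's proxy prefs.
# Assumptions: ROUTER holds the router's external address; nc exists for the probe.
ROUTER="${ROUTER:-}"                 # e.g. ROUTER=203.0.113.7 ./setup_tunnel.sh up
SSH_PORT="${SSH_PORT:-2222}"         # Tomato's remote SSH port from the post
SOCKS_PORT="${SOCKS_PORT:-8887}"     # local SOCKS port from the post

# The exact ssh invocation from the post, built from the variables above.
tunnel_cmd() {
    printf 'ssh -fND %s -p %s root@%s' "$SOCKS_PORT" "$SSH_PORT" "$ROUTER"
}

# Succeeds only if something is accepting connections on the local SOCKS port.
socks_listening() {
    nc -z 127.0.0.1 "$SOCKS_PORT" >/dev/null 2>&1
}

# Equivalent of the manual proxy and about:config steps: Firefox reads user.js
# from its profile directory at startup. Appends, so existing prefs are kept.
write_firefox_prefs() {
    mkdir -p "$1" || return 1
    cat >>"$1/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "localhost");
user_pref("network.proxy.socks_port", $SOCKS_PORT);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Succeeds only if the profile's user.js sends DNS lookups through the proxy.
firefox_remote_dns_enabled() {
    grep -q '^user_pref("network.proxy.socks_remote_dns", true);' "$1/user.js" 2>/dev/null
}

main() {
    [ -n "$ROUTER" ] || { echo "set ROUTER to your router's external IP address" >&2; exit 1; }
    if ! socks_listening; then
        eval "$(tunnel_cmd)" || exit 1
        # ssh -f returns before the listener is guaranteed up, so poll briefly.
        i=0
        until socks_listening || [ "$i" -ge 10 ]; do sleep 1; i=$((i + 1)); done
        socks_listening || { echo "SOCKS port never opened; do not trust the proxy" >&2; exit 1; }
    fi
    if [ -n "${FIREFOX_PROFILE:-}" ]; then write_firefox_prefs "$FIREFOX_PROFILE"; fi
}

# Only act when run as "./setup_tunnel.sh up"; otherwise just define the functions.
if [ "${1:-}" = "up" ]; then main; fi
```

Run it as ROUTER=your.router.address ./setup_tunnel.sh up; without the up argument it only defines the functions, so it can be sourced or tested safely.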
And that’s it, a free way to secure your computers’ Wi-Fi connections! Just remember that only applications that honour the SOCKS proxy setting are protected; anything that ignores it still goes over the wireless network in the clear.