SSH tunneling with Tomato

Eric Butler released Firesheep yesterday and the Internet forums have already started debating the ethics of it. I’m not sure what kind of impact it’ll have on other people, but it convinced me to take action and secure my computers.

There are a few ways to secure your computers, but after reviewing the HN thread, it looks like the quickest and cheapest (free) way is to set up an SSH tunnel and route all wireless traffic through it.

These instructions assume you’re moderately tech savvy (find a nerdy friend), and that your home router runs Tomato.

Set up the SSH daemon

The first thing you’ll need to do is turn on Tomato’s built-in SSH daemon.

  1. Open up a web browser and navigate to http://192.168.1.1
  2. Type in your router’s username and password
  3. Click on the “Administration” link in the lefthand menu
  4. Check “Enable at Startup” and “Remote Access” (so that you can create an SSH tunnel to your router even when you’re out and about)
  5. Enter “2222” for the remote port. (Pick another port number if you like.)
  6. Uncheck “Allow Password Login.” (We’ll add authorized keys in the next section.)

Set up each computer

Next, you’ll need to create SSH keys for each of the computers you plan on using.

  1. Open up Terminal and type ssh-keygen -d to create a new key
  2. Accept all the defaults
  3. Type in a passphrase of your choosing
  4. Using a text editor, open up the newly created “id_dsa.pub” file. (Found under ~/.ssh/id_dsa.pub by default.)
  5. Copy and paste the contents of the file into the “Authorized keys” section in Tomato. (Add multiple keys by pasting them one after the other in the “Authorized keys” section.)

Connecting securely

  1. Create a new text file and paste in the following:

    #!/bin/sh
    # -f: go to the background once connected, -N: run no remote command,
    # -D 8887: open a local SOCKS proxy on port 8887, -p 2222: the remote
    # port chosen in Tomato. Replace the bracketed part with your router's address.
    ssh -fND 8887 -p 2222 root@[router's external IP address]

  2. Save the file as “setup_tunnel.sh”
  3. Make the file executable by running chmod +x setup_tunnel.sh in Terminal

Now whenever you want to create an SSH tunnel to your router, just open up Terminal and run ./setup_tunnel.sh.

Route traffic through the tunnel

Once you’ve got a secure tunnel running on your computer, you’ll need to route traffic through it.

OS X

  1. System Preferences → Network
  2. Select “AirPort” in the lefthand list
  3. Click on the “Advanced” button
  4. Click on the “Proxies” tab
  5. Check “SOCKS Proxy” and enter “localhost” for the host and “8887” for the port

Ubuntu

  1. System → Preferences → Network Proxy
  2. Check “Manual proxy configuration”
  3. Under “Socks host” type “localhost” and “8887” for the port
  4. Click “Apply System-Wide…”

Secure Firefox

By default, Firefox doesn’t route DNS through the proxy, so do the following to fix that.

  1. Open up Firefox and type “about:config” in the address bar
  2. Click “I’ll be careful, I promise”
  3. Type “network.proxy.socks_remote_dns” in the filter.
  4. Toggle the value to “true” by double clicking on it
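As an added illustration (not code from the original post), here is what that setting changes on the wire: a SOCKS5 client such as Firefox can either hand the proxy the hostname itself (address type 0x03, resolved at the router end of the tunnel) or resolve the name locally and send the IPv4 address (address type 0x01), in which case the DNS lookup leaves the laptop unencrypted. The hostname, port and 192.0.2.10 address below are constructed sample values.

```python
import socket
import struct

# Constructed example of SOCKS5 CONNECT requests (RFC 1928), as sent by a
# browser to the local "ssh -D" proxy. Not from the original post.
SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN = 1, 3


def build_connect(dest, port, remote_dns=True):
    """Return the SOCKS5 CONNECT request for dest:port.

    remote_dns=True  -> dest is a hostname, resolved by the proxy (tunnel) end.
    remote_dns=False -> dest is an IPv4 literal the client already looked up
                        itself (the lookup leaked over the local network).
    """
    if remote_dns:
        name = dest.encode("ascii")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(dest)
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_connect(data):
    """Decode a CONNECT request; return (atyp, dest, port)."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = data[4]
        dest, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    elif atyp == ATYP_IPV4:
        dest, rest = socket.inet_ntoa(data[4:8]), data[8:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated request")
    return atyp, dest, struct.unpack("!H", rest)[0]


def leaks_dns(request):
    """True when the client resolved the name itself, i.e. DNS went in the clear."""
    return parse_connect(request)[0] == ATYP_IPV4
```

A request built with remote_dns=True carries the bare name through the tunnel, so nothing on the coffee-shop network sees which site was looked up.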

And that’s it, a free way to secure your computers’ Wi-Fi connections!

Comments

  1. anne-on-a-moose on November 16, 2010

    Thanks! I’ve been trying to get openvpn to work for months with tomato and my linux laptop. This was much easier and worked for my needs.

    Thank you!


  2. interwebz on November 16, 2010

    Thx! :-D

    I use it to remotely turn on my Desktop PC with an Openvpn Access Server with Wake On LAN.

    It works great!


  3. Rahim Sonawalla on November 16, 2010

    Thanks guys, glad it was useful!


  4. pizzaholic on November 25, 2010

    I’m having difficulty with this tutorial. Here’s what I did:

    1) Enabled at start-up and remote access in Tomato for the SSH daemon on port 22 and also on a remote port of my choosing.

    2) Unchecked “Allow password login”

    3) ssh-keygen -d

    4) Pasted the public key on my laptop into my Tomato router.

    5) Created a file on my desktop and called it whatever. File contents are as follows:

    #!/bin/sh

    ssh -fND 8887 -p 2222 root@[router’s external IP address]

    6) In the file contents, I replaced the port 2222 with my own port that I chose in step 1, and placed my router’s external public IP address inside the square brackets.

    7) Opened a terminal and ran chmod +x setup_tunnel.sh

    8) Set up system-wide proxy settings in SYSTEM>PREFERENCES>NETWORK PROXY exactly as you have shown.

    9) When I run the program from terminal it tells me it “could not resolve hostname [my router’s external IP address]: Name or service not known.”

    Have I missed something?

    -Alex


  5. pizzaholic on November 25, 2010

    If I am understanding the scope of this tutorial, I can use my laptop to request a website from the Internet by tunneling the request through the router using SSH and onto another computer, which would in my case be a desktop PC so that essentially it is this desktop PC that is making the page request? Is it my Desktop PC that will be acting as the transparent proxy?


  6. Rahim Sonawalla on November 26, 2010

    Alex, you might want to first try doing this inside your home network to make sure everything is working. Just repeat the steps above, but within your home network and with your router’s internal IP instead (typically 192.something). If that works you’ll want to make sure your router’s external IP isn’t changing. Tomato supports services like DynDNS so that it’ll always point to the correct IP. I can write up a short tutorial about this if you want.

    To clarify, when you’re away from home, your Internet traffic will be routed through the SSH tunnel to your router. Your router will then make the request for you and send the response back through the SSH tunnel to you. (No need to have another computer running, just the router.)


  7. pizzaholic on November 27, 2010

    I ran this command in terminal and I get this response:

    inkzoid@ZOIDDG-PC:~$ ssh 192.168.1.1
    Permission denied (publickey).
    inkzoid@ZOIDDG-PC:~$

    Not trying to do anything specific by doing that command; just wanted to see what happens. I copied and pasted my public key into the router, hit ‘save’ and then rebooted the router. My public key is in ~/inkzoid/.ssh/tomato.pub

    Anyways after changing the SOCKS proxy to 8887 and doing the about:config change, Firefox still works so I’m assuming that I have done everything (except for the public key integration) correctly?

    Also, when I ran the file ./setup_tunnel.sh my terminal window opens and closes really quickly… it’s a flash in the blink of an eye and it’s gone. Is that normal? How can I tell that this worked?


  8. Rahim Sonawalla on November 28, 2010

    By default, ssh uses ~/.ssh/id_dsa (or ~/.ssh/id_rsa). You’ll need to do ssh -i and specify the path to your tomato key. (Type “man ssh” at the command prompt for more information.)

    The easiest way to test if everything is working is to visit a site like http://www.whatismyip.com when you’re away from home and see if the IP reported is that of your router. If it is, then your tunnel should be set up and working properly.


  9. Thenameisbam on December 13, 2010

    I was wondering if you could go into a little more detail.
    -fND 8887: what did this part of the command do?

    Also, once I’m connected to my Tomato router, if I want to then connect to a computer on the network, what is the command to see which computers are there and then connect to one of them? Would I need to set up another connection outside the first?


  10. Rahim Sonawalla on December 18, 2010

    Bam, basically they’re extra instructions that tell SSH to:

    1) run in the background (-f & -n)
    2) listen on port 8887 (-D). So when a connection comes in on that port, it’ll forward the data–through the secure tunnel–to the router.

    I’m not too sure which command would show you the list of connected computers. You might be able to find the answer in the Tomato docs: http://en.wikibooks.org/wiki/Tomato_Firmware


  11. Paisa on November 2, 2011

    I have followed your instructions and I got an error when I tried to connect externally.

    channel_setup_fwd_listener: cannot listen to port: 8887
    Could not request local forwarding.

    Why can’t it listen to port 8887? Also, is my computer listening or is it the router that is doing this?


  12. Rahim Sonawalla on November 3, 2011

    Hi Paisa,

    Looks like that port is already in use on your computer. You can either try using another port, or you can try to find out what application is using port 8887 (use lsof on Mac or netstat on Linux).

    It’ll be your computer that listens for the connections and then tunnels the data securely to your router over SSH.


  13. Den on April 2, 2013

    I don’t know. This setup looks highly insecure. Using the admin account to create a reverse tunnel is like putting your keys under the mat in front of your house door.

    In order to do this relatively safely, you would need to create a new user on Tomato (see http://tomatousb.org/tut:adding-your-own-users) and restrict the user’s access in such a way that only reverse tunnels are possible. At the very least, this user shouldn’t have direct access to the router (i.e. no interactive/read/write access).

    You can also add various access restrictions at the end of the authorized key (“man sshd” for more information on that) and e.g. make it only possible for certain IPs to initiate the connection.


  14. Den on April 2, 2013

    Ok… this wasn’t about a reverse tunnel… just normal IP forwarding. I was obviously switching browser tabs too quickly. :DD
    Anyway, the point is still valid (even more so, as you’re trying to access your LAN from open networks).
    Lose your phone/laptop etc. with your private key on it and the thief can gain access to your router and any online computer in your LAN. Or even worse, someone steals the private keys without you noticing anything.
    Prevent any access to the router and your LAN, and this should be fine. Otherwise, you’ll be fair game for the average hacker sitting in public networks who doesn’t need Firesheep for his hobby.


  15. Rahim Sonawalla on April 5, 2013

    Den, you bring up a good point about restricting access to the router itself. I’d add (as mentioned in the blog post) that your private key should have a password/passphrase so that even if your laptop were stolen, the thief wouldn’t be able to access your home network since they wouldn’t know the passphrase. This is generally good practice for any private key you create.