Aug 01 2010

autossh – or how to use tor through a central ssh proxy

Since I first set up a remote tor node on a VPS about this time last year, I have played about with various configurations (and used different providers) but I have now settled on using two high bandwidth servers on different networks. One (at daily.co.uk) allows 750 Gig of traffic per month, the other (a new player on the block called ThrustVPS) allows 1000 Gig of traffic. These limits are remarkably generous given the low prices I pay (the 1000 Gig server cost me £59.42, inc VAT, for a year. OK, that was a special offer, but they are still good value at full price) and they allow me to provide two reasonably fast exit servers to the tor network. Both suppliers know that I am running tor nodes and are relaxed about that. Some suppliers are less so.

I fund fast exit nodes as a way of paying something back to the community – but as I have pointed out before, they also allow me to have a permanent entry point to the tor network which I can tunnel to over ssh, thus protecting my own tor usage from snoopers. For some time I used a configuration based on tyranix’s notes documented on the tor project wiki. But eventually I found that to be rather limiting because it meant that I had to remember to run an ssh listener on each machine I used around the house (my laptop, netbook, two desktops, my wife’s machine etc) and to configure the browser settings as necessary. Then I hit upon the notion of centralising the ssh listener on one machine (I used the plug) in a sort of ssh proxy configuration. This meant that I only had to configure the local browsers to use the central ssh listener as a proxy and everything else could be left untouched. It also has the distinct advantage that my wife no longer has to worry about anything more complex than switching browser when she wants to use tor.

But I hit a snag when initially setting up ssh on the plug. For some reason (which I have never successfully bottomed out) the ssh process dies after an hour of inactivity. This is not helpful. Enter autossh. Using autossh means that the listener is restarted automagically whenever it dies so I can be confident that my proxy will always be there when I need it.

Here’s the command used on the plug to fire up the proxy:

autossh -M 0 -N -C -g -l user -f -L 192.168.57.200:8000:127.0.0.1:8118 tornode

That says:

-M 0 – turn off monitoring so that autossh will only restart ssh when it dies.
-N – do not execute a command at the remote end (i.e. we are simply tunneling)
-C – compress traffic
-g – allow remote hosts to connect to this listener (I limit this to the local network through iptables on the plug)
-l user – login as this user at the remote end
-f – background the process
-L 192.168.57.200:8000 – listen on port 8000 on the given IP address (rather than the more usual localhost address)
127.0.0.1:8118 tornode – and forward the traffic to localhost port 8118 on the remote machine called tornode

Of course “tornode” must be running ssh on a port reachable by the proxy. Again, I use iptables on tornode to limit ssh connections to my fixed IP address – don’t want random bad guys knocking on the door.
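As an added example (not part of the original post), the command above wrapped in a small POSIX shell script for the plug: it builds the exact autossh command line from variables so it can be reviewed before it runs, refuses to start a second copy if the port is already bound, and can test the tunnel end to end by fetching the torcheck page through the proxy. The addresses, port, user name and the host alias tornode are the values from the post; the script name, function names and the use of curl are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script. Wraps the autossh proxy from the post.
# Assumptions: autossh, ssh and curl are installed on the plug; "tornode" is an
# ssh host alias (or resolvable name) for the remote node.

LISTEN_ADDR="${LISTEN_ADDR:-192.168.57.200}"   # local address the proxy listens on
LISTEN_PORT="${LISTEN_PORT:-8000}"             # local port the browsers point at
REMOTE_USER="${REMOTE_USER:-user}"             # login name on tornode
REMOTE_HOST="${REMOTE_HOST:-tornode}"          # the tor node running polipo
REMOTE_PROXY="${REMOTE_PROXY:-127.0.0.1:8118}" # polipo listener on tornode

# Print the autossh command line (same flags as in the post) without running it,
# so it can be inspected, logged or tested.
autossh_cmd() {
    printf 'autossh -M 0 -N -C -g -l %s -f -L %s:%s:%s %s\n' \
        "$REMOTE_USER" "$LISTEN_ADDR" "$LISTEN_PORT" "$REMOTE_PROXY" "$REMOTE_HOST"
}

# Exit status 0 if something is already bound to LISTEN_ADDR:LISTEN_PORT.
# Prefers ss and falls back to netstat on older systems.
proxy_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "[[:space:]]${LISTEN_ADDR}:${LISTEN_PORT}[[:space:]]"
    else
        netstat -ltn 2>/dev/null | grep -q "[[:space:]]${LISTEN_ADDR}:${LISTEN_PORT}[[:space:]]"
    fi
}

# Start the tunnel unless a listener is already up (avoids two autossh copies
# fighting over the same port after a reboot script runs twice).
start_proxy() {
    if proxy_listening; then
        echo "proxy already listening on ${LISTEN_ADDR}:${LISTEN_PORT}" >&2
        return 0
    fi
    sh -c "$(autossh_cmd)"
}

# End-to-end check: fetch the torcheck page through the proxy. Exit status 0
# only if the page came back and says the request arrived via tor.
proxy_check() {
    curl -s --max-time 30 -x "http://${LISTEN_ADDR}:${LISTEN_PORT}" \
        https://check.torproject.org/ | grep -q 'Congratulations'
}

# Only act when invoked with a verb; sourcing the file just defines the functions.
case "${1:-}" in
    start)  start_proxy ;;
    status) if proxy_listening; then echo up; else echo down; fi ;;
    check)  if proxy_check; then echo "tor: ok"; else echo "tor: not reached" >&2; exit 1; fi ;;
    show)   autossh_cmd ;;
esac
```

Run it as `./torproxy.sh start` from the plug's boot scripts and `./torproxy.sh check` whenever the tunnel is in doubt; the `status` verb only tells you the port is bound, which after an ssh death may still be true briefly, so the curl-based check is the one to trust.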

Now on tornode I have polipo listening on port 8118 on localhost. I used to use privoxy for this, but I have found polipo to be much faster, and speed matters when you are using tor. My polipo configuration forwards its traffic to the tor socks listener on localhost 9050. I also disabled the local polipo cache (diskCacheRoot = "") because leaving it enabled means that the cache directory (by default /var/cache/polipo) will contain a copy of your browsed destinations in an easily identifiable form – not smart if you really want your browsing to be anonymous (besides, my wife deserves as much privacy as do I).
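As an added example (again not from the original post), here is the polipo configuration the paragraph describes for tornode, wrapped in a small shell script that prints it, installs it, and checks that the disk cache really is off. The listener address and port, the tor socks address and diskCacheRoot = "" are from the post; the config path and the allowedClients restriction are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's own configuration file.
# Assumption: /etc/polipo/config is a placeholder for wherever the polipo
# package on tornode reads its configuration from.

POLIPO_CONF="${POLIPO_CONF:-/etc/polipo/config}"

# Print the configuration. Every key is a standard polipo variable.
polipo_config() {
    cat <<'EOF'
# Listen only on loopback: the ssh forward from the plug arrives at
# 127.0.0.1:8118, so nothing else needs to reach polipo directly.
proxyAddress = "127.0.0.1"
proxyPort = 8118
allowedClients = 127.0.0.1

# Hand every request to the tor socks listener on the same host.
socksParentProxy = "127.0.0.1:9050"
socksProxyType = socks5

# No disk cache: a populated /var/cache/polipo is a readable record of every
# site visited through this node.
diskCacheRoot = ""
EOF
}

# Exit status 0 only if the printed configuration disables the disk cache.
cache_disabled() {
    polipo_config | grep -q '^diskCacheRoot = ""$'
}

# Write the configuration to POLIPO_CONF (restart polipo afterwards).
install_config() {
    polipo_config > "$POLIPO_CONF" && echo "wrote $POLIPO_CONF"
}

case "${1:-}" in
    show)    polipo_config ;;
    install) install_config ;;
    verify)  if cache_disabled; then echo "cache off"; else echo "cache still enabled" >&2; exit 1; fi ;;
esac
```

After `./polipo-tor.sh install` and a polipo restart, `ls /var/cache/polipo` should stay empty however much is browsed through the tunnel; if it does not, the running daemon is reading a different config file than the one written.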

The final bit of configuration needed is simple. Set your chosen browser to use the proxy on port 8000 on address 192.168.57.200. Since I use firefox for most of my browsing, I simply use opera for tor and I have that browser stripped to its basics and locked down as much as possible. Using tor is then simply a matter of firing up opera in place of firefox. This means that I always know when I am using tor or not (and just to reassure myself, the opera homepage is the torcheck page).

You can’t be too careful.

Permanent link to this article: http://baldric.net/2010/08/01/autossh-or-how-to-use-tor-through-a-central-ssh-proxy/

4 comments


    • David on 2010/08/02 at 9:26 am

    Do you have “TCPKeepAlive yes” set in the SSHD configuration file?

    • Mick on 2010/08/02 at 12:19 pm
      Author

    David

    Yes. (This is the default). And I have also played around with “ServerAliveInterval” and “ServerAliveCountMax” to no avail.

    But I’m pretty sure “TCPKeepAlive” doesn’t do what the name implies it should. Rather it seems to mean that ssh will notice if either the route or the remote server goes down. This from the manual –

    “TCPKeepAlive – Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying.”

    Autossh solves my problem, but somehow it doesn’t feel very elegant.

    • Rob on 2010/08/06 at 4:02 am

    ServerAliveInterval works for me.

    • Mick on 2010/08/06 at 10:57 pm
      Author

    Rob

    What interval do you use? I’ll have another look at this, but I tried the 60 seconds suggested in the man page and still found that my tunnel timed out.

    Mick
