User Level VPN with Leopard

One of the small but incredibly useful features for me in Leopard is that ssh-agent is automatically running for each user account. This relatively small change lets me log into remote machines without entering my password each time.

Using the SOCKS proxy built into ssh, we’re also able to set up a quick and easy secure tunnel. I wanted to check some sensitive information this morning, but I’m at a coffee shop that doesn’t pass VPN traffic, so I quickly hacked together the following:

Set up a new Location in the Network System Preference pane that configures a SOCKS proxy at 127.0.0.1, port 4088. This routes most Apple applications through the encrypted tunnel.

[Screenshot: Network Preferences, SOCKS ssh proxy]

Next, I configured ssh to set up the SOCKS proxy automatically whenever I type “ssh ford”, an alias for my workstation back at the office.

# ~/.ssh/config
host ford
  User mccune
  HostName ford.math.ohio-state.edu
  # Disable TCP keepalives so a sleep/wake cycle does not tear the session down
  TCPKeepAlive no
  Port 22
  # DynamicForward starts a local SOCKS proxy on this port.
  DynamicForward 4088
  ForwardX11 no

With this configuration, I load my SSH public key into the ssh-agent that runs by default on Leopard, type “ssh ford” to set up the encrypted SOCKS proxy, then change location to “SSH Socks Proxy” so that Mail.app, iChat, Safari and Camino automatically use the secure proxy.

An easy way to verify the proxy is working is to add an IP Address gadget to your personal Google home page:

[Screenshot: Google IP Address gadget]

Finally, the Network Location module for Quicksilver makes it easy to switch the encrypted proxy location on and off.

[Screenshot: Quicksilver SSH Network Location]
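The whole workflow above (start the tunnel, switch the location, check that traffic really leaves through the proxy) can be scripted. The following is an added example, not code from the original post. It reads the DynamicForward port for the host alias out of ~/.ssh/config, so it stays in sync with the “ssh ford” setup; everything else is an assumption: ssh, curl, nc and networksetup on the PATH, a fallback location named “Automatic”, and an address-echo URL supplied by the caller (the post uses a Google gadget for the same check).

```shell
#!/bin/sh
# Added example (not the post's own code): script the post's SOCKS "VPN" workflow.
# Assumptions not taken from the post: ssh, curl, nc and networksetup exist; the
# normal network location is called "Automatic"; the caller supplies a URL that
# echoes the client's public address.

CONFIG="${SSH_CONFIG_FILE:-$HOME/.ssh/config}"   # overridable for testing

# Print the DynamicForward port of an ssh host alias (nothing if it has none).
# Accepts both "DynamicForward 4088" and "DynamicForward 127.0.0.1:4088".
socks_port_for_host() {
  awk -v want="$1" '
    tolower($1) == "host" {
      inblock = 0
      for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
      next
    }
    inblock && tolower($1) == "dynamicforward" { sub(/^.*:/, "", $2); print $2; exit }
  ' "$CONFIG"
}

# True when something is already listening on the loopback port.
port_is_listening() { nc -z 127.0.0.1 "$1" >/dev/null 2>&1; }

# Bring the tunnel up for host alias $1, reusing a running one if present.
tunnel_up() {
  host="${1:-ford}"
  port=$(socks_port_for_host "$host")
  if [ -z "$port" ]; then
    echo "no DynamicForward for host '$host' in $CONFIG" >&2
    return 1
  fi
  if port_is_listening "$port"; then
    echo "SOCKS proxy already listening on 127.0.0.1:$port"
    return 0
  fi
  # -N: run no remote command; -f: background once the agent has authenticated us.
  ssh -f -N "$host" || return 1
  for i in 1 2 3 4 5; do            # give ssh a moment to open the local listener
    port_is_listening "$port" && break
    sleep 1
  done
  port_is_listening "$port"
}

# Compare the public address seen directly with the one seen through the proxy.
# --socks5-hostname hands the hostname to the proxy, so DNS is resolved at the
# far end of the tunnel rather than by the coffee shop's resolver.
verify_tunnel() {
  port="$1"; url="$2"
  direct=$(curl -s --max-time 10 "$url")
  via=$(curl -s --max-time 10 --socks5-hostname "127.0.0.1:$port" "$url")
  echo "direct: ${direct:-?}   via tunnel: ${via:-?}"
  [ -n "$via" ] && [ "$via" != "$direct" ]
}

# The post's "SSH Socks Proxy" location, and the assumed normal one.
use_proxy_location()  { networksetup -switchtolocation "SSH Socks Proxy"; }
use_normal_location() { networksetup -switchtolocation "Automatic"; }

# Usage: socksvpn.sh up [host] | down | verify <address-echo-url> [host]
case "${1:-}" in
  up)     tunnel_up "${2:-ford}" && use_proxy_location ;;
  down)   use_normal_location ;;
  verify) verify_tunnel "$(socks_port_for_host "${3:-ford}")" "$2" ;;
esac
```

The verify step is the part worth keeping even if you never script the rest: a location switch only covers applications that honour the system proxy settings, and, as the comments below note, iChat and Screen Sharing ignore them, so those connections still leave the coffee shop network in the clear.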



  1. Does this actually work with iChat on your system? It used to work with 10.4 but now fails with an error claiming that the proxy server rejected the connection; other apps (Adium, Safari, etc.) work as expected.

  2. Neat, thanks for pointing this out. I have been forwarding individual ports with ssh up until now :)

  3. I haven’t tried with iChat, honestly. I mostly use it to browse Safari TechBooks Online as if I were on the OSU Campus…

    That’s wise though, using it to secure your IM traffic on public wireless networks.

  4. Following up on my own question, iChat did not use SOCKS proxies - Apple has an open bug report (rdar://3548652).

    I also just opened a new one for Screen Sharing, which also ignores the proxy settings (rdar://5935324).

  5. Great writeup, thanks for putting this together! I’m at a hotel for business, which is scary for sensitive data transfer. Works like a charm! (And cool trick about the SSH config, I didn’t know about that, but I’ll be using it from now on).
