[TriLUG] sshd and tunnelling
cmp at cmpalmer.org
Wed Jan 27 23:03:08 EST 2010
On Wed, Jan 27, 2010 at 4:42 PM, Ralph Blach <chipperb at nc.rr.com> wrote:
> My son is deployed over seas, and has wifi access. Unfortuately,
> his DNS is unreliable.
> He as a windows laptop, and I have a linux server with sshd.
> How do I configure my ssh server, for tunnelling,
There's nothing special/non-default you need to do to the server to
enable tunneling, but there are some changes you should probably make.
More on that below.
> and how does he
> configure his laptop to tunnel through my machine so that he
> has reliable dns look.
A lot of of proxy systems don't tunnel DNS because of the performance
hit (and because it's not required by the spec), so pay special
attention to the client software that will be talking to the tunnel,
since it may still fail (DNS-wise) even if the tunnel is up and
working properly. The really easy way is to use FoxyProxy (a firefox
plugin) if all you're concerned with is web browsing.
Step one is to set up your SSH server with a static IP address,
because he's going to want to use the bare IP if you're having DNS
issues. Step two is to put your sshd on a non-standard port he knows
he can hit. In the past I've successfully used 443, but you might have
luck with some quasi-random high port like 4242. Note that you can
have your sshd listen on multiple ports, so you might as well open
several in case one gets blocked. Step three is to make sure he has an
SSH client and ideally SSH keys that work with your server. PuTTY has
worked for me in the past, but I have not used it in quite some time
and have recently heard complaints; ymmv. If you use another app that
doesn't give you a GUI menu to set up a tunnel, here's a string you
ssh -ND 3232 -p 443 USERNAME at XX.XX.XXX.XX
Where USERNAME is the username you've given him, and the XXs are your
ssh server's IP. That means that you'll point FoxyProxy at localhost
and port 3232. BE SURE to tick the little box that tells FoxyProxy to
route all DNS requests through the tunnel.
> Being able to browse the web with a reliable dns would be nice,
Again, long round trip times are going to mean a noticeable
performance hit, especially if he has a smallish pipe to begin with.
If that gets painful, the next thing to try is to set up a caching DNS
server (such as dnsmasq, but I don't know if there's a windows port
for that) local to his windows machine and have that talk over a VPN
back to your server. OpenVPN is more complicated than what I've given
you above, but not by terribly much. If you run into trouble, I'm sure
there are folks on the list who would be happy to help.
Cristóbal M. Palmer
cdla.unc.edu research assistant
More information about the TriLUG