If you spend a lot of time working on public networks or are worried about an unethical ISP injecting ads into your web pages, here's an easy way to keep your traffic intact and a bit more secure. OpenSSH has a handy DynamicProxy mode which allows it to provide a local SOCKS proxy: enable it and your traffic will be secure until it leaves your remote server. Besides thwarting a malicious network this is also a handy way to access intranet pages or things like scientific journals which restrict access to work/campus network addresses.
The only drawback to using this is that it requires you to keep an ssh session open all the time - this is where launchd and OS X 10.5's built-in SSH agent support come in handy. Once you've setup public-key authentication you won't be prompted each time it restarts, so there are only two steps for seamless remote working:
- Add this to your
~/.ssh/configfile to enable keepalives, ensuring that ssh will be restarted quickly when your system resumes from sleep:
TCPKeepAlive yes ServerAliveInterval 30
- Create a Launch Agent by storing this in
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>KeepAlive</key> <true/> <key>Label</key> <string>org.openssh.dynamic-proxy</string> <key>LimitLoadToSessionType</key> <string>Aqua</string> <key>OnDemand</key> <false/> <key>ProgramArguments</key> <array> <string>/usr/bin/ssh</string> <string>-D1080</string> <string>-Nn</string> <string>-n</string> <string>-C</string> <string>shell.example.org</string> </array> <key>RunAtLoad</key> <true/> </dict> </plist>
- Tell launchd to load the agent (it will keep it loaded in the future):
launchctl load -w -S Aqua ~/Library/LaunchAgents/org.openssh.dynamic-proxy.plist
- Open the advanced section of your network preferences and enable a SOCKS proxy using
- If you use Firefox, you'll need to configure it to use the SOCKS proxy as it doesn't use the system settings.
- Visit whatismyip.com to confirm that your traffic appears to originate from your remote server's address