Mac quickie: Tunnel your traffic using OpenSSH and launchd (aka the poor man's VPN)
If you spend a lot of time working on public networks, or are worried about an unethical ISP injecting ads into your web pages, here's an easy way to keep your traffic intact and a bit more secure. OpenSSH has a handy dynamic port forwarding mode (the -D option) which lets it provide a local SOCKS proxy: enable it and your traffic is protected by SSH until it leaves your remote server. Besides thwarting a malicious local network, this is also a handy way to access intranet pages or things like scientific journals which restrict access to work/campus network addresses.
The only drawback is that it requires you to keep an ssh session open all the time; this is where launchd and OS X 10.5's built-in SSH agent support come in handy. Once you've set up public-key authentication you won't be prompted for a passphrase each time ssh restarts, so there are only two steps for seamless remote working:
- Add this to your ~/.ssh/config file to enable keepalives. With these settings ssh notices a dead connection within about 90 seconds (ServerAliveCountMax defaults to 3) and exits, so launchd restarts it quickly when your system resumes from sleep:

      TCPKeepAlive yes
      ServerAliveInterval 30
- Create a Launch Agent by storing this in ~/Library/LaunchAgents/org.openssh.dynamic-proxy.plist (ssh binds the SOCKS listener on port 1080 to localhost only, so other machines on the network cannot use your tunnel):

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
          <key>KeepAlive</key>
          <true/>
          <key>Label</key>
          <string>org.openssh.dynamic-proxy</string>
          <key>LimitLoadToSessionType</key>
          <string>Aqua</string>
          <key>OnDemand</key>
          <false/>
          <key>ProgramArguments</key>
          <array>
              <string>/usr/bin/ssh</string>
              <string>-D1080</string>
              <string>-Nn</string>
              <string>-C</string>
              <string>shell.example.org</string>
          </array>
          <key>RunAtLoad</key>
          <true/>
      </dict>
      </plist>
- Tell launchd to load the agent (it will keep it loaded in the future):

      launchctl load -w -S Aqua ~/Library/LaunchAgents/org.openssh.dynamic-proxy.plist
- Open the Advanced section of your network preferences and enable a SOCKS proxy using 127.0.0.1, port 1080.
- If you use Firefox, you'll need to configure it to use the SOCKS proxy separately, as it doesn't use the system proxy settings.
- Visit whatismyip.com to confirm that your traffic appears to originate from your remote server's address.
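The proxy that ssh -D exposes speaks SOCKS5 (RFC 1928), and the whatismyip.com check above only proves that web traffic exits at your server: a client that resolves hostnames locally and hands the proxy an IP address still leaks every DNS query to the untrusted network (Firefox only resolves through the proxy when network.proxy.socks_remote_dns is enabled). This added Python script, not part of the original post, performs the SOCKS5 handshake against 127.0.0.1:1080 and issues a CONNECT by hostname (address type 0x03), so a successful reply confirms both that the tunnel is up and that name resolution happens at the remote end; the proxy address, port and the example.org target are assumptions.

```python
import socket
import struct

SOCKS_VER = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset", 4: "host unreachable", 5: "connection refused"}

def build_greeting():
    # Offer only the "no authentication" method, which is what ssh -D expects.
    return bytes([SOCKS_VER, 1, 0x00])

def build_connect_request(host, port):
    # Address type 0x03 carries the hostname verbatim: the proxy (the remote
    # sshd) resolves it, so no DNS query leaves the local machine.
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length out of range")
    return bytes([SOCKS_VER, 0x01, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def parse_connect_reply(data):
    # Returns (reply_code, bound_address, bound_port); raises on a malformed reply.
    if len(data) < 5 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    spans = {ATYP_IPV4: (4, 8), ATYP_IPV6: (4, 20), ATYP_DOMAIN: (5, 5 + data[4])}
    if atyp not in spans:
        raise ValueError("unknown address type 0x%02x" % atyp)
    start, end = spans[atyp]
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    raw = data[start:end]
    if atyp == ATYP_DOMAIN:
        addr = raw.decode("idna")
    else:
        addr = socket.inet_ntop(socket.AF_INET if atyp == ATYP_IPV4 else socket.AF_INET6, raw)
    return rep, addr, struct.unpack("!H", data[end:end + 2])[0]

def check_proxy(host="example.org", port=80, proxy=("127.0.0.1", 1080), timeout=10):
    # Live check against the launchd-managed tunnel (assumed proxy address); ssh's short reply arrives in one read.
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        if s.recv(2) != bytes([SOCKS_VER, 0x00]):
            raise RuntimeError("proxy rejected the no-authentication method")
        s.sendall(build_connect_request(host, port))
        return parse_connect_reply(s.recv(262))

if __name__ == "__main__":
    rep, addr, bport = check_proxy()
    print("CONNECT example.org: %s (bound to %s:%d)" % (REPLY_TEXT.get(rep, "unknown reply"), addr, bport))
```

A reply code other than 0 means the remote sshd could not reach the target; a connection refused on 127.0.0.1:1080 itself means launchd has not (re)started the tunnel.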