Automating SSH Proxy Connection

I wrote some time back about using the Raspberry Pi as a personal VPN tunnel and an SSH Weby Proxy. Using the VPN connection is easy; just enable the VPN from System Preferences > Network. Easier still, if you've checked the option for "Show VPN status in the menu bar", just click and connect. However, using the SSH proxy is a little more involved, requiring several steps to establish the SSH connection and reconfigure your network to tunnel traffic across it.

To streamline this process (for the wife), I created an Automator application that reduces the entire process to a few clicks and provides useful status information.

These steps are for OS X. I'm sure you can achieve the same results in Windows or Linux with different tools.

There are a couple of initial steps that need to be completed to make it possible to automate. These only need to be setup once (before using the application). After that it's click and go.

First we'll need to create a new network "Location" that uses the SSH tunnel as a proxy. Select System Preferences > Network.

  • At the top where it says Location: Automatic, click the drop-down and select Edit Locations...
  • Click the + to add a new location.
  • Give the new location a name. I used : Normal Connection over SSH via Raspberry Pi. You can use whatever you like, but you'll need it later for the Automator script.
  • Click [Done]
  • Make sure your Wi-Fi connection is selected and click [Advanced...]
  • Click the Proxies tab
  • Enable SOCKS Proxy
  • For the proxy server information use localhost as the servername and 8080 for the port.
  • For "Bypass proxy settings..." enter *.local, 169.254/16 (ensuring the proxy will not be used for internal LAN connections).

Next we'll need to edit the /etc/ssh_config file to add an SSH host. My entry looks like this:

Host webproxy
  HostName {my DynDNS hostname}
  User {my SSH username}
  DynamicForward 8080
  Compression yes

 

Again, the name can be whatever you want, but you'll need to use it again later in the Automator application.

Finally, we build the Automator application.

Start Apple Automator and create a new Application. Drag actions from the Library to the Workflow window. My application uses the following series of actions:

Ask for Confirmation > Run AppleScript > Pause > Run AppleScript > Run AppleScript.

The Ask for Confirmation steps confirms that the user wants to start the SSH proxy. Add some meaningful text to the action.

The first Run AppleScript action changes the network to use our new "Location". It's important that this match exactly with the name of the new Location you created earlier.

This will interrupt the Wi-Fi connection, so the next action is to Pause and wait for the connection to re-establish. I started with a 15 seconds pause but have found that 6 is consistently successful for me.

Our next Run AppleScript action opens a Terminal window and initiates the SSH connection via a script. This is where the name of the host from your ssh_config file that you edited above comes in.

The entire text of the AppleScript is here (sorry it's an image, I couldn't convince the blog software to not ruin the code formatting):


Our final Run AppleScript action gives the confirmation dialog and waits for the user to end the session. When the user clicks [OK], the network settings are reverted to use the default location (bypassing the proxy) and the SSH tunnel session is killed.

 

Save your application and give it a groovy icon.

The next time you're using public WiFi and can't use your VPN, double-click the automator application and go.

Happy (and secure) Surfing!

Domo arigato, Mr. Drobo

Many months ago I won a contest on Twitter (thanks to @Photojojo) and received a free Drobo.  I was super suspicious at first because I don't win things.  But, I finally realized it was legit when the Drobo arrived at my house.  I had grand plans of backups and data security for my new found friend.  Of course, I wasn't quite ready to implement those plans so he (do Drobos have gender?) sat there in the box for many... many months.

I felt guilty.  Mr. Drobo surely deserved a better life than what I was giving him.  Many friends suggested that their home was more Drobo friendly and would gladly take him off my hands for the same price I had paid.  Some even offered to purchase him for a reasonable price.  But, I knew I was just waiting for the right time to bring him into his rightful place in the family.

The right time finally came when I bought a Mac Mini to be used as our media center computer.  Now, with a machine that was always on (we're a 2-laptop family), the Drobo would have a suitable place to live.  And so it was that I ventured down to Micro Center and picked up a few 7200RPM 1.0TB drives to fill his empty stomach.  Mr. Drobo was happy.  Very happy.

Now, I've migrated our entire DVD collection onto the Drobo.  Took some time with MacTheRipper, but totally worth it to be able to access our entire library from within Plex.  He also hosts a backup of my primary iTunes and iPhoto libraries as well as a couple of user-specific folder shares for making stuff readily available on the network.

The connection is FW800 and I've never had any problem with the streaming.  Everything just works... flawlessly.  Most importantly, I've got piece of mind that in the event of a drive failure, there's data redundancy and I can simply replace a drive and carry on.  That is a HUGE win in our small network setup.  I still use a combination of Amazon S3 and Jungle Disk to make offsite backups of critical/irreplaceable things (photos mostly).  But Mr. Drobo happily sits below the television protecting all our data and serving all our media.

Domo arigato, Mr. Drobo.  Domo.

Be Safe Out There

A message for some of my less technical friends:  The news has been out for a few weeks, but I think a heads up is still in order.  If you don't know what FireSheep is, take a quick look online.  Basically, it allows someone to "hijack" your session when you use unsecured wi-fi (Starbucks, Panera, etc.).  The capability for this attack has been inherent in unsecured wi-fi, but this Firefox plug-in makes it dead simple for any knucklehead to double-click their way into your Facebook/Twitter/LiveMail & more.  An important note is that even if you login using HTTPS, the session cookie is often transferred back to you using HTTP meaning your session can still be hijacked.  Once the attacker takes over your session, they can do pretty much anything you could do that doesn't require your password (update status, change privacy settings, send messages, etc.).  The moral of the story: be careful out there and protect your data.

If you're using secured wifi, this attack won't work... even if the secured wifi uses a common password that is publicly available.

For more information here's a transcript of a Security Now episode discussing FireSheep: http://www.grc.com/sn/sn-272.htm