SSH as a Poor-Man's VPN
CIS has software that allows a remote user to connect to a server at the college so their machine can appear to be running from within the college's network. Using this “Virtual Private Network” (VPN) connection allows you to access services that are restricted to machines within the college's network or that authenticate your access based on your machine being on the college's network. Examples include using various databases at the Claremont Colleges' Libraries and MathSciNet, as well as allowing you to run software that queries a license server for a license.
On Mac OS X, the software has a bad reputation, so we generally shy away from installing it on department computers unless there's a clear need. And, as it happens, most of the things that the VPN software supports can be done without installing additional software.
SSH as a SOCKS Proxy Server
The secure shell, SSH, can perform “port forwarding”, allowing a TCP or UDP network port on your machine to be connected to a port on another machine. So you can forward a local port to one on a remote server, and your local application will act as though it was connected to the remote server.
Even better, SSH supports “dynamic port forwarding”, where you don't have to specify the ports to be forwarded and your computer figures out what to do on its own. In this mode, SSH acts as a SOCKS server.
Setting up SOCKS on Mac OS X
Mac OS X supports multiple network configurations it calls “Locations”. Each location can have a different set of active network devices, as well as different IP addresses or methods of obtaining an IP address. In general, the default location, “Automatic”, handles everything dynamically—it uses the Airport wireless network or a hardwired Ethernet network, obtains addresses via DHCP or by self-assignment, and switches to the fastest working network, all on its own.
But by creating locations, you can take more control over the networking behavior of the machine. These options are especially useful if you're traveling and need to use information provided to you by your hosts and don't want to disrupt your default settings.
Configuring a Network Location
For our “poor-man's VPN”, we'll set up a new network location that uses Mac OS X's SOCKS proxy support. When we need to use the SOCKS proxy, we'll switch to this location; when we don't, we can switch back to Automatic or some other appropriate location configuration.
Start by opening the System Preferences application (in your
Applications folder or by choosing Apple menu->System
Preferences...). There you'll see an icon labeled Network;
double-click it to open the Network preference pane.
Add a New Location
Choose Edit Locations... from the drop-down
Locations menu at the top of the dialog.
Select the Automatic location, then click on the gear menu and choose
Duplicate Location to create “Automatic Copy”.
Click on the “Automatic Copy”
location to rename it to “Automatic, Through Proxy” or something
else meaningful.
Open the Advanced Configuration Options
Next, click the
Advanced... button to get to the detailed network configuration.
Configure the SOCKS Proxy
Choose the Proxies tab. In the drop-down menu next
to Configure Proxies, choose “Manually”, which will open new panes
in the dialog. Click the check box next to SOCKS Proxy in the
leftmost pane, then, in the text-entry field below the SOCKS Proxy
Server label on the right, enter localhost in the first
box, and 1080 in the smaller box following the colon.
These settings tell the machine to use port 1080 on your machine as
the SOCKS proxy port.
Click the OK button to return to the Network dialog.
Apply Changes
Click the Apply button to save your changes
and make your new location the active location.
Test the Connection
Now you can open a Terminal window
and SSH into a math machine (or another machine on another network
where you have an account). Be sure to include the -D 1080
arguments in your command; these arguments tell SSH to run
as a SOCKS proxy on port 1080 of your machine.
Change Locations
While you can change locations by opening
the Network preference pane, Apple provides a convenient shortcut in
the Location menu in the Apple menu. When you're not using the proxy
server, you'll want to change locations back to Automatic or another
location.
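The SSH command from the “Test the Connection” step, together with a check that the SOCKS port is reachable only from your own machine. This is an added example, not part of the original page; the -N and ExitOnForwardFailure options, the function names, and the user@remote.example.edu placeholder are assumptions.

```shell
#!/bin/sh
# Added example: tunnel command plus a check that the SOCKS port is local-only.
SOCKS_PORT=1080                      # port used throughout this page

# Print the ssh command for the tunnel. $1 is your account on the remote
# machine (user@host; supply your own).
#   -D localhost:PORT  dynamic (SOCKS) forward, bound for local use only
#   -N                 assumption: no remote shell is needed, tunnel only
#   ExitOnForwardFailure=yes  fail instead of connecting without the proxy
tunnel_cmd() {
    printf 'ssh -N -D localhost:%s -o ExitOnForwardFailure=yes %s\n' \
        "$SOCKS_PORT" "$1"
}

# Classify listeners on a port from `lsof -nP -iTCP:PORT -sTCP:LISTEN`
# output read on stdin. Prints one of:
#   loopback  only 127.0.0.1 / [::1] are listening
#   exposed   a wildcard (*) or non-loopback address is listening, so other
#             hosts on your network could route traffic through the tunnel
#   down      nothing is listening; the proxy location will have no network
classify_listener() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i !~ (":" port "$")) continue
                seen = 1
                addr = $i
                sub(":" port "$", "", addr)
                if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
            }
        }
        END {
            if (!seen)        print "down"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed sample of lsof output (not captured from a real machine).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 4242 alice 5u IPv4 0x1 0t0 TCP 127.0.0.1:1080 (LISTEN)
ssh 4242 alice 6u IPv6 0x2 0t0 TCP [::1]:1080 (LISTEN)'

tunnel_cmd "user@remote.example.edu"    # placeholder account and host
printf '%s\n' "$SAMPLE_LSOF" | classify_listener "$SOCKS_PORT"
# Live check: lsof -nP -iTCP:1080 -sTCP:LISTEN | classify_listener 1080
```

A result of “exposed” means the listener is bound to more than the loopback address; restart the tunnel with an explicit localhost bind address as in tunnel_cmd.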
Troubleshooting
You may have problems accessing local resources (e.g., a network printer in your home) while using the SOCKS proxy, as all connections will be forwarded through the remote machine.
When logging out of the remote machine, you may sometimes need to type Control-C to completely close the connection.
When your SSH connection is not running, you will not be able to use networked applications (such as web browsers) until you either make a connection (with port forwarding) or you change to a location without a configured proxy.


