Using redsocks to implement a system-wide OpenSSH SOCKS proxy

[vitex]

Suppose you are using an unencrypted Wi-Fi access point and wish to protect your TCP traffic from nearby network monitors.  On the forum we have discussed using an OpenSSH SOCKS proxy to protect web browsing directly and to protect command-line programs by using tsocks or torsocks.  The redsocks extension makes it possible to force all TCP traffic to travel over an OpenSSH SOCKS proxy to a server on which you have an SSH account; there is no need to change the configuration of any application program to take advantage of this proxy.

The script that I use with redsocks is via-ssh.sh.  (Select "raw" to save a copy of the script.)  Execution of the script requires root access, OpenSSH, and iptables.  (Root access is not required on the SSH server, which may be running OpenSSH or Dropbear.)  If you execute

Code: [Select]

  ./via-ssh.sh user@example.com:port

the script will construct a temporary OpenSSH proxy using account "user" (default is the current user) and port "port" (default is 22) on server "example.com" and will build iptables rules that force all TCP traffic to go through redsocks and the OpenSSH proxy.  The script displays your visible IP address before and after it creates the proxy so you can verify that the proxy is working.  If you add the "-v" (verbose) option

Code: [Select]

  ./via-ssh.sh -v user@example.com:port

the script will also display the major commands that it executes and the debug output from redsocks.

The OpenSSH SOCKS proxy does not carry UDP (and ICMP) traffic.  In particular, the DNS queries to resolve network addresses that you contact will be visible to anyone who can monitor your network traffic.  If you need to conceal those network addresses, I recommend that you use install the pdnsd extension and activate pdnsd with

Code: [Select]

  /usr/local/etc/init.d/pdnsd start -d -mto

so pdnsd will convert all DNS queries from UDP to TCP, which will cause those queries to be carried on the encrypted connection to your SSH server.

I have tested this script on Tinycore 4.0 and Ubuntu 10.04 systems that are not using iptables to implement a firewall.  For a server, I have used an account on freeshell.de with OpenSSH as its SSH server, a router using Dropbear, and Tiny Core using both OpenSSH and Dropbear.

The script via-ssh.sh is experimental, so use it with caution.  I have tried to code the script defensively so it will not leave a system with disrupted network connectivity.  I welcome feedback.

[vitex]

your script gives all needed informations, but i'm not sure whether i understand enough to get security...

after starting pdnsd with
sudo /usr/local/etc/init.d/pdnsd start -mto -g
also
./via-ssh.sh -v -d myhost:mysshport
works fine, the dns-resolution works and the messages of pdnsd are looking fine...

where do you see dangerous misconfigurations or wrong usage of these two packages?

The script performs essentially all of the configuration for you: it builds the configuration file for redsocks, builds the iptables rules, and starts the programs.  If you decide to use pdnsd to protect your DNS queries, the script uses the default configuration with the -mto option.  (You may want to change the default name servers in /usr/local/etc/pdnsd.conf.)

If I decide that I need to protect my DNS queries, then I start pdnsd as a daemon using

Code: [Select]

sudo /usr/local/etc/init.d/pdnsd start -d -mto

I normally do not turn on debug output since the actions of pdnsd are visible in the verbose output from via-ssh.sh.  (The DNS cache that pdnsd maintains is useful even when the proxy is not active.)

I normally use

Code: [Select]

./via-ssh.sh -v user@example.com:22

to activate the proxy with an added "-d" option if I am using pdnsd to protect DNS queries.  I use the output to verify that the expected IP address is visible when the proxy is activated.  I watch the debug output from redsocks to verify that TCP transactions are being passed to redsocks.  I typically use

Code: [Select]

wget -qO- http://tnx.nl/ip ; echo

for testing since it returns the visible IP address.  If pdnsd is active, you should see DNS traffic to name server IP addresses ending :53, although you may need to execute

Code: [Select]

sudo pdnsd-ctl empty-cache

to empty pdnsd's cache.

You can use

Code: [Select]

sudo iptables -t nat -L -n

to examine the iptables rules that are being used.

One vulnerability is forgetting to activate pdnsd to protect DNS queries.

Another vulnerability is executing a program that communicates with the outside world using some protocol other than TCP; traffic from such a program would not be protected by the proxy.  The torsocks developers block all UDP traffic to protect against such a program.  If there is any demand, I could add an option to do the same with an iptables rule.

Of course there is always the possibility that I have made a serious implementation error.

[netnomad]

hi vitex,

your script via-ssh combined with redsocks and pdnsd is a great piece of work!!!
i heavily tested it and it's now one of my favorite tools...
it's so easy to use and it's much more comfortable than other solutions i tried,
thank you, for your coding and that you share this script with us.
i hope many people will notice the impact of this script and will enhance their security in open networks that can be so easily suspicious environments...

i used your script with pdnsd and  i can confirm that browsing is much faster than over tsocks or a manually established tunnel over >ssh -D 12345 host<...
i like to watch the log over >sudo /usr/local/etc/init.d/pdnsd start -mto -g<, cause it's so unbelievable what different communication partners are used just while establishing one single connection.
sometimes there are domains that i usually ban, but over dns-request, they get involved over a kind of officially used backdoor called dns...

you could do us a great favor:
do you see there a chance to include pdnsd in your script?
i think it would be a great and useful enhancement , f.e. used as an option for the via-ssh command to load pdnsd,
to start the daemon during the use of via-ssh and to stop it after the use of via-ssh...
(a nice candy could be a further option to open a log-terminal, that shows the communication established by pdnsd

Another vulnerability is executing a program that communicates with the outside world using some protocol other than TCP; traffic from such a program would not be protected by the proxy.  The torsocks developers block all UDP traffic to protect against such a program.  If there is any demand, I could add an option to do the same with an iptables rule.

i don't know these basics entirely, but is it perhaps possible to route or to nat UDP over the ssh-tunnel-host?
does it makes sense or is it even possilble?
to block all UDP is perhaps only one solution...
but i'm not sure what further consequences this block will cause...
otherwise it would be great, if you could just add such an iptables rule.

you did such a clear and easy to read coding that it would be great, if you could incorporate these few ideas.
thank you for your help.

[vitex]

you could do us a great favor:
do you see there a chance to include pdnsd in your script?
i think it would be a great and useful enhancement , f.e. used as an option for the via-ssh command to load pdnsd,
to start the daemon during the use of via-ssh and to stop it after the use of via-ssh...
(a nice candy could be a further option to open a log-terminal, that shows the communication established by pdnsd

I am reluctant to add more complexity to the script.  I personally never stop pdnsd once I start it since its DNS cache is so useful.  Activating pdnsd with the script /usr/local/etc/init.d/pdnsd modifies /etc/resolv.conf so pdnsd is used for all DNS queries.  If instead you start pdnsd (e.g., in /opt/bootlocal.sh) with

Code: [Select]

sudo pdnsd -d -mto

then pdnsd runs as a daemon listening on 127.0.0.1:53 but is not used for normal DNS queries since /etc/resolv.conf has not be changed.  When via-ssh.sh is started with the "-d" option, DNS queries will temporarily be routed to pdnsd and converted from UDP to TCP.  If you add the "-g" option, you can see the debug output in the file /var/cache/pdnsd/pdnsd.debug.  (If you activate pdnsd this way, you can execute
 

Code: [Select]

sudo pkill pdnsd

to deactivate it.) 

Another vulnerability is executing a program that communicates with the outside world using some protocol other than TCP; traffic from such a program would not be protected by the proxy.  The torsocks developers block all UDP traffic to protect against such a program.  If there is any demand, I could add an option to do the same with an iptables rule.

i don't know these basics entirely, but is it perhaps possible to route or to nat UDP over the ssh-tunnel-host?
does it makes sense or is it even possilble?
to block all UDP is perhaps only one solution...
but i'm not sure what further consequences this block will cause...
otherwise it would be great, if you could just add such an iptables rule.

It is not possible to send general UDP over an OpenSSH SOCKS proxy.  (I believe that it is possible to do so over an OpenSSH "-w" tunnel, but that is really complex to set up and requires OpenSSH and root access on the server.)  If you look at /etc/services, you can see some of the services that may use UDP.

DNS and UDP are only a potential problem if one is concerned about the possibility of a local monitor observing which locations are being contacted over the encrypted proxy.  Does anyone really care about that?