Tunneling with OS X for fun, security, and more
For an internet user accustomed to freedom, there are a number of good reasons to create a tunnel. A few examples:
- You are on a public or unprotected wireless network and you don't want people spying on you (or worse, potentially grabbing personal information if you are checking email, buying things online, or logging into any website)
- You are on a network with a paranoid or unfair firewall that restricts your internet access
- You are on the network run by a pesky system admin that snoops on his lusers
So if someone is "watching" you make ordinary connections on a wireless network they will see you connecting to AOL (and probably grab your login), then maybe browsing msn.com and cnn.com, etc. If someone tries to eavesdrop on your tunnel connection, the most they will see is you making connections to one machine, all of them encrypted and unreadable. In short: they'll have no idea what you are doing.
There are applications for Mac that supposedly create tunnels but they are hopelessly devoid of any form of documentation and from what I can tell, they are largely special-use tunnels for single apps.
As was pointed out on paulstamatiou.com, everything you need to dig a tunnel is already built into OS X.
I found his method a little unsatisfying in that once the tunnel is open it provides you with...silence. There is no status to let you know that your tunnel is working. After reading the man page I modified it a bit so that you have a window that not only creates your tunnel but also gives you a realtime "pulse" for it.
In order to create a tunnel you will want to make sure you have two things:
- A Mac running OS X
- A computer to log into that is running any flavor of Unix or Linux with a static IP address. For my example I am going to create a tunnel between my MacBook Pro laptop and my Mac Pro desktop at home
Here is the walk-through:
First, to prepare the Mac Pro, go into System Preferences -> Sharing and turn on "Remote Login".
Next, on the MacBook Pro, open up a terminal window. This will start you out in your home directory. We're going to create a script that you can launch quickly whenever you need a tunnel. Type:
This will create a text document that we'll put our script in to create a tunnel to our computer. Add this to the file:
ssh -D 8080 -f -C -v -N yourname@YourIPaddressOrYourDomain.com
Hit Control-o to save the file. Then press Control-x to close pico.
To run your script, type this into the terminal:
...and hit return. This will fire up your tunnel. Since you chose "verbose" mode (-v), ssh will print a debug line for every connection your computer sends through the tunnel. With your display colors set correctly this is the part where you confound your friends by showing them that the Matrix does exist, and that you are running it on your computer.
Now there is one more step left, and that is to set your MacBook Pro to USE the tunnel we've opened up. In your System Preferences -> Network under "Location" choose "Duplicate Location" and name it the same thing with "Tunnel" at the end for easy reference.
Select this new network and choose the Advanced button...
Then choose the "Proxies" tab, check the "SOCKS Proxy" box, enter "localhost" under SOCKS proxy server and "8080" after the colon. Basically this tells your computer to funnel its network requests through the tunnel listening on your own machine (localhost) on port 8080 (an alternative http port). Note that this only covers applications that honor the system proxy settings; a program with its own connection settings will keep talking directly to the network unless you point it at the SOCKS proxy too.
Click OK, make sure your new network is selected and click "Apply". Everything on your computer that respects the system proxy should now be happening through your tunnel.
To test to see if this is working you can visit http://www.whatismyipaddress.com. It should give you the IP address of your REMOTE computer instead of your local network address.
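Beyond the browser test, the tunnel can be checked directly, because what `ssh -D` opens on port 8080 is a SOCKS5 proxy. The script below is an added example, not part of the original post: it speaks the SOCKS5 handshake to the local listener and asks it to connect to a hostname, so the name lookup happens on the remote machine rather than on the local network (the default port 8080 matches the post; the target host and port are assumptions).

```python
import socket
import struct

# SOCKS5 constants from RFC 1928 (the protocol `ssh -D` speaks locally).
SOCKS_VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting() -> bytes:
    """Client hello offering a single method: no authentication."""
    return bytes([SOCKS_VER, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request. A dotted-quad goes out as ATYP 0x01; anything else is
    sent as a domain name (ATYP 0x03) so the ssh server, not the local
    network, performs the DNS lookup."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> str:
    """Turn the first two bytes of a server reply into a readable status."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply: %r" % data[:2])
    return REPLY_TEXT.get(data[1], "unknown reply code %d" % data[1])


def check_tunnel(proxy_port: int = 8080, host: str = "example.org",
                 port: int = 443) -> str:
    """Talk to the local `ssh -D` listener and report whether the remote end
    could reach host:port. 'succeeded' means the tunnel is working."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=10) as s:
        s.sendall(build_greeting())
        if s.recv(2) != bytes([SOCKS_VER, NO_AUTH]):
            return "listener did not accept SOCKS5 no-auth (is the tunnel up?)"
        s.sendall(build_connect(host, port))
        return parse_reply(s.recv(10))


if __name__ == "__main__":
    print(check_tunnel())
```

Run it while the tunnel is up; anything other than "succeeded" tells you which side failed (the local listener or the remote end's connection attempt).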
Posted by Aaron R. Deutsch on May 1, 2009 8:21 PM
Have been trying to receive & send email with Mail OS X from behind my work's Proxy server with no success (Proxifier, Authoxy, etc.). Your tunneling how-to seems to be a possibility. What do you think?
Posted by: Michael Woerner at July 23, 2009 10:46 AM
Hey Michael, This should do the trick as it routes all traffic through port 8080 (web) which is presumed to be an open/unfiltered port. (Your remote computer will then initiate the email connections on ports 993, 995, 25, 465 and/or 587 and send the responses back to you via 8080)
Is there a simple way to determine my username and domain name?
The yourname@YourIPaddressOrYourDomain.com part is throwing me off, though it's probably simpler to figure out than I imagine.
Posted by: PrineSwine at August 30, 2009 8:58 PM
yourname is the login name for your home computer (or server) that you are tunneling to.
yourIPaddressOrYourDomain.com is the way to reach your home computer (or server) that you are tunneling to. Most people don't know how to set DNS for themselves so they opt for the IP address route.
On your home computer (or server) that you are tunneling to, go to http://whatismyipaddress.com and it will give you the number to enter.
A wildly hypothetical login for you would look something like: firstname.lastname@example.org