March 2007

Secure Connectivity on the Road

Use OpenSSH and Squid to create a non-Microsoft VPN

Connecting to the Internet while traveling can sometimes be dangerous, especially over open, unencrypted networks, such as those found at hotels, coffee shops, conventions, and sometimes even at client or business partner sites.

To give you an example, at the 2006 DEFCON 14 hacker convention in Las Vegas, hackers sniffed the public wireless network airwaves to discover all sorts of information from people who didn't bother to encrypt their network traffic. The hackers then posted those details on a "Wall of Shame" for everyone to see. As a result, a lot of people's sensitive information, including banking and business information, was compromised.

You can, of course, use a VPN to establish secure connectivity when you're mobile so that you don't fall victim to snoops. If you want a lightweight VPN solution that's easier to install and manage than other solutions, check out the OpenSSH VPN tool and the Squid for Windows proxy server (formerly SquidNT), both of which are free.

PROBLEM:
You need a way to protect the network communications of client computers when those clients are using untrusted networks.

SOLUTION:
Use OpenSSH and Squid for Windows to build a quick and simple VPN.

WHAT YOU NEED:
OpenSSH, Squid for Windows, Kraken Config, server computer, client computer

DIFFICULTY:
3 out of 5

OpenSSH and Squid for Windows
OpenSSH is based on the popular Secure Shell (SSH) technology, and Squid for Windows is based on the popular Squid proxy server; both were originally developed for UNIX and Linux platforms, and the Windows versions are ports designed specifically to run on Windows. One major benefit of these tools is their simplicity and portability: they're easy to install, require very little configuration and management, and the solution works on nearly any client OS today, which means you can build it on two ordinary desktops rather than a dedicated server platform. Proprietary solutions typically don't offer these benefits. Note that any client software you use must support a proxy server to communicate over this VPN solution. If you want to implement this solution on another platform, such as Linux, BSD, or OS X, simply obtain OpenSSH and Squid for that platform and apply the same principles that I describe in this article.

I'll show you how to build a VPN server and client, collectively referred to in this case as "VPN," step by step, by using the OpenSSH toolkit and Squid for Windows proxy server, which you can run on nearly any Windows system. This solution will let you move all your mobile-client traffic over an encrypted connection through the VPN and then out to the Internet or to systems on the network on which your VPN server resides.

An added benefit of this solution is that you can use it to remotely manage the server that runs OpenSSH or any systems that you have access to through the OpenSSH server (e.g., other systems on the same network). This is possible because when you connect to the OpenSSH server, you get a command-line prompt, which is actually a remote command shell running on the OpenSSH server. In that command shell, you can run any Windows commands or command-line tools that you have permission to access under the account with which you logged on. So if you want to manage other systems by using the OpenSSH connection, plan ahead by copying any tools that you might need onto the server before you head out on the road, or make sure you have access to other remote servers where any required tools might reside. If you need to manage other systems over the OpenSSH connection, you should probably use domain authentication (which Step 1 describes) so that you have proper permissions on those other systems.

How It Works
The OpenSSH/Squid for Windows solution is relatively simple. You install OpenSSH on a server and on any clients. You install Squid for Windows only on the server system. On the client side, OpenSSH connects to your OpenSSH server and opens a separate port on the client computer to listen for client traffic on the localhost address. You configure your client applications (Web browser, email client, chat client) to use a proxy server with the localhost address. The client applications then send traffic to the OpenSSH localhost port, which routes the traffic to the OpenSSH server over the encrypted connection. The OpenSSH server then receives that traffic and routes it to Squid for Windows, which in turn sends that traffic on to its destination. Although this might sound a bit complex, once you try it you'll see that it's very easy to understand and implement.

To implement this solution, you'll need one computer to use as the VPN server and at least one mobile computer to use as the VPN client. OpenSSH and Squid for Windows don't require much memory or CPU time, so you can run both on nearly any server that mobile computers can reach from the Internet. You could build the VPN server on a computer on your home network or, if your company policy allows it, on the company network. Be sure to read this solution in its entirety before you implement it.
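The traffic path just described, as an added example that is not part of the article (the article's own steps use the Windows installer and Kraken Config): a POSIX shell script that builds the client-side ssh forwarding command, gives the proxy URL the client applications must be pointed at, and checks from netstat output that the local listener is bound to the loopback address only. It is assumed to run in a POSIX shell (on Windows, for instance under Cygwin, or on the Linux, BSD, or OS X ports the article mentions). The server name vpn.example.com and user alice are hypothetical; port 422 is the sshd port the article adopts in Step 1, and 3128 is Squid's stock listening port, assumed here. The netstat lines are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the article: the client side of the
# OpenSSH/Squid tunnel described in "How It Works".  Assumed values: the
# sshd port 422 the article uses, a hypothetical server vpn.example.com,
# and Squid's stock listening port 3128.

# Build the ssh command that opens a listening port on the client and
# forwards everything sent to it, over the encrypted session, to Squid on
# the server.  $1 user, $2 server, $3 sshd port, $4 local port, $5 Squid port.
build_tunnel_cmd() {
    user=$1; server=$2; sshd_port=$3; local_port=$4; squid_port=$5
    # 127.0.0.1 on the left side of -L binds the listener to the client's
    # loopback only, so other hosts on the hotel or coffee-shop network
    # cannot reach the tunnel and use it as a free proxy.  -N opens no
    # remote shell, which is all that is needed when the session exists
    # only to carry proxy traffic.
    printf 'ssh -N -p %s -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$sshd_port" "$local_port" "$squid_port" "$user" "$server"
}

# The proxy URL to configure in the client applications (browser, mail,
# chat): always the loopback address and the local port, never the server.
client_proxy_url() {
    printf 'http://127.0.0.1:%s\n' "$1"
}

# Check, from netstat-style output on stdin, that the tunnel listener is
# bound to loopback and not to all interfaces.  Returns 0 only when a
# LISTEN(ING) entry exists on 127.0.0.1:PORT and none on 0.0.0.0:PORT.
listener_is_loopback_only() {
    port=$1
    out=$(cat)
    printf '%s\n' "$out" | grep -E "127\.0\.0\.1:${port}[[:space:]].*LISTEN" >/dev/null || return 1
    printf '%s\n' "$out" | grep -E "0\.0\.0\.0:${port}[[:space:]].*LISTEN" >/dev/null && return 1
    return 0
}

# Constructed sample of "netstat -an" output (Windows format) showing a
# correctly bound tunnel listener on the client.
SAMPLE_NETSTAT_GOOD='  TCP    127.0.0.1:3128         0.0.0.0:0              LISTENING'
# Constructed sample of a listener bound to every interface, which would
# let other hosts on the local network use the tunnel.
SAMPLE_NETSTAT_BAD='  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING'

# Demonstration when run directly.
build_tunnel_cmd alice vpn.example.com 422 3128 3128
client_proxy_url 3128
if printf '%s\n' "$SAMPLE_NETSTAT_GOOD" | listener_is_loopback_only 3128; then
    echo 'sample listener is loopback-only: OK'
fi
```

Once the ssh session is up, the browser or mail client is pointed at the URL from client_proxy_url (Step 5 of the article). Writing 127.0.0.1 explicitly on the bind side of -L is deliberate: ssh binds local forwards to loopback by default, but a GatewayPorts setting in the client's ssh_config (or the -g switch) would otherwise expose the listener to every host on the untrusted network, which is exactly the audience the tunnel is meant to keep out. The listener check is the quick way to confirm the binding after connecting.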

SOLUTION STEPS:

  1. Install and configure OpenSSH on the server.
  2. Install and configure Squid for Windows using Kraken Config.
  3. Install OpenSSH on the client computer.
  4. Fire up the server and connect.
  5. Configure your client applications.

Step 1: Install and Configure OpenSSH on the Server
To get started, download a copy of OpenSSH (http://sshwindows.sourceforge.net/download) and install it on your server by using the installation wizard. This is a straightforward process and doesn't require any special knowledge.

After you install OpenSSH, I recommend that you edit the default configuration so that OpenSSH listens on a port other than the default, port 22. Running on a different port makes it harder for intruders to discover the OpenSSH server by port-scanning the machine: intruders expect an SSH server to listen on port 22, so if you move it to another port, they'll have a harder time figuring out what service is listening there. To change the port, go to your OpenSSH installation directory and open the etc subdirectory. Edit the sshd_config file and set the Port parameter to an unused port number on your system. In this article, I use port 422. If you're unsure which ports are available, use the netstat -an command to view all open ports; any port not in that list can probably be used for OpenSSH. Be sure to remember the port number because you'll need it to log on to the OpenSSH server later.
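The port check and sshd_config edit from this step, as an added POSIX-shell example that is not part of the article (the article has you edit the file by hand): one helper decides whether a candidate port is valid and absent from netstat -an output, another reports the port sshd will use, and a third rewrites the Port line. It assumes grep and sed are available (on Windows, for instance under Cygwin; on Linux, BSD, or OS X they are standard). The netstat lines and the minimal sshd_config are constructed samples; the port 422 follows the article.

```shell
#!/bin/sh
# Added example, not code from the article: helpers for the Step 1 port
# change.  Assumed: a POSIX shell with grep and sed; the port 422 and the
# sshd_config file name follow the article.

# Return 0 if PORT appears as a listening socket in netstat-style output
# read from stdin.  Matches "0.0.0.0:22 ... LISTENING" (Windows) as well as
# "*.22 ... LISTEN" (BSD-style netstat).
port_in_use() {
    grep -E "[:.]${1}[[:space:]].*LISTEN" >/dev/null
}

# Return 0 if PORT is a syntactically valid TCP port and is not already in
# use according to the netstat output on stdin.
port_is_free() {
    port=$1
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    ! port_in_use "$port"
}

# Print the port sshd will listen on per CONFIG, 22 when no Port line is set.
# sshd honours every uncommented Port line; this helper reports the first.
get_sshd_port() {
    p=$(sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-22}"
}

# Rewrite CONFIG so that sshd listens on NEW_PORT: replace the active Port
# line(s), otherwise uncomment the stock "#Port 22" line, otherwise append.
# A temporary file is used because "sed -i" differs between GNU and BSD sed.
set_sshd_port() {
    cfg=$1; new_port=$2; tmp="${cfg}.tmp"
    if grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*Port[[:space:]]+[0-9]+.*/Port ${new_port}/" "$cfg" > "$tmp"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*#[[:space:]]*Port[[:space:]]+[0-9]+.*/Port ${new_port}/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; printf 'Port %s\n' "$new_port"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Constructed sample of "netstat -an" output on a Windows server with SSH on
# its default port and Remote Desktop listening.
SAMPLE_NETSTAT='  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING'

# Write a constructed minimal sshd_config (stock commented Port line) to $1.
write_sample_sshd_config() {
    printf '#Port 22\n#Protocol 2,1\nPermitRootLogin no\n' > "$1"
}

# Demonstration when run directly: pick 422 as in the article, verify it is
# free, then switch the sample config over to it.
demo_cfg="${TMPDIR:-/tmp}/sshd_config.example.$$"
write_sample_sshd_config "$demo_cfg"
if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_free 422; then
    set_sshd_port "$demo_cfg" 422
    echo "sshd will now listen on port $(get_sshd_port "$demo_cfg")"
fi
rm -f "$demo_cfg"
```

Against a real server, feed `netstat -an | port_is_free 422` before editing, then run set_sshd_port on the etc/sshd_config file and restart the OpenSSH service so the new Port line takes effect. Moving the port cuts the noise from scanners that only try 22; a scanner that probes every port still sees the SSH banner, so the access controls that matter on an Internet-facing sshd remain strong (preferably key-based) authentication and an up-to-date OpenSSH build.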



Reader Comments
I recommend using copSSH - OpenSSH for Windows (http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=12&MMN_position=22:22)
It's a lot more up to date than OpenSSH for Windows 3.8.1p1. It includes version 4.6p1, which patches a lot of security holes and is still updated regularly. I would also recommend using PuTTY on the client side. No installation required. You can even run it from a removable flash drive.

quillinanm, March 13, 2007


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing