Friday, September 20, 2019

How to Tunnel Firefox Traffic via SSH

January 29, 2008

Establish the SSH connection

Pick a port that is currently unused on your client machine. In this article we will refer to it as $PORT. If you don’t know which port to pick, choose a random number between 10,000 and 20,000; chances are it won’t be in use on your client machine.

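Establish your SSH connection to your server as you usually would, but pass a -fND $PORT option. Here -D opens the local SOCKS port, while -f and -N additionally send ssh to the background without running a remote command. For example, with -D alone and the bind address given explicitly: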

ssh -D localhost:$PORT youruserid@yourserver.com

Once you log in, the tunnel will be established.

Note that although the localhost: part in the SSH command is optional, you should specify it to restrict the tunnel to processes running on your machine. Otherwise, depending on your client's GatewayPorts setting, other users of your local network who knew about your tunnel would be able to use it.

Configuring Firefox to use the Tunnel

In Firefox click on the menus Edit > Preferences. Pick the Advanced tab and click on Settings next to Configure how Firefox connects to the internet. Select Manual proxy configuration, enter localhost in the SOCKS Host text field and enter the port you used for your tunnel. Close the dialog to apply the settings.

At this point most of the traffic from Firefox will go to the selected port, where the SSH process will pick it up and send it encrypted to your SSH server, which will in turn establish the actual connections to the web servers. There are two exceptions:

  • Hosts listed in the No proxy for setting. By default this setting lists localhost and 127.0.0.1. You could add other hosts or IP addresses if you want Firefox to connect to them directly (instead of using the tunnel).
  • Firefox will still do DNS lookups for the hostnames.

Configure Firefox to use the Tunnel also for DNS

You may want to have Firefox send DNS traffic through the Tunnel instead of sending DNS requests through the local network for the following two reasons:

  • Although other users in your local network won’t be able to see your actual web traffic, they can still see the hostnames of the sites you are connecting to.
  • Your web content may have many URLs such as http://www/foo.htm, where your SSH server will be able to correctly resolve the hostname but, for different reasons, your client may not.

To prevent Firefox from doing DNS lookups locally, enter about:config in the URL text field and double-click network.proxy.socks_remote_dns to set it to true.

Voila, at this point Firefox will be sending all its traffic (except, again, for the No proxy for servers) through your SSH tunnel.
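To confirm the two points above (the tunnel port is reachable only from your own machine, and DNS goes through the tunnel), here is an added example, not part of the original article. The function names are hypothetical, the listener lines assume the column layout of Linux `ss -ltn`, and all sample input is constructed.

```shell
#!/bin/sh
# Added example: checks for the two leaks the article warns about.
# All sample input below is constructed for illustration.

# listener_is_local PORT
# Reads `ss -ltn`-style lines on stdin. Succeeds only if PORT is listening
# and every listener on it is bound to a loopback address.
listener_is_local() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")      # $4 is "local address:port"
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { exit !(found && !exposed) }
    '
}

# dns_uses_tunnel PREFS_FILE
# Succeeds only if the last network.proxy.socks_remote_dns line in a
# Firefox prefs.js/user.js file sets it to true; a missing line fails.
dns_uses_tunnel() {
    val=$(sed -n 's/^user_pref("network\.proxy\.socks_remote_dns", *\([a-z]*\));.*$/\1/p' "$1" | tail -n 1)
    [ "$val" = "true" ]
}

# Constructed samples: tunnel on port 14321 bound to loopback vs. wildcard.
GOOD_SS='LISTEN 0 128 127.0.0.1:14321 0.0.0.0:*
LISTEN 0 128 [::1]:14321 [::]:*'
BAD_SS='LISTEN 0 128 0.0.0.0:14321 0.0.0.0:*'

report() {  # report LABEL COMMAND...  -> prints OK/FAIL for one check
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

check_good() { printf '%s\n' "$GOOD_SS" | listener_is_local 14321; }
check_bad()  { printf '%s\n' "$BAD_SS"  | listener_is_local 14321; }

report "loopback-only listener" check_good
report "wildcard listener"      check_bad

PREFS=$(mktemp)    # constructed stand-in for a profile's prefs.js
echo 'user_pref("network.proxy.socks_remote_dns", true);' > "$PREFS"
report "DNS through tunnel" dns_uses_tunnel "$PREFS"
rm -f "$PREFS"
```

On a real system, pipe the output of `ss -ltn` into listener_is_local with your $PORT, and point dns_uses_tunnel at the prefs.js file in your Firefox profile directory.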

Many thanks to Alejandro Forero Cuervo’s blog for helping us all out on this one.
