[Noisebridge-discuss] Systemwide ssh/socks proxying on OSX

Sai Emrys noisebridge at saizai.com
Fri Dec 25 15:04:46 UTC 2009


Just looked into this, figured it might help someone else.

Problem: Ensure that ALL traffic from your laptop goes over your
proxy. Including apps that don't take proxy config, like Skype.

Answer:
0. ping yourserver.com; note its ip [we're going to tunnel DNS in a
sec, don't want a catch-22]

1. ssh -C2fND 9999 yourserverip

The flags are: compressed, ssh v2 only, go into background and don't
do anything on the remote other than proxy, and open up port 9999 as a
socks proxy.

AFAICT this doesn't require root on either client or server. (Real
tunnel devices do, on both. I wasn't able to get a tunnel device [ssh
-w any:any] working on my VPS.)

2. install http://www.proxifier.com/mac

3. launch it and configure in 'options' menu:
- proxy settings: 127.0.0.1 port 9999 socks 5
- proxification rules: add; rule name: your server name; ip range:
your server ip (NOT dns); click 'add' next to IP entry; ok. Most of
the fields are left blank.
 - these are the *exceptions*, by default - there's a radio button to
invert that. Obviously we can't tunnel the ssh tunnel over itself,
which is why we're making it an exception. :-P
 - add more exceptions if you want to access something on the LAN
- name resolution: enable

The end. It also supports proxy chaining if you want to be fucking
paranoid - in proxy settings just set it up from the perspective of
each successive hop.


Just tested it, works perfectly. Might have some holes (e.g. low level
stuff?), but I'm not seeing anything on local iftop other than LAN
stuff and incoming direct connections.

It's a lot easier to use than tsocks, and more respected than merely
setting a proxy in system settings / network / proxies (which e.g.
Skype ignores).

If you run plain ssh commands now, they'll first get proxied - e.g.
"ssh pony.noisebridge.net" will go via the proxy without any further
config. Ditto everything else that's not in proxifier's exception
list.

I suggest installing (via macports) iftop or the like on both
machines; it's a nice tool to watch what's happening.

HTH,
- Sai
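A scripted version of the iftop sanity check at the end of the post, added here as an example and not part of Sai's message: it parses `lsof -i -nP` style output (a constructed sample below; 203.0.113.10 is a TEST-NET placeholder for "yourserverip") and reports any socket whose peer is neither the tunnel endpoint nor loopback/LAN, and also flags a SOCKS listener from step 1 that is bound to something other than loopback, since `ssh -D` on `*` would turn the laptop into an open proxy for the LAN.

```python
"""Leak check for the 'ssh -C2fND 9999' SOCKS setup: parse `lsof -i -nP` output and
report connections that bypass the tunnel, plus a SOCKS port bound beyond loopback."""
import ipaddress
import re

SERVER_IP = ipaddress.ip_address("203.0.113.10")  # placeholder for yourserverip (TEST-NET-3)
SOCKS_PORT = 9999
# Seen directly and fine: loopback (apps talking to the SOCKS port) and LAN (the extra exceptions).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONN_RE = re.compile(r"(TCP|UDP)\s+(\S+?):(\d+)->(\S+?):(\d+)")
LISTEN_RE = re.compile(r"TCP\s+(\S+?):(\d+)\s+\(LISTEN\)")

# Constructed sample in `lsof -i -nP` format; the Skype UDP flow goes out directly.
SAMPLE_LSOF = """\
ssh     4242 sai  3u IPv4 0xa1 0t0 TCP 192.168.1.5:52001->203.0.113.10:22 (ESTABLISHED)
ssh     4242 sai  5u IPv4 0xa2 0t0 TCP 127.0.0.1:9999 (LISTEN)
Skype   4301 sai 12u IPv4 0xa3 0t0 TCP 127.0.0.1:52010->127.0.0.1:9999 (ESTABLISHED)
Skype   4301 sai 14u IPv4 0xa4 0t0 UDP 192.168.1.5:61000->198.51.100.7:33033
Finder  4400 sai  9u IPv4 0xa5 0t0 TCP 192.168.1.5:52020->192.168.1.20:548 (ESTABLISHED)
"""

def _ip(text):
    return ipaddress.ip_address(text.strip("[]"))  # lsof prints IPv6 as [addr]:port

def find_leaks(lsof_output, server_ip=SERVER_IP, local_nets=LOCAL_NETS):
    """(process, proto, peer_ip, peer_port) for each connected socket whose peer is neither
    the tunnel endpoint nor loopback/LAN. Direction is not distinguished, so an incoming
    connection from a public address is reported too; treat the list as things to explain."""
    leaks = []
    for line in lsof_output.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # LISTEN entries and non-socket lines have no "->"
        proto, _laddr, _lport, raddr, rport = m.groups()
        peer = _ip(raddr)
        if peer == server_ip or any(peer in net for net in local_nets):
            continue
        leaks.append((line.split()[0], proto, str(peer), int(rport)))
    return leaks

def socks_listener_exposed(lsof_output, port=SOCKS_PORT):
    """True if the SOCKS port listens on '*' or a non-loopback address, i.e. the proxy
    (and with it your server's exit) is reachable from the LAN, not just this laptop."""
    for line in lsof_output.splitlines():
        m = LISTEN_RE.search(line)
        if m and int(m.group(2)) == port:
            return m.group(1) == "*" or not _ip(m.group(1)).is_loopback
    return False
```

On a live machine, feed it `subprocess.run(["lsof", "-i", "-nP"], capture_output=True, text=True).stdout` in place of the sample; an empty leak list and `False` from the listener check are what you want to see.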


