What is the easiest/best way to create a secure tunnel or VPN connection back to my home network to act as a relay for private interneting?
March 19, 2007 7:36 AM
What is the easiest/best way to create a secure tunnel or VPN connection back to my home network to act as a relay for private interneting? Is it possible to do this using just a router that would be on anyway, so I don't have to have a computer running all the time just to act as a relay?
I'm reasonably computer aware, but I'm not a networking guy or a linux guy by any stretch, so feel free to assume I'm clueless about everything.
My Home Network
I currently have a D-Link dl-524. It would be great if I could do it with that, but if I should consider buying a different router for this, which one should I get? (If there are several, one that could also facilitate some kind of NAS system would be good, but that's a VERY, VERY, VERY low priority compared to cost or power usage).
The dl-524 has a configuration for VPN Pass-through using PPTP and/or IPSec, but it looks like that's more about allowing internal clients out as opposed to providing some kind of relay for external clients.
At home, I have a dynamic IP address assigned by a cable modem. I assume that means I'll need to set up some kind of dynamic DNS so I always know how to address my network. My current router supports that, but is there a best choice for where and how to do that?
My Client Machine
I'm generally going to be using a MacBook Pro connecting over a WiFi router (of various configurations).
I'm probably already going through some kind of proxy server to make my internet connection, so if I need to configure a proxy, I need some way to relay through a few of them.
My goals are to secure what I'm doing from prying eyes and use potentially restricted services like AIM (iChat) or POP3 (Entourage) or HTTP (Firefox) to potentially restricted sites. It would be great if it was easy to bypass this setup so that I could also access internal network resources easily.
If there's a commercial service out there that I might consider instead, please let me know about that as well.
Yep, Hamachi is easy to set up and get going. To make it free, you would want to set up Hamachi and a proxy server.
posted by bigmusic at 8:16 AM on March 19, 2007
Best answer: Tinyproxy is the proxy I used to do this in the past. Set up an stunnel from your host to the remote proxy (i.e. home PC), and then configure your browser to use localhost talking over the stunnel to the remote proxy. You're encrypted all the way from client to proxy, and it's a relatively simple setup.
To do it without a remote PC, it's possible you could configure a router running DD-WRT or OpenWRT (linux-based firmware) to run tinyproxy and stunnel. The best router for these types of projects is typically the Linksys WRT54GL, which goes for about $60.
posted by knave at 8:58 AM on March 19, 2007
Response by poster: Is it possible to use Hamachi without a computer running on my home system (i.e. using a router or some 3rd party system)?
Also, I can't seem to get Hamachi running on my client machine (MacBook Pro).
When I go to install it, I get the following error:
./install: line 21: make: command not found
It then reports that Hamachi is installed, but when I go to sudo /sbin/tuncfg
... I get sudo: /sbin/tuncfg: command not found
I was able to get ./hamachi-init to generate the crypto identity.
However, hamachi start produces [ 0] [ 366] tap: connect() failed 2 (No such file or directory)
I have installed the TUN/TAP device driver (although I was pretty leery of doing that, as the author reports it is unstable on Intel-based Macs).
posted by willnot at 10:09 AM on March 19, 2007
Best answer: >My goals are to secure what I'm doing from prying eyes and use potentially restricted services like AIM (iChat) or POP3 (Entourage) or HTTP (Firefox) to potential restricted sites.
First off, you're not going to outsmart your IT department. Someone is going to see your SSH or whatever traffic and ask you what you are doing. If there are restrictions at your place of work, a little networking magic isn't foolproof.
That said, I see two solutions here. One is using ssh as a SOCKS server (or as a tunnel) or using something like remote desktop or VNC. The first solution will get you on your network at home and encrypt your data. This solution involves reading a few howtos on getting the tunnel set up correctly or configuring your applications to use the tunnel or SOCKS proxy. All SSH servers are also SOCKS proxies. A SOCKS proxy is easier to do than tunneling/port forwarding. You'll find much documentation on how to do this on the web.
Now you can access your computer from home using remote desktop or VNC. This will be slower and will require you to run a PC at home 24/7, but it's much simpler to set up. Just tell your router to forward the port and pick a decent password.
Lastly, you may want to set up Tor instead. I don't believe it's encrypted, but it will anonymize your data.
posted by damn dirty ape at 10:20 AM on March 19, 2007 [1 favorite]
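A small check for the "ssh as a SOCKS server" route above, added here as an example and not code from the thread: it speaks SOCKS5 to the local port that `ssh -D` opens and asks for a CONNECT by hostname, the request form in which the name is resolved at the home end rather than by the restricted network's resolver. The proxy port 1080, the home host and the target www.example.com are assumptions.

```python
"""Verify an ssh -D SOCKS5 proxy by doing the handshake and a CONNECT-by-name."""
import socket
import struct

SOCKS_VER = 5
NO_AUTH = 0x00        # ssh -D offers no SOCKS-level authentication
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03    # address type "domain name": proxy resolves it for us
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def build_greeting():
    # VER, NMETHODS, METHODS: offer only the no-authentication method
    return bytes([SOCKS_VER, 1, NO_AUTH])

def build_connect(host, port):
    # VER, CMD, RSV, ATYP, LEN, NAME, PORT: send the name, not an IP, so the
    # DNS lookup happens at the home end and does not leak on the local network
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

def parse_reply(data):
    # VER, REP, RSV, ATYP, BND.ADDR, BND.PORT -> (ok, description)
    if len(data) < 4 or data[0] != SOCKS_VER:
        return False, "not a SOCKS5 reply"
    rep = data[1]
    return rep == 0, REPLY_TEXT.get(rep, "unknown reply %d" % rep)

def check_proxy(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    # Returns (ok, description); ok means the proxy opened the connection
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        resp = s.recv(2)
        if len(resp) != 2 or resp[0] != SOCKS_VER or resp[1] != NO_AUTH:
            return False, "proxy refused the no-auth method"
        s.sendall(build_connect(target_host, target_port))
        return parse_reply(s.recv(262))

if __name__ == "__main__":
    # Assumes "ssh -D 1080 -N user@home.example" (placeholder host) is running
    print(check_proxy("127.0.0.1", 1080, "www.example.com", 80))
```

Firefox only sends names this way when network.proxy.socks_remote_dns is enabled; with it off, the lookup happens locally before the SOCKS request is made.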
Also note Hamachi goes through an untrusted third party to setup connections and god knows what else. I would consider it a last resort and unsecure.
posted by damn dirty ape at 10:21 AM on March 19, 2007
> I don't believe it's encrypted, but it will anonymize your data.
clarification: Tor will only encrypt your data and anonymize your path. It will not (without privoxy) remove cookies and other non-anonymous data.
posted by philomathoholic at 10:26 AM on March 19, 2007
SSH as SOCKS proxy
Of course you'll still need a computer to connect to on the other end. You probably won't find any router for the home market (< $500) that includes an SSH or VPN server in it by default. You could of course get a Linksys WRT54GL (note the L - important) and install the open source firmware DD-WRT (http://www.dd-wrt.com/dd-wrtv2/index.php) on it, which lets you run a PPTP VPN server on the router (this is what I use).
posted by chundo at 10:54 AM on March 19, 2007
Response by poster: Thanks Everyone.
SSH as a SOCKS proxy worked great, with one exception. Even though iChat has built-in support for connecting via a SOCKS proxy (and can even be made network location aware), it doesn't seem to want to connect via a SOCKS proxy for anything. I'm not the only person with that problem; there are several people on the Apple forums complaining of the same issue.
The fix as far as I can tell is to use Adium instead of iChat.
Next up, I'll try putting a Linksys WRT54GL router into the mix so I don't need to keep my home computer running.
posted by willnot at 1:46 PM on March 21, 2007