SSH Tunnels as an alternative to VPNs
Many people do not fully realise the power of SSH, and most who do use it just use it to log in to a shell and run a few commands. In fact it can be used for a whole lot more, including securing a device or web browser when using an untrusted Internet connection such as public WiFi.
This article consists of two parts: how to set up your Android device to use an SSH tunnel as a VPN, and how to secure just web-browser traffic using an SSH tunnel on your Android device.
What you’ll need
- An SSH server with forwarding enabled
- The private key (or password) for a valid SSH account on the server
- An Android device (which doesn’t need to be rooted)
Most Linux distributions come with an SSH server already installed. On the AWS images I have used, an SSH server is installed by default, but if you plan to use AWS for securing traffic from your Android device you may want to double-check the settings in my article Setting up OpenSSH on Ubuntu.
If you don’t use Amazon Web Services, or you have a computer at home (or indeed a VM on that computer) that you want to use as an SSH server, here are instructions on setting up OpenSSH on Ubuntu 16.04.
What’s the difference between a VPN and traffic secured with SSH Tunnels?
At a high level, depending on the VPN type, both will secure your data over the network, but a VPN will give you an IP address on the network you are VPN’ed into, whereas with an SSH tunnel you are not assigned an IP address on that network. If you just want to make sure your communication is secure on a public network, you can use the SSH tunnel approach; if you need services on your device to be reachable from the network you are connecting to, a VPN would be the easiest approach.
Using SSH Tunnels on Android as a VPN (without a rooted device)
Unfortunately, many Android apps that let you send all your traffic through an SSH tunnel require a rooted device, because root access is needed to change the iptables rules that control the flow of traffic from the device. However, this is not necessary: you can install software that acts as a VPN by creating a virtual network adapter on your phone, connecting to the SSH tunnel and directing all traffic through the virtual adapter and then the secure tunnel, all without needing root access.
To start, install Ki4a from the Google Play Store.
Open up Ki4a and touch the settings icon.
Fill in:
- Address
- Port
- Username
Toggle “Use Private Key” on, and choose the key file by touching the “Private Key” option below.
Turn on:
- Enable Compression
- Enable DNS Forwarding
- Send all traffic over VPN
Use the back button to exit from the Settings screen and click the large red button on the main screen to connect.
When the button turns green, all traffic from your device is routed through the SSH tunnel to your SSH server and out to the Internet from there!
Sending just web-browser traffic through an SSH tunnel
For some users, the VPN approach might not be necessary. It could be that all that is needed is to access non-secure HTTP web pages securely, or indeed to access intranet content internal to the network where the SSH server runs. If that’s what you’re looking for, follow these instructions.
There are a number of tools you could use to do this, but I will use ConnectBot and Firefox as these are both relatively straightforward to configure. Begin by downloading and installing them both from the Google Play Store.
Copy your key to the /sdcard folder on your Android device. I store my key on Google Drive so I can access it from all my devices. Google Drive also gives the option to copy the key file to /sdcard.
Open ConnectBot and select Manage Pubkeys from the menu.
From the ConnectBot: Pubkeys screen, select Import from the menu, then select the key you want to use.
Go back to the ConnectBot: Hosts screen and enter <username>@<SSH host>:<port> and press enter.
Confirm the host fingerprint (first time only). You should now be connected, without needing to enter a password if you followed my article on setting up OpenSSH on Ubuntu.
Next, we need to set up the port forwarding. To do this, select Port Forwards, then Add port forward from the ConnectBot: Port Forwards screen.
Set:
- A Nickname
- Type: Dynamic (SOCKS)
- Source port: 8080 is the default proxy port, but be sure to type it in, as the greyed-out 8080 is just a suggestion and won't be used by default.
- Destination: leave blank.
ConnectBot is pretty good and will remember all the settings for next time, so all you will need to do is select the profile when you come to use the tunnel in future.
Next, open up Firefox. In the address bar, type “about:config”.
To use the secure tunnel, we need to set the following Firefox properties:
- network.proxy.socks: localhost
- network.proxy.socks_port: 8080
- network.proxy.socks_remote_dns: true
- network.proxy.type: 1
The properties are saved as soon as they are changed. You can now open up a new tab and the Firefox traffic will be routed through the SSH tunnel, appearing to the outside world to have originated from your SSH server!
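The Firefox settings above make the browser speak SOCKS5 to ConnectBot's local port. The following Python script, added here as an example and not part of the original article, performs that same handshake itself: it builds a CONNECT request that carries the hostname (the behaviour network.proxy.socks_remote_dns enables, so names are resolved by the SSH server rather than by a resolver on the public WiFi) and can probe a running tunnel before you browse. The proxy address 127.0.0.1:8080 is an assumption matching the settings above; the reply codes are those of RFC 1928.

```python
import socket
import struct

# SOCKS5 constants (RFC 1928): the protocol ConnectBot's "Dynamic (SOCKS)"
# forward speaks on localhost:8080 and Firefox is pointed at via about:config.
SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_DOMAIN = 0x03  # address sent as a hostname, to be resolved by the proxy side

REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request carrying the hostname itself (ATYP 0x03).
    This is what network.proxy.socks_remote_dns=true makes Firefox send: the
    SSH server resolves the name, so no DNS query leaves the phone in clear."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes for SOCKS5")
    header = struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0x00,
                         ATYP_DOMAIN, len(name))
    return header + name + struct.pack("!H", port)


def parse_reply(data: bytes) -> str:
    """Interpret the reply header; raise if the peer is not a SOCKS5 proxy."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % data[:2])
    return REPLY_CODES.get(data[1], "unknown reply 0x%02x" % data[1])


def probe_tunnel(target_host: str, target_port: int = 80,
                 proxy=("127.0.0.1", 8080), timeout: float = 5.0) -> str:
    """Run the full handshake through the local dynamic forward and return the
    textual reply; "succeeded" means the SSH server could reach the target."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))  # offer only "no auth"
        if s.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
            raise RuntimeError("proxy rejected the no-auth handshake")
        s.sendall(build_connect_request(target_host, target_port))
        return parse_reply(s.recv(4))  # VER REP RSV ATYP; bound address follows
```

Call probe_tunnel("example.com") while the ConnectBot session is connected; if nothing is listening on port 8080 the connection attempt raises ConnectionRefusedError, which means the forward itself is not active.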
So when you want to browse securely, just open up ConnectBot and connect to your server, then you can access insecure and internal web pages securely through Firefox!
About the Author
Russell Stringer is an Ericsson Certified Associate in IP Networking currently based in San Jose, California. As a Technical Project Manager and Certified Scrum Master he enjoys helping people solve technical problems using simple solutions and readily available tools.
I want to use this repo, but after changing the package name I got the error: "E/ki4a: Unable to connect to localSocksFile [/data/data/com.spotvpn.ssh/ki4a/tunfd_file]". Problem details are in https://github.com/staf621/ki4a/issues/28. How can I fix it?
Hi, I am trying to make an SSH tunnel to consume services of a node on a remote machine and make all the requests as if the node was running locally. Is there a way to do it? Redirect all your traffic to the port of the tunnel that is running on your phone. Can you pass me some of your code so I can look at it and base mine on it? Thank you very much in advance. Happy Christmas!
Great article, Russ. I used this technique while on holiday in the summer to access geographically sensitive sites. I hadn't worked out a technique to let me do this on my phone rather than on a PC though. Thanks! I'll give this a try soon.