Secure browsing on an insecure network with my Macbook

UPDATE: There is a much easier way to achieve a secure tunnel/proxy that doesn’t require squid to be installed. I’ve blogged it here. The method described on this page may still be useful if you want to log the pages you visit. Also, if you wanted to block out ads, you could swap out squid for another proxy such as privoxy.

I’m currently on holiday in Avoriaz in France, and I’m browsing the Internet via an open wireless hotspot. Given how easy it is to intercept traffic on an open WLAN, this could have posed a bit of a security problem, as a lot of the website admin panels I access (including my blog’s WordPress admin) are in an insecure (HTTP) area.

However, there is a solution that ensures that all my traffic (not just https) is encrypted, at least until it gets back to a more trusted part of the Internet.

The solution involves setting up a proxy server (squid) on a trusted server somewhere (e.g. a datacentre, or your home or office) and then connecting to this server via an SSH tunnel.

For this particular howto you will need the following:

  • An Apple laptop running OS X 10.5 (Leopard)
  • A Linux server (preferably running Centos / RHEL) in a trusted location

Installing Squid on your Linux Server

Firstly install squid using your desired package manager… I have a Centos 5 server, so I’m going to use yum:

[root@pablo ~]# yum install squid

Next, edit the squid config to allow connections from the server’s own local IP addresses:

[root@pablo ~]# vim /etc/squid/squid.conf

I added a line to allow my server’s public IP. NB: at this point we aren’t permitting your laptop’s IP, only the local IP addresses on your server.

acl localhost src 127.0.0.1/255.255.255.255
acl localhost src 87.124.70.62/255.255.255.255

Now setup the runlevels for squid so that it starts when your server starts:

[root@pablo ~]# chkconfig squid on

If that worked, it should be set to on for runlevels 2, 3, 4 and 5:

[root@pablo ~]# chkconfig --list squid
squid 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Finally start squid if it isn’t already running:

[root@pablo ~]# service squid start
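Squid only serves a request when an http_access rule matches the client’s source address, so the two acl lines above decide who may use the proxy. The following is an added example (not the post’s own code) that evaluates squid-style src ACLs the way squid does, against a constructed config containing the post’s two localhost lines; it shows why the SSH tunnel works without the laptop’s own IP ever being added.

```python
"""Squid src-ACL evaluator (added example, not code from the original post).
The sample config is constructed: the two localhost lines are the post's,
the 'all' acl and the http_access rules mirror squid's stock defaults."""
import ipaddress

SAMPLE_CONF = """
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/255.255.255.255
acl localhost src 87.124.70.62/255.255.255.255
http_access allow localhost
http_access deny all
"""


def parse_conf(text):
    """Return (acls, rules): acls maps name -> [ip_network]; rules is the
    ordered list of (action, acl_name) taken from http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments and blanks
        if not fields:
            continue
        if fields[0] == "acl" and len(fields) >= 4 and fields[2] == "src":
            # Repeating an acl name extends it (how the post adds the public
            # IP); squid and ipaddress both accept CIDR or dotted netmasks.
            nets = [ipaddress.ip_network(v, strict=False) for v in fields[3:]]
            acls.setdefault(fields[1], []).extend(nets)
        elif fields[0] == "http_access" and len(fields) == 3:
            rules.append((fields[1], fields[2]))
    return acls, rules


def client_allowed(conf_text, client_ip):
    """First matching http_access rule wins; with no match squid applies the
    opposite of the last rule's action (deny when there are no rules)."""
    acls, rules = parse_conf(conf_text)
    addr = ipaddress.ip_address(client_ip)
    for action, name in rules:
        if any(addr in net for net in acls.get(name, [])):
            return action == "allow"
    return bool(rules) and rules[-1][0] != "allow"


if __name__ == "__main__":
    # Via 'ssh -L 3128:localhost:3128' squid sees the laptop as 127.0.0.1, so
    # the laptop's hotspot address (constructed here) needs no acl of its own.
    for who, ip in [("laptop via ssh tunnel", "127.0.0.1"),
                    ("server's own public IP", "87.124.70.62"),
                    ("laptop direct from hotspot", "10.20.30.40")]:
        print(f"{who:27s} {ip:13s} -> {client_allowed(SAMPLE_CONF, ip)}")
```

Running it shows the tunnelled laptop and the server itself allowed, and a direct connection from the hotspot address denied, which is the access pattern the post relies on.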

Setting up your laptop to use the secure proxy

To get the laptop using our secure proxy, we must do two things: open an SSH tunnel to the proxy, and then set up Safari (or your browser of choice) to use this proxy for any required connections.

To set up the secure SSH tunnel from port 3128 on your laptop to port 3128 on the squid server, just run the following command:

paul-macbook:~ paul$ ssh -L 3128:localhost:3128 [email protected]

Then all you need to do is configure Safari (or Firefox) to use port 3128 on your local machine as its proxy, and all traffic will be routed via this secure tunnel before being re-routed to the rest of the Internet. Of course, this won’t secure your browsing beyond the squid server, but you can at least be sure that it is not being intercepted by fellow users of the wifi hotspot.

So click on the Safari menu at the top of the screen, and then click Preferences (or press CMD + ,). This will open up the Safari preferences. Make sure you have the Advanced tab open.

[Screenshot: Safari Advanced Settings Menu]

On this menu, click the Change Settings button next to Proxies. This will take you to the System Preferences Proxy menu.

[Screenshot: OS X Leopard Proxy Settings]

Select the protocols you wish to enable the proxy for (in my case I just chose HTTP), then fill out the proxy server address, which is 127.0.0.1 (localhost) and the port, 3128.

And that’s it! You should now be able to browse the web as if you were using your Linux server directly. This method has the added advantage that it can be used to bypass geographic IP-based restrictions, as it makes you appear to be where your server is located.
