If you work on the go fairly often, you've probably hopped on a public wireless network at least once or twice. You should have also figured out how to keep your data safe when you're on such a network, by taking precautions such as using your company's virtual private network, if available, or an encrypted web tunnel such as Hotspot Shield.
If you don't have a company VPN and you don't want to deal with Hotspot Shield's banner ads, however, you can still secure your wireless traffic without breaking the bank by setting up your own VPN and gaining a private, encrypted Internet connection free from eavesdroppers.
Tunneling Your Traffic
Whether the public wireless network you use is password-protected or pay-per-minute, anyone who connects to the network could spy on your HTTP traffic, restaurant patrons, other people in your airport concourse, or other paying subscribers of a commercial hotspot provider.
You can fix this problem by creating an encrypted tunnel through which you can send web traffic that originates at your laptop and ends at a known location (the tunnel "endpoint"). From there, the tunnel routes your web requests to the public Internet. Of course, once the traffic is outside the tunnel, it's subject to the usual potential scrutiny, from ISPs, law enforcement or the like, but while your data is travelling through the public-access Wi-Fi hotspot, your web surfing is secure.
In the diagram above, regular users of the coffee shop's wireless hotspot take the direct route to a website (in red), but you use an encrypted tunnel (in blue) to shield yourself in the hotspot network. Once you are at your tunnel endpoint, your web traffic travels through the Internet via regular unencrypted methods (again, in red) to arrive at the destination website.
Easy, Cheap Security via SSH
The easiest way to set up your own VPN starts with paying a monthly fee for a hosting company to do all the difficult work of obtaining a server, installing an operating system, and making sure the server stays online 24 hours a day with plenty of backup generator power. I prefer this approach because you don't have to fuss with any firewalls back at home, and you don't have to leave a computer running when you're on the road.
Any inexpensive shared hosting provider will do for your purposes, as long as the company provides access to a secure shell (SSH) server. SSH was created as an encrypted version of telnet, one of the Internet's original protocols, used to send character information between computers. (If you've ever seen a Hollywood computer thriller showing a green screen and hackers typing away furiously, they're probably using SSH or telnet, depending on how well the screenwriters did their research.)
I personally prefer HostGator, which has a large data centre in Houston. The company's basic "Hatchling" hosting package is almost $5 per month, so for three nickels a day you can have your own secure tunnel. Once HostGator creates your account, you receive your login information and your assigned server. From there, you can set up an impromptu web proxy by issuing SSH commands. I'll demonstrate both OS X and Windows versions; Linux users can follow along and make minor adjustments where necessary.
Get an SSH Client
OS X ships with a command-line SSH client, so all you need to do is open Terminal (located in the Utilities folder within your Application folder). You will see a command prompt that has your username and your computer's name, followed by the $ symbol. All of the commands in the following sections will be things that you type just beside that symbol.
On Windows, you need to download an SSH client. You have many to choose from, but a popular freeware client is PuTTY.
Test Your SSH Server
Using the login information from your hosting provider, you can open an SSH session on OS X by entering the portion shown below in bold after the $ symbol:
$ ssh [email protected]
On a Windows machine, start PuTTY and enter the server name that your hosting provider gave you. Select the SSH radio button under 'Protocol'. The Port field should be set to 22 (the default SSH port). Click the Open button.
Since this is the first time you're connecting to this server, both OS X's client and PuTTY will display an alert and prompt you to confirm the host's fingerprint. (This should happen only once; thereafter, your SSH client will confirm that the fingerprint hasn't changed. If it does change, that could indicate that your connection has been tampered with.) You'll see text similar to the following:
The authenticity of host 'server.websitewelcome.com' can't be established. RSA key fingerprint is 11:22:33:44:55.
Are you sure you want to continue connecting? Yes
Once you confirm the fingerprint, PuTTY will prompt for your username and password. OS X will prompt for the password only, because you provided the username on the command line already. After you're logged in, you should see a prompt showing that you are now connected to the command line of the remote server; notice that the server name preceding the $ has changed to reflect the remote system:
login as: username
Using keyboard-interactive authentication.
Last login: Fri Jan 01 02:03:04 2010 from 18.104.22.168
Now that you know you have a working SSH server, you can continue to set up your tunnel. Type the command exit to close your SSH session.
Local Listeners and Remote Endpoints
Here's where things get a bit confusing, so read carefully. You need to configure a port on your local computer (a "listener") that will take any packets you throw at it and stuff it into an SSH encrypted session. At the other end of the tunnel, the traffic will dump out on your SSH server. In the following sections, I'll show you how to configure your Web browser to proxy your traffic through this local listener. Even though conceptually it seems that you would want to point the Web browser to the remote server, you will technically be pointing it at "localhost," which is a special name for your local computer.
You'll need to tell your SSH client to connect to the SSH server and open a tunnel that begins on your laptop (localhost) on port 8888 and terminates at the SSH server, where the data will then be forwarded to the final destination website.
Create Your SSH Tunnel
The process is straightforward on OS X and can be represented in one command:
$ ssh -ND 8888 [email protected]
The 'N' option tells the SSH client that you do not want an interactive session (a command prompt), because you just want to set up a tunnel. The 'D 8888' option tells the SSH client to set up a "dynamic" port-forwarding tunnel on port 8888. The tunnel is dynamic because the destination website will change depending on where you are surfing; other port-forwarding tunnels have static rules, but for web browsing you want the dynamic version. After issuing the command, you will be prompted for a password and then... nothing will happen. Actually, if the command works, the port will be open, but you will not receive any confirmation within Terminal. OS X folks can proceed to the next section.
For Windows, start PuTTY again, scroll down the 'Category' listing on the left to 'Connection', and expand the 'SSH' category to select Tunnels. Select the Dynamic radio button, enter 8888 for 'Source port', and then click Add.
Now click the Open button. After you enter your password, your tunnel should be created. No confirmation message will display within the command prompt.
Try Out Your New Tunnel
Now it's time to test things out. Fire up your web browser, visit What Is My IP Address, and take note of the IP address displayed. This is the public IP address that the rest of the world sees when you connect from your current location (home, work, school, or the coffee shop). Once you change your web proxy settings, you'll need to come back to this site to verify that the Internet believes you are visiting "from" your SSH server, confirming that your web browsing is secure from eavesdropping by other Wi-Fi hotspot users.
Internet Explorer users should go to the Tools menu and select Internet Options. From this dialog box, select the Connections tab (fifth from the left) and click the LAN Settings button at the bottom. In that pop-up dialog box, select the checkbox next to Use a proxy server for your LAN. Now click on Advanced. Next to 'SOCKS' enter localhost for the address and 8888 for the port; leave all the other fields blank. Click OK three times and go to What Is My IP Address again. Your IP address should now reflect that of the SSH server.
Mozilla Firefox users on Windows should go to the Tools menu and select Options, while OS X Firefox users should go to the Firefox menu and select Preferences. Thereafter, users on either platform should select the Advanced category (a gear icon) and then the Network tab (second from left), and click the Settings button.
Select Manual Proxy Configuration. Next to 'SOCKS Host', enter localhost for the address and 8888 for the port; leave all the other fields blank. Choose the SOCKS5 radio button if it isn't already selected. On Windows, click OK twice; on OS X, simply close both preferences windows. Visit What Is My IP Address again. Your IP address should now reflect that of the SSH server.
Safari users on OS X should go to the Safari menu and select Preferences. Select the Advanced category (a gear icon) and then click the Change Settings button next to 'Proxies'. This will open System Preferences for your current network connection. On the Proxies tab, select the checkbox next to SOCKS Proxy and then enter localhost for the address and 8888 for the port. Click OK, Apply and then close System Preferences. Visit What Is My IP Address again. Your IP address should now reflect that of the SSH server.
Run Your Own SSH Server
Congratulations: You now have a secure tunnel through which you can use public Wi-Fi securely. But what if you ignore my advice and you don't want to pay a monthly fee to a hosting company? You can run your own SSH server. This approach isn't for everyone, however, don't continue with the following steps unless the previous sections were very easy for you to understand. You will also need to know how to allow a connection through your home DSL/cable router (or, if you're at the office, how to alter your firewall).
This approach will also make your connection interesting to network scanners that look for open ports on the Internet. Additionally, you will have to keep the computer you use for the server running all the time back at home, which may rack up more electricity usage and more noise pollution than your significant other or roommates will tolerate.
I strongly suggest using a hosting provider, but if you truly understand the risks involved and you want to run your own SSH server, continue reading. This is what your configuration will look like:
OS X users are in luck: An SSH s erver is built in to the operating system. Simply open System Preferences and open the Sharing category. Under the Services tab, select the checkbox next to Remote Login (aka SSH Server). That's all! You can skip down to the next section.
For Windows users, a number of free and inexpensive SSH servers are available (sometimes referred to as SSHD, the "D" is for daemon, which is a way of saying "server" in geek-speak). The one I'll use in this example is WinSSHD version 5 from Bitvise; it's available at no cost for personal use. Run the installer and select the Personal Edition (for companies, the Standard Edition is an excellent and inexpensive choice). The control panel will load after installation and show the Easy Settings wizard. All of the defaults are appropriate for your purposes right now, so just click Cancel. Click the Start WinSSHD link highlighted in blue to start the SSH server.
Test Your SSH Server
I won't go into detail about properly disabling your local laptop firewall or your network firewall to allow port 22 to receive incoming connections, if you've read this far, you're an advanced user who knows how to do that already. Your next step is to test your SSH server, so you'll use some of the commands described in previous sections. OS X users should enter the following command:
$ ssh [email protected]
Windows users should start up PuTTY and enter localhost for the server address. You can use your own password that you use to log in to your laptop. Remember that this is a new connection, so you will likely see a fingerprint-verification prompt. If it doesn't work, double-check your firewall or other security software that might be blocking your connection.
Next, try to connect from the outside back to your SSH server. Create a test account on your local computer and ask a friend to test the connection using the password for this test account. Your friend should follow the same steps in configuring the SSH client software and his or her Web browser as presented in the previous sections.
Never Surf Naked
Now you've seen how easy it is to use a secure tunnel for your web browsing when you are on a public-access Wi-Fi hotspot. Use the free Hotspot Shield service, set up your own SSH server at home, or use an inexpensive hosting provider, but never, ever surf "naked" again!