DD-WRT + SSH Server = Easy Secure Browsing Over Public WiFi
- Being hacked
- Paying for a VPN service
- Transforming into a Brainiac just to set up OpenVPN
You’re not helpless. You’ve already set up DD-WRT on your home router and you feel proud of yourself. You should. It’s not easy to find the correct release, install it properly, and update it when necessary. OpenVPN is not terribly difficult to install and configure, but it requires a lot of work involving programs and concepts you’ve probably never been exposed to before.
It’s not especially difficult to configure secure SSH on your DD-WRT router. It’s not especially difficult to install and configure PuTTY on your laptop. It’s not especially difficult to configure your browser to pass through your home router via public WiFi, securely, using PuTTY. It’s far less difficult to install than OpenVPN. I have the pictures to prove it.
If It’s So Good, Why Do People Use OpenVPN?
To be blunt, OpenVPN does a better job securing your remote browsing. An SSH tunnel will secure your browser and your email program if you configure them to use the tunnel provided by PuTTY. OpenVPN will secure everything that goes out over the internet without configuring anything other than OpenVPN.
OpenVPN also permits you to point to a DNS server of your choice. An SSH tunnel on its own does not change which DNS server your PC uses, so you are generally stuck with the one handed out by the public WiFi provider. In most cases, that’s not a problem. DNS is the service that associates the name in the URL you entered with the IP address that takes you there. DNS servers reside in distant places. At home, your ISP may maintain one of its own or may link you to one somewhere else.
When you enter Google.com, a quick look-up on a distant DNS server cross references Google.com with its IP address and instantly returns it to your PC so it can complete your request for Google’s home page.
If a hacker has pointed the public WiFi’s DNS setting at a server he has altered, you may be in for trouble. You might end up at a spoofed bank site. OpenVPN allows you to keep control over the DNS server you ultimately use. SSH uses the one at hand, just like normal public WiFi … unless you manage a successful override.
A simple modification to the PC network adapter is said to allow you to use a DNS server of your choice. (The DNS servers below point to Google’s public DNS servers. There are others.) Various utility programs are also said to provide override DNS services. I haven’t tried any.
OpenDNS provides instructions about how to override your DNS server for a variety of devices.
Always enter ipconfig /flushdns in a command window after changing DNS providers. Otherwise Windows may keep using addresses it has already cached, rather than asking your chosen provider.
Some WiFi Providers Don’t Like You To Get Fancy On Them
Internet mythology states that SSH is less likely to be blocked by a remote internet provider than OpenVPN. That is a point in favor of SSH. Some public WiFi providers don’t want their users to use their internet for anything other than browsing and email. Your computer uses ports to keep track of what it sends out onto the internet. A port is like a TV channel. Your PC has over 65,000 of them. Port 80 is commonly used for normal internet browsing. Port 443 is universally used for HTTPS, or secure, encrypted browsing. Port 22 is normally associated with SSH and 1194 is commonly associated with OpenVPN. Internet communication also uses transmission methods called TCP and UDP. TCP includes error checking and makes sure everything arrives correctly and in the right order. UDP just sends it out and doesn’t care whether it gets there or not. Sometimes UDP makes more sense, for lots of good reasons. Most of the internet uses TCP.
Your public WiFi provider may get fussy if you try to do anything that goes out over ports other than 80, 443, or the ports commonly associated with email clients. They won’t tap you on the shoulder and ask you to leave. They will simply block your internet usage until you get with the program.
But you have a trick up your sleeve. Both SSH and OpenVPN can be configured to use port 443 TCP and not the ports typically associated with them. Most public WiFi providers are fooled by this and think you’re possibly on an internet shopping site using HTTPS. A smart few aren’t fooled. They have great equipment installed that closely inspects the outgoing traffic for the tiny differences between normal HTTPS and encrypted OpenVPN or encrypted SSH using port 443. If they find it, you will be blocked. Some can even detect and block a Tor browser. Internet mythology states SSH is less likely to be blocked than OpenVPN if both are using port 443.
Got It. How Do I Set Up Secure SSH?
Here are the steps. The details follow.
- Associate a DDNS name with your home router. Unless you have a static IP address, you may as well stop here until you get DDNS set up.
- Download PuTTY and PuTTYgen. They’re both free. PuTTY has been around forever and is well known and reputable.
- Use PuTTYgen to create a public and private key. Save them on your PC.
- Turn SSH on in DD-WRT, associate it with port 443, and paste the public certificate into a textbox.
- Use PuTTY to configure an SSH session that points to the private key you generated earlier and your DDNS URL. Save it so all it takes is a double click to start it.
- Start the SSH tunnel.
- Tell your browser to use the tunnel.
The certificates that PuTTYgen creates are the magic that makes your SSH implementation secure and keeps common hackers out of your DD-WRT SSH server. The public key goes on the SSH server. The private key stays with you. The server won’t let you connect unless your private key properly matches the public key on the server. If someone gets your public key … and it’s quite easy to get a copy of it … no big deal. The private key encrypts your browser session and PuTTY uses SSH to send it to your router. The public key associated with the private key decrypts the data and your router forwards it out to the world as you intended. Two public keys can’t work together. Additionally, the world thinks your current IP address is your home IP address, just like with OpenVPN.
You decide to be clever. You install OpenVPN and associate it with port 443 TCP. You then set up secure SSH and associate it with port 443. Both servers are turned on at the DD-WRT router. You think you’re ready for anything.
Unfortunately, SSH beats OpenVPN with respect to port 443. If both servers are enabled and both are associated with the same port (443 in this example) OpenVPN will not connect from your PC. If you want both servers to be active at the same time, they need to be linked to different ports.
How To Do It – Certificates
Download PuTTY and PuTTYgen.
Use PuTTYgen to create the public and private certificate.
Generate the keys.
Save them in files. DO NOT save the public certificate via the form button. Instead, copy the key from the text box (the one PuTTYgen labels as being for pasting into an OpenSSH authorized_keys file) into Notepad and save the Notepad file. That single-line format is the one DD-WRT expects. The file the button writes uses a different layout; it will not work in DD-WRT and your connection attempts will fail. Copy all of it. Do not add spaces or line breaks. The private key is fine as is. Just use the button.
You’re done with PuTTYgen.
How To Do It – DD-WRT
Log on to your router. Navigate to the Services / Services tabs.
Enable Secure Shell. Disable Password Login. With certificates, password login won’t work anyway. Change the port to 443 or whatever port you intend to use. Paste the public certificate into the textbox. Apply Changes. You’re done with the router.
How To Do It – PuTTY
Start PuTTY. Type your URL or IP address into the box. Enter the port DD-WRT will listen on.
Go to Connection / Data. Your user name is root. Seriously, that’s the name all DD-WRT routers expect to see if you sign in by any means other than the main router screen.
Go to Connection / SSH / Tunnels. Enter 8080 in Source Port. Check Auto and Dynamic. Click Add. Your screen should look like this when done. FYI, your browser will communicate with PuTTY using port 8080. PuTTY will send and receive using port 443 (or whatever port you use). The port on this screen links PuTTY and your browser together … after you tell your browser to also use port 8080. There’s nothing special about port 8080. It seems to be the convention for SSH tunnels.
Go to Connection / SSH / Auth. Link PuTTY to the private key file you saved earlier.
Go back to the main screen by clicking Session. Give the Session a name and click Save.
You’re done configuring PuTTY. To start your SSH session, double click the session name you saved.
If successful, you will see this screen. If asked about accepting a certificate, say Yes. It should do this only once. PuTTY is bringing in a copy of the public key from the SSH server on DD-WRT. If it doesn’t match the private key you told PuTTY about, you won’t connect.
Every time you decide to browse using the SSH tunnel, you will first start the PuTTY session. Then you will start your browser. If it has been told to use the port you entered into PuTTY, your session will be encrypted and appear to originate from your home router.
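Your browser and PuTTY’s port 8080 speak SOCKS5, and whether a DNS lookup leaves the tunnel (the DNS issue discussed earlier) depends on whether the browser hands PuTTY the hostname or an IP address it already resolved with the public WiFi’s DNS; in Firefox the about:config setting network.proxy.socks_remote_dns = true makes it send the hostname. The Python below is an added example, not code from the original post or from PuTTY or DD-WRT: it builds both request forms, classifies a captured request, and checks that PuTTY’s tunnel is listening before you start the browser, assuming PuTTY on localhost:8080 and using constructed sample hosts.

```python
import socket
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # SOCKS5 address types (RFC 1928)

def build_connect(host, port, resolve_locally):
    """SOCKS5 CONNECT request as a browser sends it to PuTTY on localhost:8080.
    resolve_locally=True mimics a browser that resolved the name with the public
    WiFi's DNS and hands PuTTY only the IP (the lookup leaked); False passes the
    hostname so it is resolved at the DD-WRT end of the tunnel."""
    if resolve_locally:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)  # host is an IPv4 literal
    else:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)  # VER, CMD=CONNECT, RSV

def inspect_connect(req):
    """Parse a SOCKS5 CONNECT request; report whether the DNS lookup left the tunnel."""
    if len(req) < 8 or req[0] != 0x05 or req[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, end = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, end = req[5:5 + n].decode("ascii"), 5 + n
    elif atyp == ATYP_IPV6:
        host, end = socket.inet_ntop(socket.AF_INET6, req[4:20]), 20
    else:
        raise ValueError("unknown SOCKS5 address type %#x" % atyp)
    if len(req) != end + 2:
        raise ValueError("truncated or over-long request")
    port = struct.unpack("!H", req[end:end + 2])[0]
    # Only a domain-name request lets the SSH server (your router) do the lookup.
    return {"host": host, "port": port, "dns_leaks": atyp != ATYP_DOMAIN}

def tunnel_is_listening(host="localhost", port=8080, timeout=2.0):
    """Pre-flight check: does PuTTY's dynamic forward answer the SOCKS5 greeting?"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")       # version 5, one method offered: no auth
            return s.recv(2) == b"\x05\x00"  # PuTTY replies: no authentication chosen
    except OSError:
        return False

if __name__ == "__main__":
    for host, local in (("www.example.com", False), ("192.0.2.10", True)):  # constructed samples
        print(inspect_connect(build_connect(host, 443, local)))
    print("PuTTY tunnel on localhost:8080 is up:", tunnel_is_listening())
```

Run it with the PuTTY session open: the last line tells you whether the tunnel is actually accepting connections, and "dns_leaks": True on a request means the name was resolved on the public WiFi before it ever reached your router.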
How To Do It – Firefox
Find Options on the main menu. Go to Advanced/ Network. Click Settings under Connection.
Select Manual proxy configuration. Type localhost and your port 8080 as illustrated below. Click OK, and OK again as you backtrack through the screens.
Refresh your browser screen. If successful, your screen should look no different. To verify the connection was successful, go to Whatismyip.com. It should present your home IP address, not the IP address of your local session. Make sure to do this last test away from home … perhaps at a local coffee shop like I did.
If unsuccessful, your screen will look like this.
To disconnect your browser from SSH, return to the options screen where you told Firefox about port 8080 and select the No Proxy button. Press OK all the way out. Refresh your browser. It should look normal. If not, you might have missed an OK button along the way out.
Return to the PuTTY window and either type exit and press ENTER or close the window. This will end the SSH session.
A little Google research should tell you how to configure other browsers and email clients to connect via PuTTY. Query SSH and ___________ with the other program in the blank space. It should be no more difficult than Firefox.
There you have it. It’s probably the easiest home brew VPN server you can make, assuming you’re using DD-WRT on your home router. It’s not perfect due to the DNS spoofing issue that was mentioned earlier. But if DNS spoofing were a problem, then not using SSH wouldn’t make a difference. All in all, it’s a pretty good way to safely browse the internet and bypass most firewalls that try to stop you from doing your stuff as you like.