OpenSSH is amazing. It's the Swiss Army Knife of network tools. Using this simple little program you can:
- connect securely to a remote machine using an encrypted connection
- create a VPN-like service without all the fuss of OpenVPN
- access your UNIX/Linux programs from your Windows and Mac machines
- get around port blocks that your ISP enforces (think: port 25)
The 'blah' stuff: connecting to a remote machine using OpenSSH
This is probably the way most of us have used OpenSSH in the past. We've got a remote server at work, home, or a VPS and we want to connect to it and manage it securely. Doing that is incredibly simple:
That's all it takes and you'll be presented with a login prompt (or asked for your SSH key passphrase, depending on how you've set things up). From then on, everything you do over that connection will be encrypted and completely safe from prying eyes.
I want my own personal VPN but OpenVPN is too hard to set up!
No problem, OpenSSH can give you VPN-like functionality without all the fuss that OpenVPN entails. I've set up OpenVPN in the past and it's not a fun task. And it's a complete waste of time if all you want to do is browse the web and check email without your ISP or anyone else knowing what you're doing. OpenSSH makes it easy using the -D option:
First, establish a secure connection with the remote SSH server using the -D command line option. You will pass only one additional thing: the local port you want your proxy listening on. This is the port you will tell your local applications to connect to in order to route traffic through your remote system:
ssh -D local_port_to_listen_on remote_username@remote_hostname.com
As before, you will either be presented with a prompt asking for your password on the remote machine or the passphrase for your SSH key. Provide this and you will be logged into the remote machine as normal. But here's the cool thing: OpenSSH is now also listening on a port on your LOCAL machine, ready for you to route traffic through it. When you do, it sends that traffic over the encrypted connection to the remote machine, where it exits onto the Internet. ANY application that can use SOCKS5 can route its traffic this way. This includes Firefox, Thunderbird, most IRC programs, and most other major Internet programs. One thing to check: SOCKS5 lets the application hand the hostname to the proxy so that DNS lookups also happen on the remote side, but the application has to be configured for it (in Firefox, the "Proxy DNS when using SOCKS v5" setting); otherwise name lookups still go to your ISP's resolver.
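As an added illustration (not part of the original post), here is what an application actually exchanges with the port that `ssh -D` opens: the SOCKS5 greeting, the CONNECT request and the server reply, plus a check for the DNS-leak case where the application resolved the name locally before asking the proxy. Field values follow RFC 1928; the target names and the sample reply are constructed.

```python
import socket
import struct

# SOCKS5 constants from RFC 1928 (the protocol `ssh -D` speaks on the local port).
SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def greeting() -> bytes:
    """Client hello: version 5, one method offered, and that method is 'no auth'.
    ssh -D accepts nothing else, so anything that can reach the listening port
    can use the tunnel; keep the -D port bound to 127.0.0.1 (the default)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(target: str, port: int) -> bytes:
    """CONNECT request for target:port. A hostname is sent as ATYP 0x03 and is
    resolved by the remote SSH host. If the application resolved the name
    itself, it passes a dotted IPv4 here (ATYP 0x01): the DNS query already
    went to the local resolver, which is the leak the post should worry about."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(target)
    except OSError:  # not an IPv4 literal, so send the name to the proxy
        name = target.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def request_leaks_dns(request: bytes) -> bool:
    """True when a captured CONNECT request carries a pre-resolved IPv4 address,
    i.e. the application looked the name up locally instead of via the tunnel."""
    return len(request) >= 4 and request[0] == SOCKS_VERSION and request[3] == ATYP_IPV4


def parse_reply(data: bytes) -> tuple[int, str, int]:
    """Decode the server reply: (REP status, bound address, bound port).
    REP 0 means the remote side opened the connection."""
    ver, rep, _rsv, atyp = data[:4]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        return rep, socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        return rep, data[5:5 + n].decode(), struct.unpack("!H", data[5 + n:7 + n])[0]
    raise ValueError("unsupported ATYP %#x" % atyp)


if __name__ == "__main__":
    # Constructed sample reply of the kind ssh -D returns on success (0.0.0.0:0).
    print(greeting().hex(), connect_request("example.com", 443).hex())
    print(parse_reply(bytes.fromhex("05000001000000000000")))
```

Running `request_leaks_dns` over CONNECT requests captured on the loopback interface is a quick way to confirm that a given application really is sending names, not addresses, to the tunnel.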
Anyone watching your connection will see you emerge from the remote machine and not your local one. Also, your ISP will have no idea what you are doing. Take that AT&T!