February 28, 2007 12:00 AM

Secure Connectivity on the Road

Use OpenSSH and Squid to create a non-Microsoft VPN
Windows IT Pro
InstantDoc ID #94902

Connecting to the Internet while traveling can sometimes be dangerous, especially over open, unencrypted networks, such as those found at hotels, coffee shops, conventions, and sometimes even at client or business partner sites.

For example, at the DEFCON 14 hacker convention in Las Vegas in 2006, hackers sniffed the public wireless network to harvest all sorts of information from people who hadn't bothered to encrypt their network traffic, then posted those details on a "Wall of Shame" for everyone to see. As a result, a lot of people's sensitive information, including banking and business information, was compromised.

You can, of course, use a VPN to establish secure connectivity when you're mobile so that you don't fall victim to snoops. If you want a lightweight VPN solution that's easier to install and manage than other solutions, check out the OpenSSH VPN tool and the Squid for Windows proxy server (formerly SquidNT), both of which are free.

PROBLEM:
You need a way to protect the network communications of client computers when those clients are using untrusted networks.

SOLUTION:
Use OpenSSH and Squid for Windows to build a quick and simple VPN.

WHAT YOU NEED:
OpenSSH, Squid for Windows, Kraken Config, server computer, client computer

DIFFICULTY:
3 out of 5

OpenSSH and Squid for Windows
OpenSSH is based on the popular Secure Shell (SSH) technology, and Squid for Windows is based on the popular Squid proxy server. Both were originally developed for UNIX and Linux platforms; OpenSSH and Squid for Windows are versions of those tools designed specifically to run on Windows. One major benefit of these tools is their simplicity and portability. They're easy to install, require very little configuration and management, and the solution works on nearly any client OS in use today, which means you can build it on two desktops if you want instead of needing a dedicated server platform. These benefits are generally not available with proprietary solutions. Note that any client software you use must be able to support the use of a proxy server to communicate over this VPN solution. If you want to implement this solution on another platform, such as Linux, BSD, or OS X, simply obtain OpenSSH and Squid for that platform and apply the same principles that I describe in this article.

I'll show you how to build a VPN server and client, collectively referred to in this case as "VPN," step by step, by using the OpenSSH toolkit and Squid for Windows proxy server, which you can run on nearly any Windows system. This solution will let you move all your mobile-client traffic over an encrypted connection through the VPN and then out to the Internet or to systems on the network on which your VPN server resides.

An added benefit of this solution is that you can use it to remotely manage the server that runs OpenSSH or any systems that you have access to through the OpenSSH server (e.g., other systems on the same network). This is possible because when you connect to the OpenSSH server, you get a command-line prompt, which is actually a remote command shell running on the OpenSSH server. In that command shell, you can run any Windows commands or command-line tools that you have permission to access under the account with which you logged on. So if you want to manage other systems by using the OpenSSH connection, plan ahead by copying any tools that you might need onto the server before you head out on the road, or make sure you have access to other remote servers where any required tools might reside. If you need to manage other systems over the OpenSSH connection, you should probably use domain authentication (which Step 1 describes) so that you have proper permissions on those other systems.

How It Works
The OpenSSH/Squid for Windows solution is relatively simple. You install OpenSSH on a server and on any clients. You install Squid for Windows only on the server system. On the client side, OpenSSH connects to your OpenSSH server and opens a separate port on the client computer to listen for client traffic on the localhost address. You configure your client applications (Web browser, email client, chat client) to use a proxy server with the localhost address. The client applications then send traffic to the OpenSSH localhost port, which routes the traffic to the OpenSSH server over the encrypted connection. The OpenSSH server then receives that traffic and routes it to Squid for Windows, which in turn sends that traffic on to its destination. Although this might sound a bit complex, once you try it you'll see that it's very easy to understand and implement.

To implement this solution, you'll need one computer to use as the VPN server and at least one mobile computer to use as the VPN client. OpenSSH and Squid for Windows don't require much memory or CPU time, so you can easily run both on nearly any server that mobile computers can reach from the Internet. You could build the VPN server on a computer on your home network or, if your company policy allows it, on the company network instead. Be sure to read this solution in its entirety before you implement it.

SOLUTION STEPS:

  1. Install and configure OpenSSH on the server.
  2. Install and configure Squid for Windows using Kraken Config.
  3. Install OpenSSH on the client computer.
  4. Fire up the server and connect.
  5. Configure your client applications.

Step 1: Install and Configure OpenSSH on the Server
To get started, download a copy of OpenSSH (http://sshwindows.sourceforge.net/download) and install it on your server by using the installation wizard. This is a straightforward process and doesn't require any special knowledge.

After you install OpenSSH, I recommend that you edit the default configuration so that OpenSSH runs on some port other than the default port 22. Running on a port other than 22 makes it harder for intruders to discover the OpenSSH server by performing a port scan of the machine. Intruders expect an SSH server to listen on port 22, so if you move it to another port, they'll have a harder time figuring out what service is listening on that port. To change the default port, go to your OpenSSH installation directory and navigate to the etc subdirectory. Edit the sshd_config file and adjust the Port parameter to an unused port number on your system. In this article, I use port 422. If you're unsure which ports are already in use, run the netstat -an command to view all open ports; any port not in the list can probably be used for OpenSSH. Just be sure to remember the port number because you'll need it to log on to the OpenSSH server later.
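As an added illustration of the tunnel described under How It Works and of the port change in Step 1 (example code written for this page, not from the article or the OpenSSH/Squid projects), the script below parses a Windows netstat -an listing to find ports already in use, rewrites the Port directive in sshd_config to 422 only if that port is free, and builds the client-side ssh command whose loopback listener your applications use as their proxy. The netstat and sshd_config samples are constructed, and the Squid port 3128 (Squid's default), the user name, and the host name are assumptions.

```python
import re

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3128         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Constructed sshd_config fragment with the stock, commented-out default port.
SSHD_CONFIG_SAMPLE = "#Port 22\n#Protocol 2,1\nListenAddress 0.0.0.0\n"

# One TCP listener per line: protocol, local address:port, foreign address, state.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def listening_ports(netstat_text):
    """Set of TCP ports that already have a listener according to `netstat -an`."""
    return {int(port) for port in LISTEN_RE.findall(netstat_text)}


def set_sshd_port(config_text, port, netstat_text):
    """Return sshd_config text with Port set, refusing a port that is already in use."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port in listening_ports(netstat_text):
        raise ValueError(f"port {port} already has a listener; pick another")
    # Replace an active or commented-out Port line; add one if the file has none,
    # because sshd would otherwise silently keep listening on 22.
    new_text, n = re.subn(r"^#?\s*Port\s+\d+\s*$", f"Port {port}", config_text, flags=re.M)
    return new_text if n else f"Port {port}\n{config_text}"


def build_tunnel(user, host, ssh_port, local_port, squid_port):
    """ssh argv for the client: listen on 127.0.0.1:local_port, deliver to Squid on the server."""
    # Without -g, ssh binds the forward to loopback only, so other hosts on the
    # untrusted network cannot push their traffic through your tunnel.
    forward = f"{local_port}:127.0.0.1:{squid_port}"
    return ["ssh", "-N", "-p", str(ssh_port), "-L", forward, f"{user}@{host}"]


if __name__ == "__main__":
    print(set_sshd_port(SSHD_CONFIG_SAMPLE, 422, NETSTAT_SAMPLE))
    # Client applications are then pointed at http://127.0.0.1:3128 as their proxy.
    print(" ".join(build_tunnel("alice", "vpn.example.com", 422, 3128, 3128)))
```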

Comments
  • Michael, Mar 13, 2007

    I recommend using copSSH - OpenSSH for Windows (http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=12&MMN_position=22:22)
    It's a lot more up to date than OpenSSH for Windows 3.8.1p1. It includes version 4.6p1, which patches a lot of security holes and is still updated regularly. I would also recommend using PuTTY on the client side. No installation required. You can even run it from a removable flash drive.
