OpenWrt Forum Archive

Topic: Looking for a howto ssh privoxy

The content of this topic has been archived on 8 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm looking to set up a way to connect to my OpenWRT (7.09 kamikaze) router from work through a secure/encrypted method and anonymize/proxy my internet traffic through the router.

I don't really need a full-blown Tor setup. I've installed the privoxy package and I think I've got SSH enabled, but now I'm not sure what else I need to do; this is all new to me.

I'm looking for someone to say: you need to enable SSH by X, then install the privoxy package (reboot, verify it's running by Y), then configure privoxy and the firewall by doing Z, and now test it all out by watermelon.

Can you help me out with filling in the details for X, Y, Z and watermelon?

I'm using a normal proxy and a ssh tunnel for what you describe.

I've successfully used all of tinyproxy, msocksd and srelay.

Then for tunneling, I just use PuTTY and set up SSH tunnels in there to match the proxy configuration.

At the moment I use srelay on port 1080. That port is blocked in the OpenWrt firewall, so the proxy can only be used from the LAN, or from the WAN through an SSH tunnel.

Then at work, in my Firefox, I have set up a proxy; the address and port are localhost:1080.

The SSH tunnel created by PuTTY will listen on 1080 and forward it to the OpenWrt box at home on port 1080.

I am using a Firefox extension called SwitchProxy that allows me to quickly switch between proxy settings and no proxy. Then if you want to surf something "private", you can switch to proxy use easily.

To test, go to some page like http://www.myip.dk and check your IP / Hostname with and without proxy.

I installed the X-Wrt webif interface and I vaguely remember (I've got a bad cold and am taking decongestants, so it's a bit fuzzy) it saying something about enabling SSH. To test SSH, I just need to fire up PuTTY and try to connect to my router from the internet?

Also, it appears tinyproxy, msocksd and srelay are all types of proxy servers? So I would only need one of those; currently I have privoxy installed, but I suppose if one of the alternatives is faster then I could use it. I didn't know they existed and only knew about privoxy, so I chose that. What's the advantage of the others? I'm looking for a basic proxy for the web that can also allow me to either use meebo through the web or Pidgin for IM.

Thanks for the reply.

For normal use there is no need to install any kind of proxy server. If using PuTTY, just configure a dynamic tunnel and it will work as a SOCKS proxy, at the fastest speed.

Hint: beware of DNS leaks. If using Firefox (I'm using the Portable version: very handy!) just set the "network.proxy.socks_remote_dns" property to true.
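The dynamic tunnel and the DNS-leak hint above, as an added example that is not from the thread, from PuTTY or from Firefox: the block builds the SOCKS5 CONNECT request (RFC 1928) that a browser sends to localhost:1080 with and without remote DNS, and parses it the way the far end of the tunnel (the SSH server acting as SOCKS proxy) would, so you can see what "network.proxy.socks_remote_dns" changes on the wire. The host table standing in for the laptop's local resolver, the address 192.0.2.10 and the leaks_dns helper are constructed for illustration.

```python
"""SOCKS5 CONNECT requests with and without remote DNS (RFC 1928).

Added example, not code from the forum thread or from PuTTY/Firefox. The
SOCKS5 wire format is real; the host table, the sample address and the
leak-detection helper are constructed for illustration.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3
ATYP_IPV6 = 4

# Constructed stand-in for the laptop's local resolver. In a real leak the
# lookup would go to the work DNS server in clear text; here it is a table
# with a TEST-NET-1 address.
FAKE_LOCAL_DNS = {"www.myip.dk": "192.0.2.10"}


def build_connect(host, port, remote_dns, resolver=FAKE_LOCAL_DNS):
    """Return the SOCKS5 CONNECT request a client sends after the handshake.

    remote_dns=True  -> ATYP 0x03: the hostname itself travels through the
                        tunnel and is resolved by the SSH server at home.
                        This is what socks_remote_dns=true makes Firefox do.
    remote_dns=False -> the client resolves the name locally first (leaking
                        the query to the work network) and sends only the
                        IPv4 address (ATYP 0x01).
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(resolver[host]).packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(req):
    """Parse a SOCKS5 CONNECT request; return (atyp, target, port).

    A SOCKS server, or a tap on the tunnel, can use this to tell whether the
    client is sending names (good) or pre-resolved IPs (DNS already leaked).
    """
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        target = str(ipaddress.IPv4Address(req[4:8]))
        off = 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        target = req[5:5 + n].decode("idna")
        off = 5 + n
    elif atyp == ATYP_IPV6:
        target = str(ipaddress.IPv6Address(req[4:20]))
        off = 20
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(req) != off + 2:
        raise ValueError("truncated or trailing data in CONNECT request")
    (port,) = struct.unpack("!H", req[off:off + 2])
    return atyp, target, port


def leaks_dns(req):
    """True if a request that should carry a hostname carries an IP instead.

    Only meaningful when the browser was given a name, not an IP literal.
    """
    atyp, _, _ = parse_connect(req)
    return atyp != ATYP_DOMAIN


if __name__ == "__main__":
    for remote in (True, False):
        req = build_connect("www.myip.dk", 80, remote_dns=remote)
        print("remote_dns=%-5s %s leak=%s" % (remote, req.hex(), leaks_dns(req)))
```

With OpenSSH instead of PuTTY the same dynamic tunnel is `ssh -N -D 1080 -p 8080 root@openwrt.dyndns.com`. For a quick check from the command line, `curl --socks5-hostname localhost:1080 http://www.myip.dk` sends the name through the tunnel (ATYP 0x03), whereas `curl --socks5 localhost:1080 ...` resolves it locally first, which is exactly the leak the hint warns about.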

danielb wrote:

For normal use there is no need to install any kind of proxy server. If using PuTTY, just configure a dynamic tunnel and it will work as a SOCKS proxy, at the fastest speed.

Hint: beware of DNS leaks. If using Firefox (I'm using the Portable version: very handy!) just set the "network.proxy.socks_remote_dns" property to true.

Let me see if I understand you; again, this is all new to me, so bear with me.

If I want to do it your way I need only to:

Configure Dropbear (the SSH server, already installed)
optionally install srelay to keep the script kiddies from hammering port 22
Set up PuTTY on my Windows laptop

- Session
Hostname: openwrt.dyndns.com
Port: 22
Protocol: SSH

- Connection
   - SSH
     |Tunnels
        Forwarded Ports: D8080

Assuming I've got that right, I connect with PuTTY and set up Firefox:
HTTP Proxy: localhost
Port: 8080

Which if all goes right will proxy my internet request through SSH to my router then out my router to the internet then back to my router and back to my laptop.

ssh config

Firewall Rules
Match                    Target         Port
Destination Ports: 80    accept
Destination Ports: 80    192.168.1.1    80
Destination Ports: 8080  accept
Destination Ports: 8080  192.168.1.1    22

The port 80 stuff works so that I can access the web interface from the WAN side, so I tried the same thing for SSH (port 8080 forwarded to 22, since work blocks port 22 inbound/outbound).
I fire up PuTTY and tell it to connect to my router using SSH (from the WAN side) and I get connection refused.

Since I'm creating the firewall rules from the Webif interface is the default "block ssh from WAN" rule overriding me here?

(Last edited by beakmyn on 24 Oct 2007, 17:18)

beakmyn wrote:

- Session
Hostname: openwrt.dyndns.com
Port: 22
Protocol: SSH

- Connection
   - SSH
     |Tunnels
        Forwarded Ports: D8080

Looking at your actual configuration, it should be:

- Session
Hostname: openwrt.dyndns.com
Port: 8080
Protocol: SSH

- Connection
   - SSH
     |Tunnels
        Forwarded Ports: D1080 (you could use any port here, but it is better to use 1080 because it is the default SOCKS port)

beakmyn wrote:

Assuming I've got that right, I connect with PuTTY and set up Firefox:
HTTP Proxy: localhost
Port: 8080

If you used D1080, change the port to 1080.

beakmyn wrote:

ssh config

Firewall Rules
Match                    Target         Port
Destination Ports: 80    accept
Destination Ports: 80    192.168.1.1    80
Destination Ports: 8080  accept
Destination Ports: 8080  192.168.1.1    22

The port 80 stuff works so that I can access the web interface from the WAN side, so I tried the same thing for SSH (port 8080 forwarded to 22, since work blocks port 22 inbound/outbound).

Since I'm creating the firewall rules from the Webif interface is the default "block ssh from WAN" rule overriding me here?

Never used the webif interface, but I don't think it is affecting you.
This is what should be in your /etc/firewall.user:

iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.1:22
# 192.168.1.1 is the router itself: after the DNAT the packet is delivered
# locally, so the accept belongs in input_wan, not forwarding_wan
iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

(I'm assuming your router IP is 192.168.1.1)

I hope you can make it work now. Good luck!
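The firewall.user rules above, as an added example that is not from the thread or from OpenWrt: the block models the netfilter traversal order (nat PREROUTING, then the routing decision, then INPUT or FORWARD) for the Kamikaze 7.09 user chains named in the thread (prerouting_wan, input_wan, forwarding_wan) and shows why a DNAT whose target is the router's own address (192.168.1.1:22) is judged by input_wan, whereas a DNAT to another LAN host is judged by forwarding_wan. The chain names and 192.168.1.1 come from the thread; the WAN address 203.0.113.5, the work-side source 198.51.100.7, the LAN host 192.168.1.2, the Packet/Rule representation and the DENY default are constructed for illustration (the real 7.09 script rejects or drops WAN traffic that no rule accepted).

```python
"""Model of which OpenWrt 7.09 firewall chain sees a DNAT'd SSH connection.

Added example, not code from the thread or from OpenWrt. It models only the
netfilter traversal order (nat PREROUTING -> routing decision -> INPUT or
FORWARD) for the user chains the thread uses. Addresses other than
192.168.1.1 are constructed (TEST-NET ranges).
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Addresses the router itself answers on: the LAN side (from the thread) and a
# constructed WAN address. Traffic to either one is local delivery (INPUT).
ROUTER_IPS = frozenset({"192.168.1.1", "203.0.113.5"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                 # prerouting_wan | input_wan | forwarding_wan
    dport: int                 # --dport
    target: str                # DNAT | ACCEPT
    dst: Optional[str] = None  # -d, as used by forwarding rules
    to: Optional[str] = None   # DNAT --to "ip:port"


def traverse(pkt: Packet, rules: List[Rule],
             local_ips=ROUTER_IPS) -> Tuple[str, str, Packet]:
    """Return (filter chain consulted, verdict, packet after NAT).

    Only what the thread needs is modelled: -p tcp is implicit, the first
    match wins, and conntrack is ignored (we look at the initial SYN).
    """
    # 1. nat PREROUTING: packets arriving on the WAN interface enter
    #    prerouting_wan; a DNAT rewrites the destination before routing.
    for r in rules:
        if r.chain == "prerouting_wan" and r.dport == pkt.dport and r.target == "DNAT":
            ip, port = r.to.rsplit(":", 1)
            pkt = replace(pkt, dst=ip, dport=int(port))
            break
    # 2. routing decision, taken AFTER nat PREROUTING: a destination that is
    #    one of the router's own addresses is delivered locally (INPUT chain,
    #    i.e. input_wan); anything else is routed and goes through FORWARD.
    chain = "input_wan" if pkt.dst in local_ips else "forwarding_wan"
    # 3. filter chain: an ACCEPT whose --dport (and -d, if given) match wins;
    #    otherwise the script's default for WAN traffic applies (denied).
    for r in rules:
        if (r.chain == chain and r.target == "ACCEPT" and r.dport == pkt.dport
                and (r.dst is None or r.dst == pkt.dst)):
            return chain, "ACCEPT", pkt
    return chain, "DENY", pkt


# DNAT 8080 -> the router's own :22 paired with an ACCEPT in forwarding_wan.
# The DNAT target is local, so FORWARD is never consulted and the ACCEPT is dead.
AS_POSTED = [
    Rule("prerouting_wan", 8080, "DNAT", to="192.168.1.1:22"),
    Rule("forwarding_wan", 22, "ACCEPT", dst="192.168.1.1"),
]

# Same DNAT, with the ACCEPT in input_wan, where the packet actually goes.
FIXED = [
    Rule("prerouting_wan", 8080, "DNAT", to="192.168.1.1:22"),
    Rule("input_wan", 22, "ACCEPT"),
]

# For contrast: forwarding to a different LAN host (constructed 192.168.1.2)
# is the case where forwarding_wan is the right chain.
LAN_HOST = [
    Rule("prerouting_wan", 8080, "DNAT", to="192.168.1.2:22"),
    Rule("forwarding_wan", 22, "ACCEPT", dst="192.168.1.2"),
]


def ssh_from_work(rules: List[Rule]) -> Tuple[str, str]:
    """Initial SYN from a constructed work address to the router's WAN :8080."""
    chain, verdict, _ = traverse(Packet("198.51.100.7", "203.0.113.5", 8080), rules)
    return chain, verdict


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("fixed", FIXED), ("LAN host", LAN_HOST)):
        chain, verdict = ssh_from_work(rules)
        print("%-10s -> %-15s %s" % (name, chain, verdict))
```

The same distinction is the one the stock 7.09 firewall.user template draws between its "open port to WAN" example (nat ACCEPT plus input_wan) and its "port forwarding" example (DNAT plus forwarding_wan): the first is for services on the router itself, the second for hosts behind it.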

Just a slightly different tack. I would install OpenVPN on the home router and your laptop. It works through HTTP proxies; some places don't allow anything through apart from proxied HTTP and HTTPS (and port 563). If you set up OpenVPN to listen on port 563 at home you will get access from anywhere.

It can be set up as point to point, point to network or network to network. It works with X.509 certs as well. There are clients for Windows and Linux. The only problem is you need admin rights on Windows (and on Linux to install).

Alex

The reason I used 8080 is I talked to IT at work and they said that the firewall is open for that port. Something isn't right as I can SSH from home on the LAN but not from WAN. I may have to talk to him and take a look at the corporate firewall to see if it blocking me getting out. I created an identical rule for 443 (HTTPS) and that works to get to the web interface of the router from the WAN. He said he had 8080 open but maybe he was wrong. He will open port 22 for me for testing but I'd rather not have the router listening on port 22, since that port seems to be getting a lot of attention lately.

webif interface wrote:

Firewall:

Here you can forward ports and more. If you wish to manually configure these instead, use '/etc/config/firewall', not '/etc/firewall.user'. Although either works, only the former is used by this page.

Looks like either should work.

Yes my router is at 192.168.1.1 for now

danielb wrote:

iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.1:22
# 192.168.1.1 is the router itself: after the DNAT the packet is delivered
# locally, so the accept belongs in input_wan, not forwarding_wan
iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

This appears to be similar to but different from what I have. If I'm reading it correctly, those rules

route WAN port 8080 to LAN port 22
Accept port 22 on LAN

What my rules did is

Accept port 8080 on WAN
Forward Port 8080 WAN to LAN port 22

My understanding is, by default, everything is blocked on the WAN side unless you open it up and forward it to the LAN.


@alexsamad
Once I get this working I'll probably move on to OpenVPN, as that's a whole other 'can of worms'. Admin rights aren't a problem; I have them on all machines involved.
I did some reading and I'm still looking into TAP vs. TUN and what exactly needs to be done on the router besides installing OpenVPN (that's already done).

The webif interface is nice, it makes point and click configuration easy. Once I get SSH working though I'll switch back to good old CLI for configuring. Though I still want to get the proxy to work.

EDIT: got it working, HOWTO forthcoming!

(Last edited by beakmyn on 26 Oct 2007, 20:08)

Hi!
I'm really interested in this howto if you get the time to write it down!

The discussion might have continued from here.