
What you'll need:
* A spare Mac
* A dedicated Internet connection
* The ability to change network settings on both Macs (We recommend Meerkat, which costs $19.95.)
Protecting your privacy online is no easy task, and it's doubly difficult when surfing from work or your favorite coffee shop. Be not afraid. If you have a spare Mac and a high-speed Net connection, you can thwart both identity thieves and the snoops in your office IT department with an SSH proxy.
How it works
Essentially, an SSH proxy creates a dedicated connection between your local and remote Macs so the remote machine can serve as a stand-in for all of the local machine's network requests. Properly configured, this setup offers two levels of protection. First, anyone monitoring the local machine's connections will see only the connection to the proxy. And second, all traffic moving over SSH is encrypted. So even if it's intercepted, it can't be read.
Here's how to do it:

Mac OS X comes with an SSH proxy server built in. We just have to turn it on.
1. Enable SSH on the remote machine.
First, let's configure the Mac that will serve as our proxy. Open System Preferences, click the Sharing pane, and check the box next to "Remote login." When the light turns green, SSH is running. Oh, and while we're in System Preferences, head to the Energy Saver pane, and set the sleep slider to Never. (No naps allowed for our proxy server.)

IP addresses are like phone numbers--they're unique to each machine on the Web.
2. Get the proxy machine's IP address.
In order to connect to the proxy, we'll need that Mac's IP address--that is, its unique Internet "address." Open your Web browser and go to checkmyip.com. The site will display your IP address at the top of the page. Note that this number might be different from the internal IP address displayed by your Mac if you connect to the Internet through a wireless router or other home network. If that's the case, the number shown on checkmyip.com is the one you want. Write it down--you'll need it in a minute.

Be glad you spent the extra money for an Apple router. Port mapping can be a pain on some third-party routers.
3. Configure your router for SSH.
The Mac's built-in firewall will automatically allow SSH traffic when remote log-in is enabled, but wireless routers will not. (If you don't connect through a router, skip this step.) To configure your Airport Express, open the Airport Utility (Applications > Utilities > Airport Utility). Select your router from the list on the left, and click Manual Setup. Click the Advanced button, then the Port Mapping tab, and the plus symbol to add a new entry. Enter 22 for the public and private port numbers. Now, for the private IP address, we want the proxy Mac's IP address as it appears within your home network--not the address displayed earlier at checkmyip.com. To find the internal IP address, open System Preferences and click the Sharing pane. Select Remote Login from the list on the left, and look at the log-in instructions listed on the right. The numbers after the @ symbol are what you're looking for. Enter them in the private IP address field. Finally, click OK and Update to save the new settings and restart the router.
If you use a third-party router, check your documentation for how to enable port mapping.
If you use a third-party firewall, be sure to allow incoming connections on port 22.

Command-line junkies can create SSH tunnels for free with The Terminal app, but we prefer the ease of using Meerkat.
4. Create your SSH tunnel with Meerkat.
Now we're ready to move to the local Mac--the one that will connect to our proxy. If you haven't already, download Meerkat and install it by dragging its icon to your Applications folder. Run the app, and you'll be prompted to add a new SSH account. First choose a nickname for the account. For the username, enter your log-in name from the proxy Mac. For the server, enter the proxy Mac's IP address from step 2.
Click Save Account, and you'll be prompted to run the Tunnel Setup Assistant. Select "Dynamic service available locally" for the tunnel type, and enter 8080 for the local port number. Enter a nickname for your new tunnel, and click Create to save your settings. To activate your new tunnel, click the Tunnels tab, and check the box in the Active column. Meerkat will prompt you for your password. Enter your login password for the remote Mac, and the two machines will connect.
The local Mac is now a cruel, commanding Jabba the Hutt to the remote Mac's svelte Princess Leia. Okay, not really.
5. Point to your proxy server.
At this point, an SSH tunnel has been established on port 8080, but we still aren't routing traffic through it. Open System Preferences, select the Network pane, and click the Advanced button. Select the Proxies tab, and check the box next to SOCKS Proxy. Select Manually from the drop-down menu. In the text field under SOCKS Proxy Server, type localhost, and enter 8080 in the field to the right. Click OK and Apply to save the changes.
6. Verify the proxy is working.
Your proxy should now be working. To make certain, open your Web browser and return to checkmyip.com. The IP address displayed should be the same as your remote computer's IP from step 2. To enable proxy surfing from now on, simply check the box next to Active in Meerkat's host list, and repeat step 5. (To turn off proxy surfing, uncheck the box in Meerkat, and remove the proxy settings from step five.)
7. Change your DNS servers.
Unfortunately, using a second Mac as a proxy server leaves one part of your Web activity vulnerable to detection--your connection to the network's DNS server. The DNS server is responsible for taking each domain name that you request (google.com, for instance), and connecting you to the associated Web server. Obviously, the logs kept by these servers can reveal a lot about your surfing habits.
To give yourself some anonymity, open System Preferences, click the network tab, and select your connection method from the list on the left. Click Advanced, and click the DNS tab. Replace any existing entries with 208.67.222.222 and 208.67.220.220. Click OK and Apply to save the changes. (For more information and detailed instructions, check out opendns.com.)
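Whether a DNS lookup happens on the local Mac at all depends on what an application puts in its SOCKS request. The following is an added example, not part of the original article: it goes a little beyond step 7 by building and decoding SOCKS5 CONNECT requests (RFC 1928), and the helper names `build_connect` and `parse_connect` are hypothetical.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4  # RFC 1928 address types


def build_connect(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request: VER=5, CMD=1 (CONNECT), RSV=0, address, port."""
    try:
        ip = ipaddress.ip_address(host)  # IP literal: the name was already resolved
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    except ValueError:
        name = host.encode("idna")  # host name: left for the proxy end to resolve
        if not 0 < len(name) <= 255:
            raise ValueError("host name must be 1-255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)


def parse_connect(req: bytes):
    """Return (resolved_by, target, port) for a SOCKS5 CONNECT request.

    resolved_by is "proxy" when the request carries a host name (the lookup is
    done at the far end of the tunnel) and "client" when it carries only an IP
    (any lookup was done locally, outside the tunnel).
    """
    if len(req) < 7 or req[:2] != b"\x05\x01":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        n = body[0]
        who, target, rest = "proxy", body[1:1 + n].decode("ascii"), body[1 + n:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        who, target, rest = "client", str(ipaddress.ip_address(body[:n])), body[n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return who, target, struct.unpack(">H", rest)[0]


if __name__ == "__main__":
    # Constructed samples: 192.0.2.10 is a documentation address standing in
    # for an IP that the local machine looked up itself.
    for host in ("example.com", "192.0.2.10"):
        print(host, "->", parse_connect(build_connect(host, 80)))
```

A request decoded as "proxy" never causes a DNS query on the local network; one decoded as "client" means the name was looked up before the tunnel was involved.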
Caveats and Disclaimers
* The steps above will provide you with a degree of privacy on unfamiliar or unfriendly networks, but privacy is never guaranteed. In some office environments, a connection to an SSH tunnel alone might arouse suspicion--and especially if you're using it to watch 3GBs of YouTube videos every week.
* If you're unable to connect to your host Mac from some locations, it's probably because that network blocks the port number that SSH uses (22 by default).
* Surfing through a proxy will probably result in a slower connection, though with broadband connections the difference should be slight.
* These steps enable proxy surfing for all applications that use the network settings from System Preferences. Some non-native Mac apps, including Firefox, use their own settings, and must be configured separately.