Web Surfing Under the Radar With Proxies
What you'll need:
* A spare Mac
* A dedicated Internet connection
* The ability to change network settings on both Macs (We recommend Meerkat, which costs $19.95.)
Protecting your privacy online is no easy task, and it's doubly difficult when surfing from work or your favorite coffee shop. Be not afraid. If you have a spare Mac and a high-speed Net connection, you can thwart both identity thieves and the snoops in your office IT department with an SSH proxy.
How it works
Essentially, an SSH proxy creates a dedicated connection between your local and remote Macs so the remote machine can serve as a stand-in for all of the local machine's network requests. Properly configured, this setup offers two levels of protection. First, anyone monitoring the local machine's connections will see only the connection to the proxy. And second, all traffic moving over SSH is encrypted. So even if it's intercepted, it can't be read.
Here's how to do it:

Mac OS X comes with an SSH proxy server built in. We just have to turn it on.
1. Enable SSH on the remote machine.
First, let's configure the Mac that will serve as our proxy. Open System Preferences, click the Sharing pane, and check the box next to "Remote login." When the light turns green, SSH is running. Oh, and while we're in System Preferences, head to the Energy Saver pane, and set the sleep slider to Never. (No naps allowed for our proxy server.)

IP addresses are like phone numbers--they're unique to each machine on the Web.
2. Get the proxy machine's IP address.
In order to connect to the proxy, we'll need that Mac's IP address--that is, its unique Internet "address." Open your Web browser and go to checkmyip.com. The site will display your IP address at the top of the page. Note that this number might be different from the internal IP address displayed by your Mac if you connect to the Internet through a wireless router or other home network. If that's the case, the number shown on checkmyip.com is the one you want. Write it down--you'll need it in a minute.

Be glad you spent the extra money for an Apple router. Port mapping can be a pain on some third-party routers.
3. Configure your router for SSH.
The Mac's built-in firewall will automatically allow SSH traffic when remote log-in is enabled, but wireless routers will not. (If you don't connect through a router, skip this step.) To configure your Airport Express, open the Airport Utility (Applications > Utilities > Airport Utility). Select your router from the list on the left, and click Manual Setup. Click the Advanced button, then the Port Mapping tab, and the plus symbol to add a new entry. Enter 22 for the public and private port numbers. Now, for the private IP address, we want the proxy Mac's IP address as it appears within your home network--not the address displayed earlier at checkmyip.com. To find the internal IP address, open System Preferences and click the Sharing pane. Select Remote Login from the list on the left, and look at the log-in instructions listed on the right. The numbers after the @ symbol are what you're looking for. Enter them in the private IP address field. Finally, click OK and Update to save the new settings and restart the router.
If you use a third-party router, check your documentation for how to enable port mapping.
If you use a third-party firewall, be sure to allow incoming connections on port 22.

Command-line junkies can create SSH tunnels for free with The Terminal app, but we prefer the ease of using Meerkat.
4. Create your SSH tunnel with Meerkat.
Now we're ready to move to the local Mac--the one that will connect to our proxy. If you haven't already, download Meerkat and install it by dragging its icon to your Applications folder. Run the app, and you'll be prompted to add a new SSH account. First choose a nickname for the account. For the username, enter your log-in name from the proxy Mac. For the server, enter the proxy Mac's IP address from step 2.
Click Save Account, and you'll be prompted to run the Tunnel Setup Assistant. Select "Dynamic service available locally" for the tunnel type, and enter 8080 for the local port number. Enter a nickname for your new tunnel, and click Create to save your settings. To activate your new tunnel, click the Tunnels tab, and check the box in the Active column. Meerkat will prompt you for your password. Enter your login password for the remote Mac, and the two machines will connect.
The local Mac is now a cruel, commanding Jabba the Hutt to the remote Mac's svelte Princess Leia. Okay, not really.
5. Point to your proxy server.
At this point, an SSH tunnel has been established on port 8080, but we still aren't routing traffic through it. Open System Preferences, select the Network pane, and click the Advanced button. Select the Proxies tab, and check the box next to SOCKS Proxy. Select Manually from the drop-down menu. In the text field under SOCKS Proxy Server, type localhost, and enter 8080 in the field to the right. Click OK and Apply to save the changes.
6. Verify the proxy is working.
Your proxy should now be working. To make certain, open your Web browser and return to checkmyip.com. The IP address displayed should be the same as your remote computer's IP from step 2. To enable proxy surfing from now on, simply check the box next to Active in Meerkat's host list, and repeat step 5. (To turn off proxy surfing, uncheck the box in Meerkat, and remove the proxy settings from step 5.)
7. Change your DNS servers.
Unfortunately, using a second Mac as a proxy server leaves one part of your Web activity vulnerable to detection--your connection to the network's DNS server. The DNS server is responsible for taking each domain name that you request (google.com, for instance), and connecting you to the associated Web server. Obviously, the logs kept by these servers can reveal a lot about your surfing habits.
To give yourself some anonymity, open System Preferences, click the network tab, and select your connection method from the list on the left. Click Advanced, and click the DNS tab. Replace any existing entries with 208.67.222.222 and 208.67.220.220. Click OK and Apply to save the changes. (For more information and detailed instructions, check out opendns.com.)
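For readers who prefer Terminal, here is a command-line equivalent of steps 4 through 6. It is an added example, not part of the original article and not Meerkat's own code. The user name, the address 203.0.113.10, the "Wi-Fi" service name, the http:// URL and the assumption that the first IPv4 address on the checkmyip.com page is yours are all placeholders or assumptions to adjust.

```shell
#!/bin/sh
# Added example: Terminal equivalent of steps 4-6. Values below are placeholders.
PROXY_USER="yourname"        # log-in name on the proxy Mac (placeholder)
PROXY_HOST="203.0.113.10"    # public IP from step 2 (documentation address)
SOCKS_PORT=8080              # local port chosen in step 4
SERVICE="Wi-Fi"              # assumed name; list with: networksetup -listallnetworkservices

# Step 4: open a dynamic (SOCKS) forward bound to loopback only.
# -N runs no remote command, -f backgrounds ssh once you have authenticated.
start_tunnel() {
  ssh -f -N -D "127.0.0.1:${SOCKS_PORT}" \
      -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
      "${PROXY_USER}@${PROXY_HOST}"
}

# Step 5: point the system SOCKS proxy at the tunnel (needs admin rights).
enable_proxy() {
  networksetup -setsocksfirewallproxy "$SERVICE" localhost "$SOCKS_PORT" &&
  networksetup -setsocksfirewallproxystate "$SERVICE" on
}
disable_proxy() {
  networksetup -setsocksfirewallproxystate "$SERVICE" off
}

# Pull the first dotted-quad out of whatever text arrives on stdin.
first_ipv4() {
  grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Step 6 check: $1 = page text fetched through the tunnel, $2 = expected IP.
shows_proxy_ip() {
  [ "$(printf '%s\n' "$1" | first_ipv4)" = "$2" ]
}

# Fetch the IP-echo page through the tunnel. --socks5-hostname hands the
# hostname to the proxy, so the DNS lookup also happens on the remote Mac.
verify_proxy() {
  page=$(curl -s --max-time 15 --socks5-hostname "localhost:${SOCKS_PORT}" \
         "http://checkmyip.com/") || return 1
  shows_proxy_ip "$page" "$PROXY_HOST"
}

case "${1:-}" in
  up)   start_tunnel && enable_proxy && verify_proxy && echo "proxy OK" ;;
  down) disable_proxy; pkill -f "ssh .*-D 127.0.0.1:${SOCKS_PORT}" ;;
esac
```

Save it as a script and run it with `up` or `down`; with no argument it only defines the functions.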
Caveats and Disclaimers
* The steps above will provide you with a degree of privacy on unfamiliar or unfriendly networks, but privacy is never guaranteed. In some office environments, a connection to an SSH tunnel alone might arouse suspicion--and especially if you're using it to watch 3GBs of YouTube videos every week.
* If you're unable to connect to your host Mac from some locations, it's probably because that network blocks the port number that SSH uses (22 by default).
* Surfing through a proxy will probably result in a slower connection, though with broadband connections the difference should be slight.
* These steps enable proxy surfing for all applications that use the network settings from System Preferences. Some non-native Mac apps, including Firefox, use their own settings, and must be configured separately.
codex
April 20, 2010 at 7:30am
Thanks so much for this! This is exactly what I was looking for
montana2ny
October 28, 2008 at 5:24pm
I use Hotspot Shield when surfing in public places. Don't know how effective it would be in the office.
http://www.hotspotshield.com/
incanus
October 27, 2008 at 5:04pm
I'm the author of Meerkat. Thanks for the write-up.
I'm also a UNIX & OS X sysadmin, so I can certainly appreciate the free and/or command line ways to do web proxying. I thought that I would add two bits of info that explain how Meerkat could make this scenario easier.
First, reconfiguring: Meerkat automatically responds to network changes such as system sleep or IP address change. This beats Terminal solutions hands down.
Second, check out NetworkLocation, for which I've written a Meerkat plugin. This tool can automatically detect where you are, physically or network-wise, and configure your system proxy settings accordingly. Combine this with Meerkat and you can automatically have secure proxy serving up and running when you wake your computer on the networks that require it.
ecrist
October 22, 2008 at 8:49am
I've documented the free way, with terminal, to do secure web browsing. This requires you have access to a remote SSH system. Check out rootshell.be for one host that offers free SSH accounts with proxy support.
See my site for my example.
MacAddict4Life
October 21, 2008 at 8:43am
Interesting, useful article. But it would be far more useful if it included the terminal instructions as well.

















