Connecting to the Internet while traveling can sometimes be dangerous, especially
over open, unencrypted networks, such as those found at hotels, coffee shops,
conventions, and sometimes even at client or business partner sites.
To give you an example, at the 2006 DEFCON 14
hacker convention in Las Vegas, hackers sniffed the
public wireless network airwaves to discover all sorts of
information from people who didn't bother to encrypt
their network traffic. The hackers then posted those
details on a "Wall of Shame" for everyone to see. As a
result, a lot of people's sensitive information, including banking and business information, was compromised.
You can, of course, use a VPN to establish secure connectivity when you're
mobile so that you don't fall victim to snoops. If you want a lightweight VPN
solution that's easier to install and manage than other solutions, check out
the OpenSSH VPN tool and the Squid for Windows proxy server (formerly SquidNT),
both of which are free.
|
PROBLEM:
You need a way to protect the network communications
of client computers when those clients are using untrusted networks.
SOLUTION:
Use OpenSSH and Squid for Windows to build a quick and
simple VPN.
WHAT YOU NEED:
OpenSSH, Squid for Windows, Kraken Config, server
computer, client computer
DIFFICULTY:
3 out of 5
|
OpenSSH and Squid for Windows
OpenSSH is based on the popular Secure Shell (SSH) technology, and Squid for
Windows is based on the popular Squid proxy server, both of which were originally
developed for UNIX and Linux platforms. OpenSSH and Squid for Windows are versions
of those tools that have been designed specifically to run on Windows platforms.
One major benefit of using these tools is their simplicity and portability.
They're easy to install, require very little configuration and management, and
the solution works on nearly any client OS today, which means you can install
this solution on two desktops if you want, instead of needing a dedicated server
platform. Proprietary solutions, of course, rarely offer these benefits. Note that
any client software you use must be able to support the use of a proxy server to
communicate over this VPN solution. If you want to implement this solution on
another platform, such as Linux, BSD, or OS X, simply obtain OpenSSH and Squid
for that platform and apply the same principles that I provide in this article.
I'll show you how to build a VPN server and client, collectively referred to in this case as "VPN," step
by step, by using the OpenSSH toolkit and Squid for
Windows proxy server, which you can run on nearly
any Windows system. This solution will let you move
all your mobile-client traffic over an encrypted connection through the VPN and then out to the Internet
or to systems on the network on which your VPN
server resides.
An added benefit of this solution is that you can use it to remotely manage
the server that runs OpenSSH or any systems that you have access to through
the OpenSSH server (e.g., other systems on the same network). This is possible
because when you connect to the OpenSSH server, you get a command-line prompt,
which is actually a remote command shell running on the OpenSSH server. In that
command shell, you can run any Windows commands or command-line tools that you
have permission to access under the account with which you logged on. So if
you want to manage other systems by using the OpenSSH connection, plan ahead
by copying any tools that you might need onto the server before you head out
on the road, or make sure you have access to other remote servers where any
required tools might reside. If you need to manage other systems over the OpenSSH
connection, you should probably use domain authentication (which Step 1 describes)
so that you have proper permissions on those other systems.
How It Works
The OpenSSH/Squid for Windows solution is relatively simple. You install OpenSSH
on a server and on any clients. You install Squid for Windows only on the server
system. On the client side, OpenSSH connects to your OpenSSH server and opens
a separate port on the client computer to listen for client traffic on the localhost
address. You configure your client applications (Web browser, email client,
chat client) to use a proxy server with the localhost address. The client
applications then send traffic to the OpenSSH localhost port, which routes
the traffic to the OpenSSH server over the encrypted connection. The OpenSSH
server then receives that traffic and routes it to Squid for Windows, which
in turn sends that traffic on to its destination. Although this might sound
a bit complex, once you try it you'll see that it's very easy to understand
and implement.
To implement this solution, you'll need one computer to use as the VPN server
and at least one mobile computer to use as the VPN client. OpenSSH and Squid
for Windows don't require much memory or CPU time, so you can easily run both
on nearly any server that mobile computers can reach from the Internet. You
could also build the VPN server on a computer on your home network, and if
your company policy allows for it, build on the company network instead. Be
sure to read this solution in its entirety before you implement it.
|
SOLUTION STEPS:
- Install and configure OpenSSH on the server.
- Install and configure Squid for Windows using Kraken Config.
- Install OpenSSH on the client computer.
- Fire up the server and connect.
- Configure your client applications.
|
Step 1: Install and Configure OpenSSH on the Server
To get started, download a copy of OpenSSH (http://sshwindows.sourceforge.net/download)
and install it on your server by using the installation wizard. This is a straightforward
process and doesn't require any special knowledge.
After you install OpenSSH, I recommend that you edit the default configuration
so that OpenSSH runs on some port other than the default port 22. Running on
a port other than 22 makes it harder for intruders to discover the OpenSSH server
by performing a port scan of the machine. Intruders expect an SSH server to
listen on port 22, so if you move it to another port, then they'll have a harder
time figuring out what service is listening on that port. To change the default
port, go to your OpenSSH installation directory and navigate to the etc subdirectory.
Edit the sshd_config file and adjust the port parameter to an unused port number
on your system. In this article, I use port 422. If you're unsure which ports
are already taken, run the netstat -an command to view all open ports. Any
port not in the list can probably be used for OpenSSH. Just be sure
to remember the port number because you'll need it to log on to the OpenSSH
server later.
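As an added example (not from the article), the following Python script ties Step 1 to the How It Works section: it reads netstat -an output to confirm that the chosen port (422, as in the article) is not already bound, rewrites the Port directive in sshd_config (including the commented-out #Port 22 default that the shipped file carries), and builds the matching client-side ssh -L command that listens on the client's localhost and relays to Squid on the server. The netstat and sshd_config samples are constructed; the Squid port 3128, the user name, and the server name are assumptions rather than values from the article.

```python
import re

# Constructed sample of "netstat -an" output from the server (not real data).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3128         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.55:50211     ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""
# Constructed sshd_config excerpt; the shipped file comments out the default port.
SSHD_CONFIG_SAMPLE = "#Port 22\n#Protocol 2,1\nProtocol 2\n#ListenAddress 0.0.0.0\n"

def local_ports_in_use(netstat_output):
    """Every local port netstat shows as bound (TCP or UDP, any state)."""
    ports = set()
    for line in netstat_output.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s", line)
        if m:
            ports.add(int(m.group(2)))
    return ports

def port_is_free(port, in_use):
    """True when the port is in range and netstat did not list it."""
    return 1 <= port <= 65535 and port not in in_use

def set_sshd_port(config_text, port, in_use):
    """Return config_text with exactly one active 'Port <port>' line, replacing
    the commented-out default ('#Port 22') in place or appending if absent."""
    if not port_is_free(port, in_use):
        raise ValueError(f"port {port} is invalid or already in use")
    out, done = [], False
    for line in config_text.splitlines():
        if re.match(r"\s*#?\s*Port\s+\d+\s*$", line, re.IGNORECASE):
            if not done:                      # keep a single Port directive
                out.append(f"Port {port}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"Port {port}")
    return "\n".join(out) + "\n"

def client_tunnel_command(user, server, ssh_port, squid_port=3128, local_port=3128):
    """Client half of 'How It Works': ssh listens on 127.0.0.1:<local_port> and
    relays each connection over the encrypted session to Squid; -N: no shell."""
    return ["ssh", "-N", "-p", str(ssh_port),
            "-L", f"127.0.0.1:{local_port}:127.0.0.1:{squid_port}",
            f"{user}@{server}"]
```

Binding the forwarded port to 127.0.0.1 explicitly keeps other hosts on the untrusted network from using the client's tunnel as their own proxy.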