Oliver Nassar

EC2 SSH Tunnel

September 27, 2012

Following up on my Ubuntu VPN Build Script (on AWS EC2) post, I wanted to find a more dependable, and more secure, way of routing my network traffic through my AWS EC2 instance.

I settled on tunnelling my traffic through my instance using SSH. This was relatively straightforward, but required a little bit of finesse, and two aliases I needed to set up in OSX.

The process is as follows:

  1. You set up a tunnel to your instance from the command line (in OSX):

    ssh -i ~/path/to/key.pem -D <port> <instance-username>@<instance-host-or-ip>

    This connects to your instance securely and listens locally, on the port you specify, for traffic. Whatever is sent to that local port is forwarded on to your instance through the SSH connection.

  2. You activate a SOCKS proxy:

    networksetup -setsocksfirewallproxy "Wi-fi" localhost <port> off

    This activates a SOCKS proxy pointing at your localhost (since you're already connected), on port <port>, and turns off proxy authentication (since you're already authenticated through your key in step 1).

  3. That's it :)

While I'm running Ubuntu 12.04 LTS (Precise Pangolin) on the instance, this should work across a lot of different Linux versions, I would imagine.

Note: "Wi-fi" above should be the name of whatever your primary network connection is. You can see it under: System Preferences > Network

Closing the connection

I only want to use this connection with Netflix or when I'm using public Wi-Fi, so I want to be able to activate and close it on a whim.

When I exit the SSH connection, it sometimes hangs, and I need to press Ctrl-C to actually make it exit. But a problem persists: you've set up a proxy in your Network settings (albeit via the CLI, in step 2 above), which then blocks your traffic, since the connection to the proxy can no longer be made.

This is resolved by issuing the following:

    networksetup -setsocksfirewallproxystate "Wi-fi" off

This turns off the SOCKS proxy for your "Wi-fi" connection.

Automation

I've automated this with the following two aliases in OSX:

    alias vpn-off='networksetup -setsocksfirewallproxystate "Wi-fi" off'
    alias vpn-on='networksetup -setsocksfirewallproxy "Wi-fi" localhost <port> off && ssh -i ~/path/to/key.pem -D <port> <instance-username>@<instance-host-or-ip>'

Now, when I want to connect, I simply run vpn-on from my command line.
When I'm done, I press Ctrl-C, and then issue the vpn-off command.
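The following script is an added example, not the post's own aliases. It wraps steps 1 and 2 above, plus the "Closing the connection" fix, in a single function that switches the SOCKS proxy off again whether ssh exits normally, fails to start, or is interrupted with Ctrl-C, so the proxy is never left pointing at a port nothing listens on. It also passes ExitOnForwardFailure=yes so that ssh fails outright, rather than only warning, if the -D port cannot be bound. The service name, port, key path and user@host are placeholders passed as arguments; the NETWORKSETUP and SSH variables are an assumption of this example only, so the macOS commands can be swapped for stubs when the logic is exercised on another machine.

```sh
#!/bin/sh
# Added example (not the post's own aliases): the post's two steps wrapped so
# that the SOCKS proxy is always switched off again when the tunnel goes away.
# NETWORKSETUP and SSH are indirections used only so the macOS commands can be
# replaced with stubs for testing; on a Mac the defaults are the real tools.

: "${NETWORKSETUP:=networksetup}"
: "${SSH:=ssh}"

# Accept only unprivileged ports: ssh -D on a port below 1024 would need root.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Step 2 of the post: point the system SOCKS proxy at the local listener.
# The trailing "off" disables proxy authentication, as in the post.
socks_on() {   # $1 = network service name, $2 = local port
    "$NETWORKSETUP" -setsocksfirewallproxy "$1" localhost "$2" off
}

# The "Closing the connection" fix: without this the OS keeps handing traffic
# to a port nothing listens on once the tunnel is gone.
socks_off() {  # $1 = network service name
    "$NETWORKSETUP" -setsocksfirewallproxystate "$1" off
}

# Bring the tunnel up, keep it until ssh exits, and always undo step 2.
# ExitOnForwardFailure makes ssh exit non-zero when the -D port cannot be
# bound, so the proxy is never left pointing at a port another program owns;
# -N opens no remote shell, only the forward, so Ctrl-C ends the tunnel.
vpn_session() {  # $1 = service, $2 = port, $3 = key file, $4 = user@host
    VPN_SERVICE=$1
    valid_port "$2" || { echo "vpn_session: bad port '$2'" >&2; return 2; }
    socks_on "$VPN_SERVICE" "$2" || return 1
    # Signal path: clear the EXIT trap first so the proxy is not disabled twice.
    trap 'trap - EXIT; socks_off "$VPN_SERVICE"; exit 130' INT TERM
    trap 'socks_off "$VPN_SERVICE"' EXIT
    "$SSH" -i "$3" -N -D "$2" -o ExitOnForwardFailure=yes "$4"
    rc=$?
    # Normal path: disable the proxy explicitly and drop the traps.
    socks_off "$VPN_SERVICE"
    trap - EXIT INT TERM
    return "$rc"
}

# Usage: sh ec2-tunnel.sh run "Wi-fi" 1080 ~/path/to/key.pem <instance-username>@<instance-host-or-ip>
if [ "${1-}" = run ]; then
    vpn_session "$2" "$3" "$4" "$5"
fi
```

Run it as shown in the usage comment; it blocks while the tunnel is up, and when ssh exits for any reason the proxy state is reset, which replaces the separate vpn-off step. The exit status of vpn_session is the exit status of ssh, so a failed port bind is visible immediately instead of silently leaving the proxy enabled.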

Future Changes

I think I may delve into the OSX application development world. I think it'd be great to have this as a menu item at the top of my screen at all times. With the ability to specify your port, username, host and key, I think it'd be a nice application, one that I would pay for myself :)

I found a couple of applications that are close to meeting my needs, but fall short :(

Note on ports

The port you use above doesn't matter a whole lot. It doesn't need to be open in your instance's security group, since it is a local port on your own machine (the one ssh -D listens on), not a port on the instance.

Resources

A couple of posts that guided me in the right direction were Forward trafic from secure VPN (ipsec) to PPTP, which suggested an alternative to PPTP (which I was using before), and How to change proxy setting using Command line in Mac OS?, which helped me with the CLI command for changing my OSX network settings.