web.onassar.com Archive

I can be reached at onassar@gmail.com.

For my open source work, check out github.com/onassar

EC2 SSH Tunnel

View more posts

Following up my Ubuntu VPN Build Script (on AWS EC2) post, I wanted to find a more dependable, and secure, way of shuffling my network-traffic through my AWS EC2 instance.

I settled on tunnelling my traffic through my instance using SSH. This was relatively straightforward, but required a little bit of finesse, with two aliases I needed to set up in OSX.

The process is as follows:

  1. You setup a tunnel to your instance from the command line (in OSX):

    ssh -i ~/path/to/key.pem -D <port> <instance-username>@<instance-host-or-ip>
    This will connect to your instance securely, and listen locally for traffic, on the port you specify. This traffic will be forwarded on to your instance.

  2. You activate a SOCKS proxy:

    networksetup -setsocksfirewallproxy "Wi-fi" localhost <port> off
    This will activate a SOCKS proxy, connecting to your localhost (since you're already connected), on port <port>, and turn off authentication (since you're already authenticated through your key in step 1)

  3. That's it :)

While I'm running Ubuntu 12.04 LTS (Precise Pangolin), this should work across a lot of different linux versions, I would imagine.

Note: "Wi-fi" above should be the name of whatever your primary connection is. This can be seen in: System Preferences > Network

Closing the connection

I only want to use this connection with Netflix or when I'm using public Wi-Fi, so I want to be able to activate and close it on a whim.

When I exit out of the ssh-connection, it sometimes hangs, and I need to press Ctrl-C to actually have it exit. But a problem persists: you've set-up a proxy in your Network settings (albeit, through step 2 above via CLI), which then stops your traffic (since the connection can no longer be made).

This is resolved by issuing the following:
networksetup -setsocksfirewallproxystate "Wi-fi" off

This turns off the SOCKS proxy for your "Wi-fi" connection.


I've automated this with the following two aliases in OSX:

alias vpn-off='networksetup -setsocksfirewallproxystate "Wi-fi" off'
alias vpn-on='networksetup -setsocksfirewallproxy "Wi-fi" localhost <port> off && ssh -i ~/path/to/key.pem -D <port> <instance-username>@<instance-host-or-ip>'

Now, when I want to connect, I simply run vpn-on from my command line.
When I'm done, I press Ctrl-C, and then issue the vpn-off command.

Future Changes

I think I may delve into the OSX application development world. I think it'd be great to have this as a menu-item at the top of my screen at all times. With the ability to specify your port, username, host and key, I think it'd be a nice application, that I would pay for my self :)

I found a couple of applications that are close to meeting my needs, but fall short :(

Note on ports

The port you use above doesn't matter a whole-lot. It doesn't need to be open in your instance's security group, since they are local ports.


A couple posts that guided me in the right direction were Forward trafic from secure VPN (ipsec) to PPTP, which suggested an alternative to PPTP (which I was doing before), and How to change proxy setting using Command line in Mac OS?, which helped me with the CLI command for changing my OSX network-settings.