Setup SSH on Router: Secure Remote Access Guide

July 13, 2011
Protecting Your Data on Public Wi-Fi

Utilizing internet connections from public Wi-Fi hotspots, workplaces, or any location outside of your home network can introduce vulnerabilities to your data. These networks often lack robust security measures.

Fortunately, establishing a secure connection, or tunnel, through your router is a viable method to safeguard your browsing activity when operating remotely.

Understanding the Risks

When connecting to unsecured Wi-Fi networks, your data is potentially exposed to interception by malicious actors. This includes sensitive information like passwords, financial details, and personal communications.

A secure tunnel, such as a Virtual Private Network (VPN), encrypts your internet traffic, making it unreadable to anyone attempting to eavesdrop.

Configuring a Secure Tunnel

Many modern routers offer built-in VPN server functionality. This allows you to create a secure connection back to your home network from anywhere in the world.

The specific configuration steps will vary depending on your router's manufacturer and model. However, the general process typically involves the following:

  • Accessing your router's administration interface through a web browser.
  • Locating the VPN server settings.
  • Enabling the VPN server and configuring the desired settings, such as the encryption protocol and user credentials.
  • Downloading and installing a VPN client on your remote device.
  • Connecting to your home network's VPN server using the client.

Benefits of Using a VPN

Employing a VPN offers several key advantages for remote users:

  • Enhanced Security: Encryption protects your data from interception.
  • Privacy Protection: Masks your IP address, making it more difficult to track your online activity.
  • Access to Home Network Resources: Allows you to securely access files and devices on your home network.

By implementing these measures, you can significantly reduce the risks associated with using public Wi-Fi and maintain the confidentiality of your online communications.

Understanding Secure Tunnels and Their Importance

Many users question the necessity of establishing a secure tunnel between their devices and their home router, and the advantages such a setup provides. Let's explore several common internet usage scenarios to illustrate the benefits of secure tunneling.

Consider this: you are working from a coffee shop, utilizing their complimentary Wi-Fi with your laptop. Your data travels wirelessly from your device to the coffee shop’s Wi-Fi access point, then onward to the broader internet. During this transmission, your information is potentially exposed.

Anyone equipped with a Wi-Fi-enabled device in the vicinity could intercept your data. The process is remarkably simple; even a technically adept young person with readily available software could compromise your login credentials for various online services. Imagine speaking a language no one else understands in a crowded room – the moment someone appears who *does* understand, your privacy is lost.

Now, envision the same scenario, but this time you've created an encrypted tunnel using SSH between your laptop and your home router. All your internet traffic is now routed through this secure connection, effectively turning your home router into a proxy server.

This encrypted pipeline is virtually impenetrable to Wi-Fi eavesdroppers, who would only observe an unintelligible stream of encrypted data. Regardless of the security of the public Wi-Fi network, your data remains protected within the tunnel until it reaches your home network and then proceeds to the internet.

The contrast is clear: in the first scenario, your online activity is completely exposed, while in the second, you can access sensitive websites, like your online banking portal, with the same level of security you enjoy at home.

The benefits extend beyond Wi-Fi networks. An SSH tunnel can also secure a wired connection, allowing you to remotely access a network and bypass firewall restrictions, effectively replicating your home internet experience.

The advantages are compelling, and the setup process is surprisingly straightforward. Establishing your own secure tunnel is achievable within a short timeframe – often less than an hour.

How Secure Tunneling Works: A Deeper Look

The core principle behind a secure tunnel lies in creating an encrypted connection between your device and a trusted point, typically your home router. This encryption shields your data from potential interception during transit.

SSH (Secure Shell) is a commonly used protocol for establishing these tunnels. It provides a secure channel for data transmission, ensuring confidentiality and integrity. When you initiate an SSH tunnel, your data is encrypted on your device before being sent over the network.

This encrypted data travels through the internet, arriving at your home router. The router decrypts the data and then forwards it to its intended destination on the internet. Conversely, data returning from the internet is encrypted by the router before being sent back through the tunnel to your device.

Benefits of Using a Secure Tunnel

  • Enhanced Security on Public Wi-Fi: Protects your data from eavesdropping on insecure networks.
  • Bypassing Firewalls: Allows access to restricted content or services.
  • Remote Access: Enables secure access to your home network from anywhere.
  • Data Privacy: Ensures your online activities remain confidential.

The SSH tunnel acts as a protective conduit, safeguarding your sensitive information from unauthorized access. It’s a powerful tool for anyone concerned about online security and privacy.

Setting up a secure tunnel doesn’t require advanced technical expertise. Numerous guides and tutorials are available online to walk you through the process step-by-step. The initial investment of time is minimal compared to the ongoing security benefits.

Essential Requirements

Numerous methods exist for establishing an SSH tunnel to enhance the security of your internet browsing. This tutorial concentrates on configuring an SSH tunnel with maximum simplicity, minimizing complexity for users with a home router and Windows computers.

To effectively follow this guide, ensure you have the following components readily available:

  • A router utilizing the Tomato or DD-WRT custom firmware.
  • An SSH client, such as PuTTY.
  • A web browser with SOCKS proxy support, like Firefox.

This guide will specifically demonstrate the process using Tomato firmware. However, the steps are largely consistent with those required for DD-WRT.

If your router currently lacks custom firmware, consult our comprehensive guide on installing DD-WRT and Tomato before continuing with these instructions.

Router Firmware Considerations

The use of modified firmware like Tomato or DD-WRT is crucial. These firmwares provide the necessary SSH access for creating a secure tunnel.

Software Prerequisites

PuTTY serves as the SSH client, facilitating the connection to your router. A SOCKS-compatible browser, such as Firefox, is required to route your web traffic through the tunnel.

Ensure you have these tools installed and accessible on your Windows machine before proceeding to the configuration steps.

Creating Keys for a Secure Encrypted Connection

It may appear unconventional to begin with key generation prior to configuring the SSH server itself. However, having the keys prepared beforehand allows for a streamlined, single-pass server configuration.

Obtain the complete PuTTY package and extract its contents to a directory of your preference. Within this directory, locate the PUTTYGEN.EXE executable. Initiate the application and select Key –> Generate key pair.

Key Generation Process

A window similar to the one displayed will appear. Random data is crucial for key creation, so move your mouse cursor within the window to facilitate this process.

Upon completion, the PuTTY Key Generator window will resemble the example shown. Proceed to enter a robust and secure password.

After setting a password, click Save private key. Securely store the resulting .PPK file in a safe location.

Subsequently, copy the entire content from the “Public key for pasting…” field and paste it into a temporary TXT file for later use.

Multiple Device Support

If you intend to access your SSH server from various devices – such as laptops, netbooks, or smartphones – a unique key pair must be generated for each.

Generate, secure with a password, and save each additional key pair as needed. Ensure that the public key from each new pair is appended to your temporary document.

This ensures that each device has its own unique authentication credentials for secure access.

Configuring Your Router for SSH

Both Tomato and DD-WRT firmware distributions include integrated SSH servers. This is advantageous for a couple of key reasons. Previously, establishing an SSH server on a router involved a complex telnet process for manual installation and configuration. Furthermore, running the SSH server directly on the router—which typically uses minimal power—eliminates the need to keep a dedicated computer running solely to host a lightweight SSH server.

Accessing the Router’s Web Interface

Using a computer connected to your local network, launch a web browser. Enter the address for your router’s web interface; in our example, a Linksys WRT54G running Tomato, this is http://192.168.1.1. Log in to the interface and then navigate to Administration –> SSH Daemon.

Enabling SSH Access

Within the SSH Daemon settings, ensure both Enable at Startup and Remote Access are checked. Changing the default remote port is optional. While it can slightly obscure the purpose of the open port during a port scan, the benefit is minimal.

Crucially, uncheck the Allow Password Login option. Password-based logins will not be used for remote access; instead, a key pair will be implemented for enhanced security.

Adding Authorized Keys

Copy and paste the public key(s) generated earlier in the tutorial into the Authorized Keys text area. Each key must be on a separate line. The initial portion of the key, beginning with ssh-rsa, is essential. Omitting this prefix will render the public keys invalid for the SSH server.
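
The Authorized Keys rules above can be checked before pasting. The following is an added example, not part of the original article or of the Tomato firmware: it verifies that each line starts with ssh-rsa and that the key data is intact base64 in the OpenSSH public-key layout, and it returns a SHA256 fingerprint for each accepted line. The function names and the sample key are constructed for illustration; the sample has the right structure but is not a usable RSA key.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPE = "ssh-rsa"  # the only key prefix the article mentions


def _fields(blob):
    """Split a public-key blob into length-prefixed fields; None if malformed."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            return None
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            return None  # truncated, e.g. the key was wrapped onto two lines
        out.append(blob[pos:pos + size])
        pos += size
    return out


def check_line(line):
    """Return (ok, detail) for one Authorized Keys line."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != KEY_TYPE:
        return False, "line must begin with 'ssh-rsa ' followed by the key data"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False, "key data is not valid base64"
    fields = _fields(blob)
    # An RSA blob holds exactly: type name, public exponent, modulus.
    if not fields or len(fields) != 3 or fields[0] != KEY_TYPE.encode():
        return False, "key data is truncated or is not an ssh-rsa key"
    digest = hashlib.sha256(blob).digest()
    return True, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_textarea(text):
    """Check every non-empty line pasted into the Authorized Keys box."""
    return [check_line(l) for l in text.splitlines() if l.strip()]


def sample_line(comment="laptop"):
    """Constructed sample: correct structure, but NOT a usable RSA key."""
    pack = lambda b: struct.pack(">I", len(b)) + b
    blob = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(bytes(range(1, 129)))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    # Second line has the ssh-rsa prefix stripped, the mistake the text warns about.
    for ok, detail in check_textarea(sample_line() + "\n" + sample_line()[8:]):
        print("OK " if ok else "BAD", detail)
```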

Finalizing the Configuration

Click Start Now to initiate the SSH server. Then, scroll to the bottom of the page and click Save to apply the changes. Your SSH server is now active and operational.

Establishing a Remote Connection to Your SSH Server

The core setup is now complete. You have generated a key pair and configured your server, but the ability to connect remotely is essential for realizing the full benefits. This stage focuses on establishing that connection from a remote computer, specifically a Windows 7 laptop in this example.

Begin by transferring the PuTTY folder to your remote machine, or alternatively, download and extract a fresh copy. All subsequent steps will be performed on this remote computer. If the PuTTY Key Generator was initially run on your home computer, ensure you are now working on the mobile device. Confirm you have access to the .PPK file created earlier. With PuTTY extracted and the .PPK file available, you are prepared to continue.

Initiate PuTTY. The initial screen presented is the Session screen. Input the public IP address of your home internet connection here. This is distinct from your router’s local LAN IP; it’s the address visible from the external network. This information can be found on the Status page within your router’s web-based configuration interface. Modify the Port to 2222 (or the alternative port you specified during the SSH Daemon configuration). Ensure SSH is selected. Assign a name to your session and save it for convenient reuse. "Tomato SSH" is a suitable example.

Within the left-hand pane, navigate to Connection –> Auth. Click the Browse button and select the .PPK file that you saved and transferred to your remote machine.

Remaining within the SSH sub-menu, proceed to SSH –> Tunnels. This is where PuTTY will be configured to act as a proxy server for your remote computer. Activate both checkboxes under Port Forwarding. In the Add new forwarded port section, enter 80 for the Source port and your router’s IP address for the Destination. Select both Auto and Dynamic, then click Add.

Verify that an entry has been added to the Forwarded Ports list. Return to the Sessions section and click Save again to preserve your configuration. Now, click Open. PuTTY will initiate a terminal window. A warning may appear, indicating that the server’s host key is not recognized. Confirm your trust in the host. For verification, you can compare the fingerprint string displayed in the warning with the fingerprint of the key generated using PuTTY Key Generator.

Within the terminal, you will be prompted for two pieces of information. Enter root at the login prompt. At the passphrase prompt, input your RSA keyring password—this is the password you established during key generation, not your router’s administrative password. The router shell will load, indicating a successful connection. You have established a secure link between PuTTY and your home router.

Now, you must configure your applications to utilize PuTTY as a proxy.

It’s worth noting that generating a keypair without a password and enabling automatic login in PuTTY (under Connection –> Data –> Auto Login) can streamline the process, albeit with a slight reduction in security. This simplifies the connection to merely opening the application, loading the profile, and clicking Open.

Setting Up Browser Connectivity with PuTTY

Having established a functioning server and a connection to it, the final configuration step involves instructing applications to utilize PuTTY as a proxy server. Numerous applications supporting the SOCKS protocol, including Firefox, mIRC, Thunderbird, and uTorrent, can be linked to PuTTY. If you are uncertain about an application’s SOCKS support, consult its documentation or explore its options menus.

This is a crucial step that should not be bypassed. Traffic isn’t automatically routed through the PuTTY proxy; it must be explicitly directed to the SOCKS server. For instance, you could operate multiple web browsers, one configured with SOCKS and another without, resulting in encrypted traffic from one and unencrypted traffic from the other.

Configuring Firefox Portable

We will now focus on securing our web browser, Firefox Portable, as a straightforward example. The configuration process for Firefox is largely applicable to any application requiring SOCKS information input. Begin by launching Firefox and navigating to Options –> Advanced –> Settings.

Within the Connection Settings menu, choose Manual proxy configuration. Enter 127.0.0.1 under SOCKS Host—this directs the connection to the PuTTY application running locally, rather than your router’s IP address as previously used. Set the port to 80 and then click OK.

A minor adjustment is still needed to complete the setup. By default, Firefox does not route DNS requests through the proxy server. This means while your traffic is encrypted, a connection observer could still identify the websites you are visiting, such as Facebook.com or Gmail.com.

To ensure complete privacy, route your DNS requests through the SOCKS proxy. Type about:config into the address bar and acknowledge the warning by clicking “I’ll be careful, I promise!”

In the Filter: box, paste network.proxy.socks_remote_dns. Then, right-click on the entry for network.proxy.socks_remote_dns and select Toggle to set it to True. Subsequently, both your browsing activity and DNS requests will be transmitted through the SOCKS tunnel.
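
What the network.proxy.socks_remote_dns toggle changes on the wire, as an added example that is not part of the original article: assuming SOCKS version 5 (RFC 1928), a CONNECT request carries either an IP address the client has already resolved or the hostname itself. The function names, hostname and address below are constructed for illustration.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host, port):
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4)."""
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        # Not an IP literal: send the name itself, prefixed by its length.
        name = host.encode("ascii")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return head + bytes([atyp]) + addr + struct.pack(">H", port)


def parse_connect(req):
    """Parse a SOCKS5 CONNECT request; raise ValueError if it is malformed."""
    if len(req) < 5 or req[0] != 0x05 or req[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        size, start = req[4], 5
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        size, start = (4 if atyp == ATYP_IPV4 else 16), 4
    else:
        raise ValueError("unknown address type")
    if len(req) != start + size + 2:
        raise ValueError("truncated or oversized request")
    raw = req[start:start + size]
    (port,) = struct.unpack(">H", req[start + size:])
    if atyp == ATYP_DOMAIN:
        # Hostname travels inside the tunnel; the far end does the DNS lookup.
        return {"host": raw.decode("ascii"), "port": port, "resolved_by": "proxy"}
    # An address was sent: any DNS lookup already happened on the local network.
    return {"host": str(ipaddress.ip_address(raw)), "port": port,
            "resolved_by": "client"}


if __name__ == "__main__":
    # Constructed samples: remote DNS on (hostname) versus off (pre-resolved IP).
    for target in ("www.example.com", "203.0.113.10"):
        req = build_connect(target, 443)
        print(req.hex(), parse_connect(req))
```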

Enhancing Proxy Management

While we’ve configured our browser for constant SSH usage, you might prefer a more flexible approach. Firefox offers the FoxyProxy extension, which simplifies toggling proxy servers on and off. It provides extensive configuration options, including switching proxies based on domain or website.

For example, FoxyProxy allows you to automatically disable the proxy service when you are at home. Chrome users can achieve similar functionality with the Proxy Switchy! extension.

Let’s verify the successful implementation of these settings. We opened two browsers: Chrome, without the tunnel, and Firefox, newly configured to utilize the tunnel.

The left browser displays the IP address of the Wi-Fi network, while the right browser, leveraging our SSH tunnel, shows the IP address of the remote router. All Firefox traffic is now being routed through the SSH server, confirming a successful configuration!

Do you have any helpful tips or tricks for securing remote traffic? Perhaps you have a preferred application for use with a SOCKS server/SSH connection? If you require assistance with encrypting your traffic, please share your experiences and questions in the comments below.

 
