Automated SOCKS proxy in OS X Snow Leopard
In honor of Firesheep’s release, I whipped up an AppleScript that goes through the steps to have your Mac use a SOCKS proxy (AKA SSH tunnel). For the unfamiliar, this is a technique that involves creating an encrypted connection to a server you have access to and then redirecting all your network traffic through it. It’s wise to use such a setup when on an untrusted network connection, such as any open wireless network (note that Firesheep only works on an open wireless network). This tutorial assumes you already have access to a server with OpenSSH installed, preferably with key-based authentication so passwords don’t need to be exchanged.
The standard way to set up a SOCKS proxy is to open Terminal.app and run ssh with a couple of extra flags (-D 8888 opens the local SOCKS listener, -N skips running a remote command, -v prints verbose output). This will start a SOCKS proxy on port 8888:
ssh -vND 8888 user@host.com
I run SSH on a non-standard port, so I also tack on -p X before user@host, where X is the port SSH runs on. To make things a little easier, I aliased this in my .profile:
alias socks="ssh -vND 8888 -p X user@host.com"
Now I just have to type “socks” in a Terminal window and I’m all set up. Making your Mac actually use the proxy involves going into System Preferences > Network > Advanced… > Proxies and checking off the SOCKS Proxy checkbox. Make sure your port agrees with whatever you used to start the tunnel and after saving your changes you should be good to go. Firefox doesn’t use a proxy for DNS requests by default, but you can change that by going to about:config and toggling network.proxy.socks_remote_dns to true. After you’re set up, go to a site like whatismyip.com and make sure your IP is originating from wherever your SSH server is from (in my case Slicehost).
The process of going into System Preferences can be a bit of a drag, so I customized an AppleScript to do it for me. This script will toggle the status and announce what the result is.
Note: This is a customized version of a script originally posted by Meredith Davison to Mac OS X Hints.
tell application "System Preferences"
    activate
    set current pane to pane "com.apple.preference.network"
end tell
tell application "System Events"
    get properties
    tell process "System Preferences"
        tell window "Network"
            -- Selects the active network connection
            tell table 1 of scroll area 1
                click row 1
            end tell
            --Select the Advanced button
            click button 11
            --Select the Proxies tab
            tell tab group 1 of sheet 1
                -- delay 1
                click radio button 6
                tell group 1
                    tell table 1 of scroll area 1
                        set selected of row 6 to true
                        click checkbox of row 6
                        if value of (checkbox 1 of row 6) is 1 then
                            set outStr to "You Turned SOCKS Proxy ON"
                        else
                            set outStr to "You Turned SOCKS Proxy OFF"
                        end if
                    end tell
                end tell
            end tell
            tell sheet 1
                click button "OK"
            end tell
        end tell
        tell window "Network"
            click button "Apply"
        end tell
    end tell
end tell
tell application "System Preferences"
    quit
end tell
-- Voice status of SOCKS Proxy settings
say outStr
Save it as an application from AppleScript Editor and add it into your scripts menu for quick universal access. All credit should be directed to her. This likely works in other versions of Mac OS X, but I have only tested it on Snow Leopard.
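Because nothing warns you when the system proxy is off or points at the wrong port, the check can also be scripted. The following is an added example, not part of the original post or its script: it parses the output of networksetup -getsocksfirewallproxy and confirms the setting matches the tunnel. The service name "Wi-Fi" and the embedded sample output are assumptions; port 8888 comes from the ssh command above.

```shell
#!/bin/sh
# Added example: confirm the macOS SOCKS setting matches the SSH tunnel.
# Assumptions: tunnel started with `ssh -ND 8888 ...`, service named "Wi-Fi".

# Constructed sample of `networksetup -getsocksfirewallproxy Wi-Fi` output.
SAMPLE_ON='Enabled: Yes
Server: 127.0.0.1
Port: 8888
Authenticated Proxy Enabled: 0'

# field NAME TEXT -> prints the value of the "NAME: value" line in TEXT.
field() {
    printf '%s\n' "$2" | awk -F': ' -v k="$1" '$1 == k { print $2; exit }'
}

# proxy_matches_tunnel TEXT PORT -> prints a verdict and returns 0 only if
# the proxy is enabled AND points at the local tunnel on PORT.
proxy_matches_tunnel() {
    enabled=$(field Enabled "$1")
    server=$(field Server "$1")
    port=$(field Port "$1")
    if [ "$enabled" != "Yes" ]; then
        echo "SOCKS proxy disabled: traffic is NOT tunnelled"; return 1
    fi
    case "$server" in
        127.0.0.1|localhost) ;;
        *) echo "SOCKS server is '$server', not the local tunnel"; return 1 ;;
    esac
    if [ "$port" != "$2" ]; then
        echo "SOCKS port $port does not match tunnel port $2"; return 1
    fi
    echo "SOCKS proxy enabled on $server:$port"
}

# Live check, only on a Mac where networksetup exists.
if command -v networksetup >/dev/null 2>&1; then
    proxy_matches_tunnel "$(networksetup -getsocksfirewallproxy Wi-Fi)" 8888 || true
    # The setting alone is not enough: is ssh actually listening on the port?
    nc -z 127.0.0.1 8888 >/dev/null 2>&1 || echo "no listener on 8888: is ssh running?"
fi
```

This only verifies the system setting and the local listener; the whatismyip.com check is still what confirms the browser's traffic leaves from the SSH server.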
You wrote: “After you’re set up, go to a site like whatismyip.com and make sure your IP is originating from wherever your SSH server is from (in my case Slicehost).”
Why would I need to do that and what should I be looking for?
-SteveL
p.s. I suspect you intend it to be a security check to make sure “host.com” is resolving to an actual IP address owned by your ISP. Is that correct?
I check because it confirms that your proxy is set up and being used by your browser. There’s no error or warning if you aren’t using the proxy and without checking to see your IP you won’t be sure it’s really being used. It’s just a quick way to make sure you’re secure.
This blog is very helpful. It explains how to create a virtual SOCKS Proxy server on your local machine (perhaps a laptop) that will connect to your home machine. The blog also explains how to create an AppleScript application to get OS X to start/stop using the SOCKS Proxy server. One thing that appears to be missing is info on configuring OS X’s SOCKS proxy settings. What values should I enter for the SOCKS Proxy server address and port?
Unless you changed something from defaults, just using the provided command and AppleScript gets you up and going. The default is 127.0.0.1:8888 and the only thing that would change is the port. If you used something other than 8888 in the SSH command you would need to change that in the SOCKS proxy settings.
Final comment… An easier to use alternative to creating an AppleScript to start/stop using the SOCKS Proxy server would be to use OS X’s Locations feature.
OS X’s Locations feature has nothing to do with your physical position on Planet Earth. Instead the Locations feature provides an easy way to quickly and easily switch between multiple sets of network settings. Using the Locations feature you could create a location for home use and another location for public WiFi use.
OS X’s default location is named “Automatic.” For the sake of this example let’s assume the Automatic location is configured for home use, i.e. it is not configured for using the SOCKS Proxy server.
To create a new location open the Networks system preference, click on the Location dropdown and select Edit Locations… In the dialog that pops up you can click the “+” to create a new location from scratch or click the gear icon and select Duplicate Location to create a duplicate of the currently selected location’s settings. In either case set the new location’s name to “Public WiFi” (or any other name you like) and click the Done button. Now make sure that the Public WiFi location is selected in the Locations dropdown I mentioned earlier then configure the network settings by specifying the SOCKS Proxy server’s address and port as well as checking the checkbox to enable use of the proxy server. Be sure to click the Apply button to save the new settings for this location.
Now when you want to enable use of the proxy server all you have to do is go to Apple menu -> Locations and select “Public WiFi” from the list. To disable the use of the proxy go to Apple menu -> Locations and select “Automatic” from the list. That’s both faster and easier than mucking with an AppleScript. Plus it allows you to create and switch between any number of special network configurations.
Beautiful, that is easier. Thanks for the tip. I haven’t used Locations in quite some time.
Thanks for this! It wasn’t working, then I realized I had Little Snitch running on my home computer. I VNC’d home and sure enough, process ‘ssh’ was requesting to connect to the internet. I clicked ‘Allow’ and now it works!
There is an easier way for this; (self-explanatory)
sudo networksetup -setsocksfirewallproxystate Wi-Fi on