I go to conferences and meetups quite a lot, and one thing I always encounter on those trips is bad wifi or internet access. The “public” networks made available to visitors often limit network access to http(s) and e-mail. This means for instance that I can’t use my XMPP/Jabber chat. A second problem with those networks is that my e-mail provider blocks e-mail access because they think I’m in an unknown location and I’m an intruder. The third problem is that there are often other people snooping around on the network trying to see what they can intercept. This is how I solve those problems for myself:

I use TorBrowser to set up a connection to the Tor network. This works on those limited networks, because Tor can connect over http(s). Tor also starts a SOCKS5 proxy on port 9150 on my computer (it does that by default), which I can use to tunnel traffic through the Tor network. This would already solve most of my problems, except that my email provider doesn’t trust Tor, and won’t let me connect over the Tor network. We need to go deeper.

Another solution would be to use SSH with its -D option to set up a connection to my VPS (which my email provider trusts) and again, make a SOCKS5 proxy available to my local system to connect to the internet over that SSH connection. That, however, doesn’t work because those public wifi networks don’t allow SSH connections. Let’s combine this with the TorBrowser step: I set up SSH to use the SOCKS5 proxy that TorBrowser started (localhost:9150) by putting this in my ~/.ssh/config file, scoped to the VPS so that other SSH connections are not affected:

Host server
    ProxyCommand /usr/bin/nc -x localhost:9150 %h %p

Then, I use ssh over that proxy and let it expose another proxy, to which I can connect my email client:

ssh -D 9999 user@server

Now I can make all my apps (e-mail, XMPP/Jabber, etc…) use the SOCKS5 proxy on port 9999 to connect to the internet. They will appear to connect from my VPS, but actually, they’re going over SSH, which runs over Tor. It’s tricky, but it fixes my problem!
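The same chain as a script, so it can be repeated on every trip: it writes the Host stanza once, starts the background tunnel, waits for the local SOCKS port and then checks which address the outside world sees. This is an added example and not the post's own setup; the host alias vps-over-tor, the VPS hostname vps.example.org and the use of ifconfig.me as a "what is my IP" service are assumptions.

```shell
#!/bin/sh
# Added example: chain ssh through the Tor Browser SOCKS port, then expose a second
# SOCKS port for local applications. Alias, user and VPS hostname are assumptions.
set -eu

TOR_SOCKS="localhost:9150"   # Tor Browser's default SOCKS5 listener (from the post)
LOCAL_SOCKS_PORT=9999        # port that ssh -D exposes for e-mail/XMPP clients (from the post)
VPS_HOST="vps.example.org"   # assumption: the VPS's real hostname
VPS_USER="user"              # assumption

# Emit an ssh_config stanza that routes only this one host through Tor.
# A bare ProxyCommand at the top of the file would apply to every ssh connection.
render_ssh_config() {   # render_ssh_config ALIAS HOST USER SOCKS_ADDR
  name="$1"; host="$2"; user="$3"; socks="$4"
  printf 'Host %s\n' "$name"
  printf '    HostName %s\n' "$host"
  printf '    User %s\n' "$user"
  printf '    ProxyCommand /usr/bin/nc -x %s %%h %%p\n' "$socks"
  # Refuse unknown or changed host keys: neither the hotspot nor a Tor exit can
  # silently swap in its own key when the key is already pinned in known_hosts.
  printf '    StrictHostKeyChecking yes\n'
}

# Append the stanza only if the alias is not there yet (safe to re-run).
install_ssh_config() {   # install_ssh_config CONFIG_FILE ALIAS
  conf="$1"; name="$2"
  if ! grep -q "^Host $name\$" "$conf" 2>/dev/null; then
    render_ssh_config "$name" "$VPS_HOST" "$VPS_USER" "$TOR_SOCKS" >> "$conf"
  fi
}

wait_for_port() {   # wait_for_port PORT SECONDS
  i=0
  while [ "$i" -lt "$2" ]; do
    nc -z localhost "$1" 2>/dev/null && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

main() {
  install_ssh_config "$HOME/.ssh/config" vps-over-tor
  # -N: no remote shell, -f: go to background once authenticated, -D: local SOCKS5 listener
  ssh -N -f -D "$LOCAL_SOCKS_PORT" vps-over-tor
  wait_for_port "$LOCAL_SOCKS_PORT" 15 || { echo "SOCKS port $LOCAL_SOCKS_PORT never came up" >&2; exit 1; }
  # socks5h:// hands the hostname to the proxy, so DNS lookups also leave via the VPS
  # instead of going to the hotspot's resolver.
  echo "apparent source address: $(curl -s --proxy "socks5h://localhost:$LOCAL_SOCKS_PORT" https://ifconfig.me)"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run; the printed address should be the VPS's, not the hotspot's. Applications that let you choose between "SOCKS5" and "SOCKS5 with remote DNS" (or socks5 vs socks5h) should use the remote-DNS variant for the same reason the curl call does.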

Enjoy it!



  • This procedure assumes that you’re running a Debian-based OS on your local machine. It might work from Mac OS X too, possibly using Homebrew to install Privoxy, and from Windows, using the .exe installer for Privoxy and a *nix-like terminal such as MinGW or Git Bash.
  • The server OS needs to be Unix-based for this to work, and you’ll need root access over SSH.
  • We will not have to install anything on the server.

How this works

To allow the server to access the internet, we’ll tunnel the server’s internet traffic through our local computer. To do this, we’ll need to run a simple proxy on our own computer. This proxy usually listens only for local connections. We’ll then port-forward that local port to a port on the server. From the server’s point of view, it then looks as if a proxy server is available on a local port. We can then tunnel the traffic of particular server applications through that proxy.

Setting up the proxy over SSH

Install Privoxy proxy server and run it

On your local machine
sudo apt-get install privoxy
sudo service privoxy restart

Privoxy should now be running and accepting connections from localhost only, on port 8118.

Log in to the server over ssh and port-forward the privoxy port (8118) over that connection

ssh -R 8118:localhost:8118 root@{server}
This makes the server open port 8118 for connections, which will be forwarded to port 8118 on your local machine, on which Privoxy will be listening. Privoxy will then handle the request. By default sshd binds that forwarded port to the server’s loopback interface only (unless GatewayPorts is enabled in sshd_config), so other machines cannot use your local Privoxy through the server.

Forwarding traffic over the Proxy


Create or edit the /etc/apt/apt.conf file to set proxy settings for APT
On the server:
vim /etc/apt/apt.conf

Insert this line (the proxy is the forwarded port on the server’s own loopback interface):
Acquire::http::Proxy "http://localhost:8118";

At this point, apt will work over the proxy.

The problem now is that we can’t resolve DNS requests over the proxy (we can’t use a SOCKS5 proxy because apt doesn’t work with SOCKS5 out of the box). To solve that problem we’ll edit the /etc/hosts file to contain the repository record.
On the server:
vim /etc/hosts

Insert this line (replace the x’s with the actual ip):
{xx.xx.xx.xx} archive.debian.org

If you don’t know how to get the IP address for archive.debian.org:
On your local machine:
nslookup archive.debian.org

Now you should be able to use apt to update or install packages.
apt-get install git

Other programs

If you want to use the proxy for other programs on the server, like wget or git use this:
http_proxy=http://localhost:8118 {command}

This way you’re setting the proxy as an environment variable, while running the command {command}. Most (well-written) command line software will use that variable, but sometimes this won’t work.

http_proxy=http://localhost:8118 wget github.com
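The server-side steps above (apt.conf, the /etc/hosts record and the http_proxy variable), written as a script that can be re-run without leaving duplicate or stale lines behind. This is an added example, not the post's own commands; every function takes the file to edit as a parameter so it can be tried on a copy first, and the --apply mode that touches the real /etc files is an assumption about how you would run it on the server.

```shell
#!/bin/sh
# Added example (not the post's own script): the server-side half of the Privoxy
# trick as idempotent functions. Run with: ./proxy-setup.sh --apply <ip-of-archive.debian.org>
set -eu

PROXY_PORT=8118   # the port forwarded with: ssh -R 8118:localhost:8118 root@{server}

# APT reads Acquire::http::Proxy from apt.conf. Any earlier Proxy line is replaced,
# so running this twice still leaves exactly one setting.
write_apt_proxy() {   # write_apt_proxy FILE PORT
  file="$1"; port="$2"
  line="Acquire::http::Proxy \"http://localhost:$port\";"
  if [ -f "$file" ]; then
    grep -v '^Acquire::http::Proxy' "$file" > "$file.tmp" || true
  else
    : > "$file.tmp"
  fi
  printf '%s\n' "$line" >> "$file.tmp"
  mv "$file.tmp" "$file"
}

# Add or replace one hostname in an /etc/hosts-style file. An earlier line for the
# same name is dropped first, so a stale address from a previous session cannot linger
# and quietly send apt somewhere else.
add_hosts_entry() {   # add_hosts_entry FILE IP NAME
  file="$1"; ip="$2"; name="$3"
  { [ -f "$file" ] && grep -v -E "[[:space:]]$name([[:space:]]|\$)" "$file"; } > "$file.tmp" || true
  printf '%s %s\n' "$ip" "$name" >> "$file.tmp"
  mv "$file.tmp" "$file"
}

# Run a command with the proxy set only in its own environment, as the post does with wget.
proxied() {
  http_proxy="http://localhost:$PROXY_PORT" https_proxy="http://localhost:$PROXY_PORT" "$@"
}

# Check that the reverse-forwarded port really answers before touching apt.
proxy_alive() {
  curl -s -o /dev/null --max-time 5 -x "http://localhost:$PROXY_PORT" http://deb.debian.org/
}

if [ "${1:-}" = "--apply" ]; then
  [ $# -eq 2 ] || { echo "usage: $0 --apply <ip-of-archive.debian.org>" >&2; exit 2; }
  write_apt_proxy /etc/apt/apt.conf "$PROXY_PORT"
  add_hosts_entry /etc/hosts "$2" archive.debian.org   # address looked up locally with nslookup
  proxy_alive || { echo "proxy on localhost:$PROXY_PORT is not answering; is the ssh -R session up?" >&2; exit 1; }
  proxied apt-get update
fi
```

The hosts entry is the weak point of this setup: whoever controls the address you paste in controls where apt fetches packages from, so take it from a resolver you trust (your own machine, as the post does) and remove the line again when the session is over.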

That’s it!

Whenever you need to access a server through a VPN for security reasons, you’ll most likely lose your internet connection.
If you still want or need to read your emails or browse the web for the solution of a problem, or get on IRC, it’s possible.

If there’s a server or any other computer with SSH access on your local network, it should still be reachable from your computer when it’s connected to the VPN. We’ll use that to our advantage by tunneling our web traffic through that second computer. The only problem is that DNS most likely won’t work anymore when you’re on the VPN, so we’ll have to know a login and the IP address of the second computer.

While connected to the VPN, we’ll create an SSH connection to the second computer, with some options to do port-forwarding, effectively creating a SOCKS5 proxy.
ssh -C2qtnN -D 8081 {username}@{local-ip-address-of-2nd-computer}

This will not open a shell on the server, but it will make a SOCKS5 proxy available on port 8081 (localhost).
You can now tell your browser to use that proxy as a SOCKS5 proxy, and access your mail, irc and other web needs through that connection.

If your DNS doesn’t get resolved (the browser is still trying the VPN’s resolver), go to ‘about:config’ in your browser (Firefox) and set
network.proxy.socks_remote_dns to boolean true, so that hostnames are sent to the proxy and resolved on the second computer instead.

That’s it! 🙂

Lately I was tinkering a bit on my local area network. These are the commands I used (they will work on Mac OS X as well as on GNU/Linux):

– to see/edit network interface settings

ping www.example.com
– to see if a host is reachable, and with how much latency. www.example.com can also be replaced by an IP address.

traceroute www.example.com
– to see which and how many hops are between you and the server you’re pinging.

– show network status (initiated connections)

lsof -i
– show open network sockets

tcpdump -i en0 -w capturefile.pcap -s0
– capture all network traffic on the en0 interface and save it in capturefile.pcap. Without the -w option, you can monitor the data live.

arp -a
– list all hosts on the local network currently seen by your client, with IP and MAC addresses

nslookup www.example.com
– do a DNS request for www.example.com

ssh user@hostname
– login to a remote host via a secure shell

scp user@hostname:/home/user/example.txt /home/me/Desktop/
scp /home/me/Desktop/example2.txt user@hostname:/home/user/
– copy the file example.txt on the remote host to my desktop on the local client over ssh.
– copy the file example2.txt on the local machine to the remote host over ssh.
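The arp -a listing above is also a cheap place to look for trouble on a LAN: a single MAC address that suddenly answers for several IPs (the gateway's among them) is one of the classic signs of ARP spoofing, though a router that legitimately holds more than one address will show up the same way. This added example, which is not part of the post, normalises the Linux and Mac OS X arp -a output formats into ip/mac pairs and reports such MACs; the sample table it runs on by default is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): turn `arp -a` output into "ip mac" lines
# and flag any MAC that appears for more than one IP. Run with --live to read the real
# table; without arguments it runs on the constructed sample below.
set -eu

# Both the Linux and the macOS format contain "(IP) at MAC"; incomplete entries
# ("at (incomplete)" / "at <incomplete>") carry no MAC and are skipped.
arp_table() {
  awk '
    match($0, /\([0-9.]+\) at [0-9a-fA-F:]+/) {
      entry = substr($0, RSTART, RLENGTH)
      gsub(/[()]/, "", entry)      # "192.168.1.1 at aa:bb:cc:dd:ee:01"
      sub(/ at /, " ", entry)      # "192.168.1.1 aa:bb:cc:dd:ee:01"
      print tolower(entry)         # MAC case differs between systems; normalise it
    }'
}

# Print one line per MAC that appears for two or more IPs: "<mac> <ip1> <ip2> ..."
duplicate_macs() {
  arp_table | awk '
    { ips[$2] = ips[$2] " " $1; n[$2]++ }
    END { for (m in n) if (n[m] > 1) print m ips[m] }' | sort
}

# Constructed sample mixing the Linux and macOS line formats. 192.168.1.1 and
# 192.168.1.50 deliberately share a MAC; .77 is an unresolved entry.
SAMPLE_ARP='? (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:20 on en0 ifscope [ethernet]
? (192.168.1.50) at AA:BB:CC:DD:EE:01 on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]'

if [ "${1:-}" = "--live" ]; then
  arp -a | duplicate_macs
else
  printf '%s\n' "$SAMPLE_ARP" | duplicate_macs
fi
```

A hit is a prompt to look closer (compare against the gateway's known MAC, or capture the ARP replies with tcpdump -i en0 arp), not a verdict on its own.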

that’s it for now 🙂

I ran into some problems lately with my network. Whenever I was browsing the web, my Firefox would just not load some pages, mostly pages that I visited quite often (Wikipedia, Apple Trailers, …). I tried Safari because I thought the problem was one of the add-ons or plugins in Firefox, but Safari also failed. Could this be a problem with my operating system (Mac OS X 10.5)? I tried bridged networking from an Ubuntu virtual machine. Seemed to work. Other computers on the network had no problems (all windooz and GNU/Linux machines).

After countless hours of searching on Google, changing network cables, restarting router and switches over the past weeks, I desperately went to the #macosx channel on the freenode IRC network. Users ‘frogor’ and ‘CPng|N’ both suggested that the problem could really be due to the router.

So I fired up the admin panel of my Philips router (model number SNA6500/18). I saw in the logs that the local IP of my computer was sending a lot of unanswered ‘SYN’ traffic to the IPs of the websites that didn’t work. Google told me that this is normal; the TCP/IP stack of OS X uses an option flag that causes this. Anyway, this ‘SYN flood’ required a lot of TCP sessions and my router limited (and aborted) them, so the connections just timed out.

Long story short, on the router admin panel: Advanced Settings > Firewall > Intrusion Detection > Maximum Incomplete TCP/UDP sessions per host
change that value from 10 to 50 and you’re done.


Command Line Love

September 7, 2010

Lately I’ve been learning a lot about using the command line on GNU/Linux and Mac OS X based systems. I wanted to go further in this, and try to do some daily internet things from an all command line GNU/Linux distribution. For this purpose I used ArchLinux.

After a little research I found ‘lynx’. It’s a great text-based web browser. It takes little time to learn how it works, and it’s really quite usable as a browser. It uses colors to show links, italic, bold and other fonts. You can find a screenshot of my blog displayed by lynx here.

To download a file, you can use the lynx built-in Save To Disk option, or you can use a cli download manager like wget.

After the web browsing, it was time to find a suitable chat client. CenterIM seemed perfect. It’s easy to set up and use. It can handle multiple protocols, like MSN, YIM, ICQ, IRC, Google Talk, … The client works fine. So far, so good.

When looking for a suitable (and working) e-mail client, things got a lot more complicated. It seems that there is no easy way to do this, so I did it the hard way. I used a combination of 4 programs and 1 cronjob to do this. ‘Fetchmail’ gets the mail off the server through POP3 and sends it to ‘Procmail’. Procmail filters the incoming mail and puts it in one or more text files. I automated this process with a cronjob, so my mail is downloaded every half hour. To read those mails, I used ‘Mutt’, an easy-to-use mail program, from which you can also compose new mails. Then they are sent to ‘mSMTP’, a program that relays your outgoing mail back to the mailserver, to send it to the recipient.
Setting up all these programs to work together to send and receive mails involves a lot of fiddling with configuration files (not for the faint-hearted), but when it works, it’s really cool 🙂

So! I succeeded in doing these things from the command line… mission completed.



Recently I visited www.whattheinternetknowsaboutyou.com, a site where you can see your complete browsing history… which means that, if they want to, THEY can see your browsing history too. That’s not too bad, you think? You know EVERY SITE can see that, and a few things more:

– your IP address (so also your location on the planet)
– the site that directed you to that page (referrer)
– your complete web-browsing history
– the browser you’re using (in the user-agent string)
– the Operating System you’re using (in the user-agent string)

and that’s all no big deal really, it’s easy as 1-2-3. Now you say “so what? they don’t know who I am”. Exactly. They don’t. But they don’t need to know your name! The information they have right here is more than enough to uniquely identify you out of billions of other internet users. So don’t you think that’s concerning?

Anyway, IF you want a little bit of privacy on the web, here’s how I hid all these aspects in an easy way, using Ubuntu 10.04 and Firefox, combined with Tor, and a bunch of Firefox plugins.

STEP 1. Install Tor on Ubuntu. You find the how-to here; use ‘Option two’. By using Tor in combination with Polipo (see step 2) we’re going to hide our location and IP address.

STEP 2. Check if Polipo is installed on your Ubuntu system. (It was automatically installed during my Tor installation.) If not, install it. Then go here – download the Polipo configuration for Tor file (in step two), and follow the instructions in the same paragraph.

STEP 3. We’re going to install some add-ons in Firefox now. First is the ‘Torbutton’. Without it, Tor doesn’t work with Firefox. Go here – and install the add-on by clicking the green ‘+Add to Firefox’ button.

STEP 4. Install the ‘No referrer’ add-on for Firefox here – this little tool is going to hide our referrer page.

STEP 5. Install the ‘User Agent Switcher’ add-on for Firefox here – this tool switches our user agent so websites we visit can’t see that we’re using Firefox on Ubuntu (and more info…).

STEP 6. Install the ‘Adblock Plus’ add-on for Firefox here – this will block ads on webpages. We need that because ads tend to find a way around Tor and give away our real IP address and location.

STEP 7. Quit Firefox, and do a complete restart of Ubuntu. Then restart Firefox. You’ll see that a bunch of pages open because we installed the new add-ons. We need to do a few more things.

STEP 8. A page of Adblock Plus will be opened, asking to install a filter description. Choose one that seems ok to you. After that you can close the remaining pages.

STEP 9. Choose another user agent. ‘Tools’ > ‘Default User Agent’ > ‘Internet Explorer’ > ‘Internet Explorer 7’ might be a good choice.

STEP 10. Click the green ‘R’ icon on the right bottom of your screen. In the menu that pops up check the box before ‘Don’t send referrers to any URL‘ and save.

STEP 11. Click the Tor button on the right bottom of the screen to switch Tor on and off.

STEP 12. To stop the history leaking, just disable the history (in Firefox preferences), or choose ‘clear history when Firefox closes’. That way you won’t have much to worry about.

Now you’re set. Remember: for normal browsing, you don’t need to do all this 🙂 This is just for the paranoid. Still, try not to use the Tor network, the user agent switcher and the referrer disabler when they’re not needed. These things were made to make the web better; some people just use them for the wrong purpose.
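The browser settings from the steps above, and the socks_remote_dns switch from the VPN post, can also be set without clicking through about:config and add-ons: Firefox reads a user.js file in the profile directory on every start and applies each user_pref() line in it. This added example, which is neither this post's method nor the add-ons' code, generates such a file for the ssh -D 8081 SOCKS proxy with remote DNS, a disabled referrer, an overridden user agent and no persisted history, and then reads a setting back so a script can verify it. The pref names are real Firefox preferences; the profile directory and the user agent string in the --apply branch are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): write Firefox proxy and privacy settings to a
# user.js instead of clicking through about:config and add-ons.
# Run with: ./firefox-user-js.sh --apply <profile-directory>
set -eu

# user_pref() lines for a SOCKS5 proxy on localhost. socks_remote_dns is the setting that
# makes Firefox hand hostnames to the proxy instead of resolving them locally, which is
# what stops DNS from leaking around the tunnel.
socks_prefs() {   # socks_prefs PORT
  cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $1);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# No referrer at all, one fixed user agent string, no history kept, and whatever is
# left wiped when Firefox closes (the steps 4, 5 and 12 points, without add-ons).
privacy_prefs() {   # privacy_prefs USER_AGENT_STRING
  cat <<EOF
user_pref("network.http.sendRefererHeader", 0);
user_pref("general.useragent.override", "$1");
user_pref("places.history.enabled", false);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.history", true);
EOF
}

# Read the value of one pref back out of a user.js (last occurrence wins, as in Firefox).
pref_value() {   # pref_value FILE PREF
  sed -n "s/^user_pref(\"$2\", \(.*\));$/\1/p" "$1" | tail -n 1
}

write_user_js() {   # write_user_js PROFILE_DIR PORT USER_AGENT
  { socks_prefs "$2"; privacy_prefs "$3"; } > "$1/user.js"
}

if [ "${1:-}" = "--apply" ]; then
  [ $# -eq 2 ] || { echo "usage: $0 --apply <profile-directory>" >&2; exit 2; }
  PROFILE="$2"   # assumption: e.g. ~/.mozilla/firefox/<something>.default, see about:profiles
  # Constructed user agent string for the example; pick one that is common on the web.
  write_user_js "$PROFILE" 8081 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
  [ "$(pref_value "$PROFILE/user.js" network.proxy.socks_remote_dns)" = true ] \
    && echo "user.js written; remote DNS enforced for the SOCKS proxy on port 8081"
fi
```

Because user.js is re-applied at every start, it also undoes any of these settings that got flipped back in about:config by accident, which is the main reason to prefer it over clicking them in by hand; remove the file again when you no longer want the proxy, or Firefox will keep trying to reach port 8081 after the ssh session is gone.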

enjoy the privacy 🙂