Tuesday, February 5, 2013

Who needs a VPN? Access the web securely from your iPhone and iPad using shunnels - for free!


One of the nice things about the iPhone and the iPad is their powerful web browser and great WiFi access.  Now you can go to any two-bit coffee house, airport lounge, bus station or whatever and freely access your bank, your hospital, your private and intimate conversations, all broadcast openly without any encryption over the air.  The problem is that it's quite easy to listen to these conversations.  So, what can ordinary users do to protect themselves?  The expensive (and complicated) route is to set up an iPhone VPN.  Here's an alternative which is just as effective - and it's free!

The Basics

Essentially we'll be setting up an encrypted connection (an SSH tunnel, commonly called a "shunnel") between your iPhone and a computer in a secure location (specifically on the Amazon cloud).  Your online activity will be encrypted and sent over the shunnel, so the only way to capture your conversations would be to hack into the remote server, which is much more difficult than listening to your unprotected WiFi connection.  To do this, we'll set up a remote server, create a shunnel from the iPhone to this server and finally configure the iPhone's WiFi settings to use this shunnel.

This guide was inspired by this guide by EBI and this guide by Chris Swan, but I tweaked it for the iPhone and simplified it as much as possible.

Setting Up the Server

First we'll set up the far end of the shunnel on a remote server on the Amazon cloud:

To do this, go to Amazon.com from your computer and sign up for the Amazon Web Services "Free Tier" - it's free for one year.
Next, connect to the Amazon Console and launch a new Ubuntu Server instance.  

Launching your very own Ubuntu Server on the Amazon Cloud

Give it a nice name and make sure you configure it to create a new encryption key.  Download the key - you'll need it later to connect with your iPhone.
After the instance starts (it takes a few seconds), click on it in the console and write down its public address.
Note down your server's public address

OK, the scary part is finished!

Setting Up the iPhone

To connect to the server, we'll need an SSH client for the iPhone that accepts Amazon's key and can create tunnels.  We're going to use Velostar vSSH, which is a graphical shell built around Simon Tatham's excellent open-source PuTTY client.  Here's how you download it from the app store:
Downloading vSSH from the App Store

Once vSSH is installed, you need to connect your iPhone to your computer and copy the key you downloaded from Amazon into vSSH.
First, find the key file you downloaded from Amazon on your computer and rename it to "iPhoneKey.private".
Next, open iTunes and scroll to the "Apps" tab.  Select the "vSSH" app, then drag the key file into the list of files on the right.  This is what it should look like:
Copying the Amazon key into vSSH using iTunes on your computer

Now it's time to open vSSH and set up the connection to Amazon.  There are several things to set up here.  The host you're connecting to is the Amazon cloud server whose address you've just written down.  The username is "root":
Host, port, and username settings

Set up local port forwarding from source port 8080 (on the iPhone) to destination host localhost, port 3128 (on the server):
Port forwarding settings

You should also configure vSSH to log in using the Amazon key you just downloaded to your iPhone:
Private key setting

Now let's try to connect!  Once you are connected, you need to send the following command to the Amazon server:
sudo apt-get install squid
Here's what it should look like in vSSH:

How to install the squid web proxy on your server

Typing this command will set up a web proxy on the Amazon cloud server.  Now the shunnel is ready for use whenever you're in an insecure location.
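The squid package ships with a default configuration that listens on every interface. Since the only client that should ever reach this proxy is the SSH tunnel, which arrives on the server's loopback interface, it is worth tightening the configuration to loopback only. The script below is an added example, not part of the original post: it writes a minimal squid.conf, checks it for the two properties that matter (loopback-only listener, final "deny all"), and can apply it when run with --apply. It assumes the port numbers from this post and the squid package name from the apt-get command above; the config path and binary name are taken from that package (the squid3 package on the same Ubuntu release uses /etc/squid3/squid.conf and a squid3 binary instead, which is why both are overridable).

```shell
#!/bin/sh
# Added example (not from the original post): lock squid down to the tunnel endpoint.
# Assumed defaults for the "squid" package; override for the "squid3" package:
#   SQUID_CONF=/etc/squid3/squid.conf SQUID_BIN=squid3 sh harden-squid.sh --apply
SQUID_CONF=${SQUID_CONF:-/etc/squid/squid.conf}
SQUID_BIN=${SQUID_BIN:-squid}

# Write the minimal configuration to the file named in $1.
write_squid_conf() {
    cat > "$1" <<'EOF'
# Listen only on loopback: requests arrive through the SSH tunnel, never from the internet.
http_port 127.0.0.1:3128
# The tunnel endpoint (sshd on this machine) is the only permitted client.
acl tunnel_end src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
# Plain proxying to web ports only, CONNECT (used for https) to 443 only.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow tunnel_end
http_access deny all
# Do not advertise the proxy or the phone's address in outgoing request headers.
via off
forwarded_for off
EOF
}

# Return 0 if the config in $1 binds to loopback only and ends its access rules with "deny all".
check_squid_conf() {
    f=$1
    grep -q '^http_port 127\.0\.0\.1:3128$' "$f" || return 1
    grep -q '^http_access allow tunnel_end$' "$f" || return 1
    last=$(grep '^http_access' "$f" | tail -n 1)
    [ "$last" = "http_access deny all" ] || return 1
    return 0
}

# Replace the packaged config (keeping a backup), let squid parse it, then restart.
apply_squid_conf() {
    cp "$SQUID_CONF" "$SQUID_CONF.orig"
    write_squid_conf "$SQUID_CONF"
    check_squid_conf "$SQUID_CONF" || { echo "config check failed" >&2; return 1; }
    "$SQUID_BIN" -k parse -f "$SQUID_CONF" || return 1
    service "$SQUID_BIN" restart
}

# Only touch the system when explicitly asked, so the functions can be sourced and tested safely.
case "${1:-}" in
    --apply) apply_squid_conf ;;
esac
```

After applying, `sudo netstat -ltnp | grep 3128` on the server should show the listener on 127.0.0.1 only; the tunnel's destination of localhost:3128 from the vSSH port-forwarding settings is unaffected.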

Using the Shunnel

Let's assume you're in an especially sketchy location and you want to use the shunnel.  Here's what you should do:
Start vSSH, connect to the shunnel, and press the home (square) button.  vSSH will stay running in the background - you'll see a little badge to remind you.
vSSH displays a badge when it's running in the background

Now open WiFi Settings and press the little blue button to the right of the name of the insecure network, then scroll all the way to the bottom.  Set up a manual HTTP proxy that points into the shunnel.  The server should be localhost and the port should be 8080.  It should end up looking like this:
Setting up an HTTP proxy through the shunnel

That's it - now you can browse the web safely and securely!  If you want to make sure the shunnel works, open Safari and go to the URL ip.nefsc.noaa.gov (there are other sites which do this with names which are easier to remember, but I trust the U.S. National Observatory better than I trust them).  If you get an Amazon address it means everything worked!
Success!  We're browsing through the shunnel!


Since the whole thing comes for free, there are of course some drawbacks:
  • There's a bandwidth cap - AWS starts costing you money if you create more than 15GB of traffic per month.  So don't.
  • It stops being free after one year - and it's linked to your credit card.  After a year you can either start paying or ask a friend or spouse to help you out.
  • You have to click on vSSH once every 15 minutes - that's how the iPhone keeps background applications from eating up your battery.

Extra Credit

This basic guide should be enough for most users.  If you want to do more with your shunnel, here are some advanced ideas:
  • Give your server a nicer name - you can use free DNS services such as dot.tk or OpenDNS to give your server an easier-to-remember name such as bobs-shunnel.tk instead of the long, cryptic address.
  • Use a jailbroken ssh client instead of vSSH - if your phone is jailbroken you can use an alternative ssh client which can stay forever in the background without nagging you every 15 minutes.  I don't know which jailbroken ssh client is the best - perhaps somebody can suggest one in the comments.
  • Use a more restricted "guest" user on the Amazon server instead of the almighty "root" - this involves running the "adduser" script on the server and copying ~root/.ssh/authorized_keys to ~guest/.ssh/authorized_keys.  
  • Use the shunnel on your computer - you can import the Amazon private key into the PC version of PuTTY to get the same privacy advantage.  You might prefer to use a dynamic SOCKS proxy instead of local port forwarding.
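The third bullet (a restricted "guest" user instead of root) can go one step further: besides giving the user no privileges, the key copied from root can carry OpenSSH authorized_keys options so that the guest's key is good for nothing except opening the tunnel to the squid port. The script below is an added example, not part of the original post: it runs the adduser step, copies the keys as the bullet describes, and prefixes each key with the restrictions. The username "guest", the source file /root/.ssh/authorized_keys and the assumption that root's keys carry no options of their own are assumptions; the port 3128 is the squid port from this post.

```shell
#!/bin/sh
# Added example (not from the original post): provision a tunnel-only guest user.
# Run as root on the server:  sh guest-user.sh --apply
SRC_KEYS=${SRC_KEYS:-/root/.ssh/authorized_keys}   # assumed location of the Amazon key
GUEST=${GUEST:-guest}                               # assumed username

# Options prepended to each key: local forwards may only target the squid port,
# and no pty, agent forwarding, X11 forwarding or ~/.ssh/rc for this key.
KEY_OPTS='permitopen="127.0.0.1:3128",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc'

# Print one authorized_keys line carrying the restrictions.
# $1 is a key line as it appears in authorized_keys ("ssh-rsa AAAA... comment"), assumed option-free.
restricted_key_line() {
    printf '%s %s\n' "$KEY_OPTS" "$1"
}

# Return 0 if file $1 holds at least one key and every key in it carries the permitopen restriction.
keys_are_restricted() {
    grep -q '^[^#[:space:]]' "$1" || return 1
    if grep -v -e '^[[:space:]]*$' -e '^#' "$1" | grep -q -v 'permitopen="127\.0\.0\.1:3128"'; then
        return 1
    fi
    return 0
}

# Create the user (no password, so key-only login), then install the restricted keys.
provision_guest() {
    adduser --disabled-password --gecos 'shunnel guest' "$GUEST"
    home=$(getent passwd "$GUEST" | cut -d: -f6)
    install -d -m 700 -o "$GUEST" -g "$GUEST" "$home/.ssh"
    grep -v -e '^[[:space:]]*$' -e '^#' "$SRC_KEYS" | while IFS= read -r key; do
        restricted_key_line "$key"
    done > "$home/.ssh/authorized_keys"
    chown "$GUEST:$GUEST" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    keys_are_restricted "$home/.ssh/authorized_keys"
}

# Only touch the system when explicitly asked.
case "${1:-}" in
    --apply) provision_guest ;;
esac
```

With this in place, change the vSSH username from "root" to "guest"; the tunnel to localhost:3128 still works, but an attacker who obtains the key gets a shell with no privileges and no pty, and any attempt to forward a port elsewhere is refused by sshd with "administratively prohibited". The same restriction applies to the fourth bullet: on a computer, `ssh -N -L 8080:127.0.0.1:3128 -i iPhoneKey.private guest@<server address>` works, but a dynamic SOCKS proxy (`ssh -D 1080 ...`) would be blocked by permitopen, since sshd applies it to every forwarded connection. If you want the SOCKS variant for that user, leave permitopen out of KEY_OPTS for them.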