Ask the Wifi Guru: Episode 42
December 21, 2011
Our resident expert explains how to set up a secure SSH tunnel so you can run your favorite email client and surf securely no matter where you're sipping your latte.
Q: I sometimes work online at free Wi-Fi hotspots around town. The problem is that sometimes I can’t check my email from these hotspots. I launch my e-mail client but it just fails to connect. I can browse the Web just fine. But at other hotspots I can check my e-mail. Is there a problem with my software? – Nancy
A: The problem, as they say, is that “It’s not you, it’s me.” Well, not me, but the hotspots you are connecting to.
Most hotspots are configured to enforce a firewall on guests. The firewall controls which network services you can use. When a program such as a Web browser communicates over the network, it does so through what is known as a “port,” a number that identifies the service at the other end. For example, most websites communicate over port 80, except secure (HTTPS) websites, which use port 443.
At some hotspots the firewall is very restrictive and allows communication through only a small set of ports. E-mail clients use several different ports depending on how the mail server is configured. Typical examples are port 110 for POP3 and port 143 for IMAP when receiving mail, port 25 or 587 (SMTP) when sending, and the TLS-wrapped variants 993 (IMAPS) and 995 (POP3S).
When your e-mail client fails to connect, it is probably because the hotspot is blocking the e-mail port you need. Why? Simply because some hotspots have decided to offer only Web access and nothing else.
The simplest workaround is to read your mail through a browser-based webmail interface, if your provider offers one. But this is not always a perfect solution. From my own experience, my webmail browser interface is very difficult to use on a small-screen mobile device.
For those who like to get their hands muddy, there is a more sophisticated way to get past a restrictive firewall and keep using the apps you like: an SSH tunnel. Let’s break that down:
SSH is the “secure shell” protocol, an encrypted channel originally designed for sending commands to a remote server. The “tunnel” is an SSH connection between your computer and that remote server, inside which the traffic the firewall blocks is carried. The hotspot sees only one encrypted SSH session on a port it allows; it cannot see, or block, what travels inside it.
To create a tunnel, you need access to a server outside the firewall. This could include a hosting account you have with a third-party provider or even your home computer.
In simple terms, this is how an SSH tunnel is built:
- If necessary, install an SSH server on the outside machine.
- Configure the SSH server to listen on port 443, the port used by secure websites. We choose this port because even very restrictive hotspots allow port 443 so that guests can visit HTTPS sites. OpenSSH’s sshd can listen on several ports at once, so you can add 443 without giving up the standard port 22; if the outside machine already runs a web server on 443, you will need a different machine or a different port.
- If necessary, install an SSH client on the machine you use at the Wi-Fi hotspot.
- Configure this SSH client as a tunnel by assigning a local and a remote address. For example, you would tell the SSH client to listen on local port 10000 (on the loopback address only, so that other guests at the hotspot cannot use your tunnel) and forward connections to yourmailserver.com, port 143 (IMAP), over the SSH connection to yourtunnelserver.com, port 443. Connect to the tunnel server once from a trusted network first, so the client stores the server’s host key; if the client later warns that the key has changed, something at the hotspot is intercepting the connection and you should not proceed.
- Configure your blocked application (such as your e-mail client) to connect to the server at localhost, port 10000. Instead of contacting the mail server directly, your e-mail client connects to its own machine, where the SSH client is listening. The SSH client “smuggles” the data through the encrypted connection to your SSH server on the outside computer, which then delivers it to the real mail server. Because the hotspot firewall allows port 443, you can smuggle any network service you want through it. Note that the tunnel encrypts only the hop between your computer and the SSH server; the hop from the SSH server to the mail server is only as protected as the mail protocol itself, so forward to the TLS port (993 for IMAP) and turn on SSL/TLS in the mail client if that hop crosses the Internet.
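Putting the client side of those steps into a script: this is an added example written for this column, not the column’s own code or a published OpenSSH recipe. The host names, the user name nancy and the ports are placeholders, and it assumes an OpenSSH sshd is already reachable on port 443 of yourtunnelserver.com.

```shell
#!/bin/sh
# mailtunnel.sh: open an SSH tunnel on port 443 and forward a local port to
# the IMAP server the hotspot blocks.  Added example; edit the settings below.

TUNNEL_USER=nancy                     # assumed login on the outside machine
TUNNEL_HOST=yourtunnelserver.com      # the outside machine running sshd
TUNNEL_PORT=443                       # sshd listens here as well as on 22
MAIL_HOST=yourmailserver.com          # the real mail server
MAIL_PORT=143                         # IMAP (use 993 and SSL in the client if you can)
LOCAL_PORT=10000                      # the mail client connects to 127.0.0.1:10000

# True when $1 is a TCP port number 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line that builds the tunnel.
#   -N                     no remote shell, we only want the forward
#   -f                     go to the background once authenticated
#   -L 127.0.0.1:LOCAL:MAIL_HOST:MAIL_PORT
#                          listen on loopback only (other hotspot guests cannot
#                          reach it) and forward to the mail server
#   -p 443                 the port the hotspot firewall lets through
#   ExitOnForwardFailure   fail loudly if 10000 is already taken instead of
#                          silently leaving the mail client unconnected
#   StrictHostKeyChecking  refuse an unknown or changed host key; on a hostile
#                          hotspot a changed key means someone is in the middle
#   ServerAliveInterval    keep an idle tunnel from being dropped by NAT
tunnel_cmd() {
    printf 'ssh -N -f -L 127.0.0.1:%s:%s:%s -p %s -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o ServerAliveInterval=30 %s@%s\n' \
        "$LOCAL_PORT" "$MAIL_HOST" "$MAIL_PORT" "$TUNNEL_PORT" "$TUNNEL_USER" "$TUNNEL_HOST"
}

# Lines for /etc/ssh/sshd_config on the outside machine: keep 22, add 443,
# and allow keys only, since a listener on 443 will be password-guessed.
sshd_snippet() {
    printf 'Port 22\nPort 443\nPasswordAuthentication no\n'
}

start_tunnel() {
    is_port "$LOCAL_PORT" && is_port "$MAIL_PORT" && is_port "$TUNNEL_PORT" || {
        echo "bad port number in settings" >&2
        return 1
    }
    eval "$(tunnel_cmd)"
}

case "${1:-show}" in
    start)  start_tunnel ;;
    stop)   pkill -f "ssh -N -f -L 127.0.0.1:$LOCAL_PORT:" ;;
    server) sshd_snippet ;;
    *)      tunnel_cmd ;;   # default: just show the command
esac
```

Run `sh mailtunnel.sh` to see the command, `sh mailtunnel.sh start` to open the tunnel, then point the mail client at 127.0.0.1, port 10000. If you forward to 993 and turn on SSL in the client, expect one certificate warning: the certificate is for yourmailserver.com while the client connected to 127.0.0.1, and clients such as Thunderbird let you store an exception for exactly that host. `sh mailtunnel.sh server` prints the three sshd_config lines for the outside machine; restart sshd after adding them.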
You can build an SSH tunnel on any platform, although the tools ship with most Linux distributions and with Mac OS X.
The most popular tool for the server end of the tunnel is OpenSSH, which is available for Linux, Mac OS X, and Windows. If you are running the SSH server on a home computer, you will probably need a dynamic DNS service such as FreeDNS or No-IP, with its update client running at home, so that your home computer can be reached by name from the Internet even though your ISP changes its address. If the home computer sits behind a router, you will also need to forward TCP port 443 on the router to it.
OpenSSH also includes a client that runs on Linux and Mac OS X; Windows users may want to use the SSH client called PuTTY, which sets up tunnels in its configuration under Connection > SSH > Tunnels.
Besides overcoming a restrictive firewall, there is another good reason to run an SSH tunnel at a Wi-Fi hotspot: security.
Even if you only intend to browse the Web at a hotspot, an SSH tunnel will let you browse securely. At most public hotspots your wireless traffic is easy to intercept, except when you visit secure HTTPS websites. For browsing, the tunnel is set up as a SOCKS proxy rather than a forward to a single port, and the browser is pointed at it; everything between your computer and the SSH server is then encrypted, so an eavesdropper at the hotspot sees only one SSH session and cannot tell which sites you visit. Two caveats: the traffic is protected only as far as the SSH server, and beyond that a plain HTTP site is still plain HTTP, so the tunnel does not replace HTTPS; and the browser must be told to resolve host names through the proxy, otherwise your DNS lookups still go out over the hotspot in the clear.
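For the browsing use the forward is a dynamic one: ssh -D turns the client into a local SOCKS proxy and the browser sends every connection through it. The script below is an added example written for this column, not the column’s own code; the host name and user name are the same placeholders as in the mail example, and it assumes curl and a SOCKS v5-capable browser on the laptop.

```shell
#!/bin/sh
# browsetunnel.sh: SOCKS proxy over SSH on port 443, so that all browser
# traffic (not just one mail port) rides inside the tunnel.  Added example.

TUNNEL_USER=nancy                  # assumed login on the outside machine
TUNNEL_HOST=yourtunnelserver.com   # the outside machine running sshd on 443
TUNNEL_PORT=443
SOCKS_PORT=1080                    # browser proxy setting: SOCKS v5, 127.0.0.1:1080

# -D makes ssh a SOCKS server on 127.0.0.1:1080 (loopback only); each proxied
# connection is opened from the outside machine to whatever host it names.
socks_cmd() {
    printf 'ssh -N -f -D 127.0.0.1:%s -p %s -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o ServerAliveInterval=30 %s@%s\n' \
        "$SOCKS_PORT" "$TUNNEL_PORT" "$TUNNEL_USER" "$TUNNEL_HOST"
}

# A test fetch through the proxy.  "socks5h" (not "socks5") hands the host
# name to the proxy, so the DNS lookup happens at the far end of the tunnel;
# with plain socks5, curl would resolve the name itself and the hotspot would
# still see every site you look up.  Firefox's equivalent is the about:config
# setting network.proxy.socks_remote_dns = true.
check_cmd() {
    printf 'curl --silent --proxy socks5h://127.0.0.1:%s https://example.com/\n' "$SOCKS_PORT"
}

case "${1:-show}" in
    start) eval "$(socks_cmd)" && echo "SOCKS proxy on 127.0.0.1:$SOCKS_PORT" ;;
    check) eval "$(check_cmd)" >/dev/null && echo "fetch through proxy ok" ;;
    stop)  pkill -f "ssh -N -f -D 127.0.0.1:$SOCKS_PORT" ;;
    *)     socks_cmd; check_cmd ;;   # default: show both commands
esac
```

After `sh browsetunnel.sh start`, set the browser’s proxy to SOCKS v5 at 127.0.0.1 port 1080 with remote DNS enabled, and `sh browsetunnel.sh check` confirms that a fetch goes through the tunnel.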
Given all this, you might be wondering how to actually create the SSH tunnel. Detailed instructions are long and vary by platform, but here are two great starting points: instructions for Linux users, which should also work for Mac OS X, and instructions for Windows users.
Aaron Weiss is a technology writer, screenwriter and Web development consultant who spends his free time stacking wood for the winter in Upstate New York. His Web site is bordella.com.