This aims to solve the problem of connecting to internal networks without exclusively locking your connection to that one network as well as not having to 2FA with your phone, dongle, rain stick or a magic charm. You shoould be able to open your laptop anytime, anywhere and have secure encrypted access to the network.
Things you will need on your journey:
- Machine inside the network running *nix with:
- Locally you will need:
Enable (systemd) sshd and tor, or rc.d or whatever gets the daemons running on your machine. Configure tor run a hidden service forwarding to 22:
Create a user, leave their public key in ~/.ssh/authorized_keys
Edit: vim /etc/tor/torrc
GOTO: ############### This section is just for location-hidden services ###
Uncomment: HiddenServicePort 22 127.0.0.1:22
Uncomment: HiddenServiceDir /var/lib/tor/hidden_service/
Restart tor
Grab the hostname of the now running hidden service: cat /var/lib/tor/hidden_service/hostname
Done!
Example .ssh/config:
### Serverside box running tor and ssh
Host remote-tor
User $REMOTE_SERVER_USERNAME
Hostname $REMOTE_SERVER_ADDRESS # Example: 3g2upl4pq6kufc4m.onion
ForwardAgent yes
Compression yes # Important for connections over TOR
ProxyCommand ncat --proxy-type socks5 --proxy 127.0.0.1:9050 %h %p
### Internal domain automatically gets proxied
Host *.$INTERNAL_DOMAIN.com # Example: *.google.com
ProxyCommand ncat --proxy-type socks5 --proxy 127.0.0.1:2424 %h %p
User $INTERNAL_DOMAIN_USERNAME
### Keepalive
Host *
ServerAliveInterval 30
ServerAliveCountMax 3
Run the autossh tunnel. This varies with your needs. I have the following in ~/.xinitrc:
autossh -f -M 0 -Nn -D 127.0.0.1:2424 remote-tor
Which will run a permanent tunnel on local 2424 to reconnect whenever disconnected (sleep, no wifi)
Example SystemD unit file:
[Unit]
Description=AutoSSH tunnel service on local port 2424
After=network.target
[Service]
Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh -M 0 -Nn -D 127.0.0.1:2424 remote-tor
[Install]
WantedBy=multi-user.target
Create a proxy in foxyproxy pointing to localhost:2424 tick sock proxy v5.
In patters configure patters for your network:
^https?://.*\.{{domain}}\.com.*$
^https?:\/\/{{domain}}[a-z]{3,5}[0-9]{2,5}.*$
...
Select use proxies based on their pre-defined patterns and priorities