Secure browsing using a local SOCKS proxy server (on desktop or mobile) and an always free OCI compute instance as SSH server

Oracle provides several services as ‘always free’. In contrast to Azure and Amazon, these include compute instances which remain ‘forever’ free to use. Although there are some limitations on CPU, disk, network resources, these instances are ideal to use as a remote SSH server and with a little effort a connection target for a locally running SOCKS proxy server. When you configure a browser to use that SOCKS proxy, your web traffic will be send through a secure channel (SSH tunnel) towards the OCI instance and the OCI instance will appear as your browsers client IP for remote sites you visit.

An SSH server in combination with a locally running SOCKS proxy server allows you to browse the internet more securely from for example public Wifi hotspots by routing your internet traffic through a secure channel via a remote server. If you combine this with DNS over HTTPS, which is currently at least available in Firefox and Chrome, it will be more difficult for other parties to analyse your traffic. Also it allows you to access resources from a server outside of a company network which can have benefits for example if you want to check how a company hosted service looks to a customer from the outside. Having a server in a different country as a proxy can also have benefits if certain services are only available from a certain country (a similar benefit as using a VPN or using Tor) or as a means to circumvent censorship.

Do check what is allowed in your company, by your ISP and is legal within your country before using such techniques though. I of course don’t want you to do anything illegal and blame me for it 😉

Create and configure an OCI compute instance

The example configuration is based on Oracle Linux 7 but will most likely be the same for RHEL and CentOS. Mind that creating always free instances is only possible in your home region and that changing your home region after account creation is currently not possible. See here.

When configuring the OCI instances, there are some challenges when you are not that experienced with cloud providers such as creating an SSH key pair and making the instance accessible from the internet. After the instance is created, there are also some measures to take to keep the instance updated and to make using it as SOCKS proxy from a remote source easier by assigning the SSH port to 443 (which is usually used for HTTPS traffic).

Create an instance

Creating an OCI instance is relatively easy but exposing it to the internet and configuring it to auto-update, require several steps.

Prepare the SSH public and private keys

First prepare an SSH key. There are several tools which allow you to do this. The below screenshots are from MobaXterm. You can also use PuttyGen, keytool (a command line tool), KeyStore Explorer, etc. I prefer MobaXterm since next to generating keys, it is also a powerful SSH client, provides a Linux like environment and has a nice SSH tunnel manager.

Do not supply a password. Next to saving the public and private key using the respective buttons, also save the top part starting with ssh-rsa. This is the part which OCI needs to configure the instance. The private key is the thing you use to login from a client.

Create the instance

Why Oracle Linux? I was having some difficulties with the Ubuntu image and I suspect running an Oracle OS on Oracle Cloud might make things easier in the future.

In the below step you copy the previously saved public key.

Now start creating the instance and wait until it is ready.

Create a public IP

When using the free tier, you only have a single public IP address. You can create 2 compute instances though. I recommend using different accounts on a single compute instance if you want to allow different users to access it.

Assign the public IP

Confirm client connectivity

You can confirm you can access your instance with MobaXterm using a regular SSH connection You use the assigned public IP at port 22 and your private key to login with user opc. The screenshot indicates port 443 but that is after you changed it as described below. It starts out with port 22, the default SSH port.

Make sure it auto-updates and restarts when necessary

Since your OCI instance will be accessible at a public IP address and has an open SSH port, it will be bashed with hack attempts. You can keep the SSH port closed until a certain sequence of connection attempts is executed (port knocking) but you might not be able to execute those through a company proxy server. If you keep the port open, it is important to keep your system updated in order to reduce the number of vulnerabilities which can be abused to gain access. Since manual maintenance of environments is no hobby of mine and I do like my system to remain up to date and do not care about reboots once in a while, I’ve automated this.

The below commands are based on RHEL 7 and variants like OL 7 and CentOS 7

sudo yum -y install yum-cron yum-utils
sudo systemctl enable --now yum-cron.service
sudo systemctl start yum-cron.service
sudo sed -i 's/apply_updates = no/apply_updates = yes/g' /etc/yum/yum-cron.conf
echo "$(echo '* 11 * * * /usr/bin/needs-restarting -r || sudo shutdown -r' ; crontab -l)" | crontab -

This does several things

• It checks for updates regularly (interval specified in yum-cron.conf)
• It applies the updates
• It checks if updates require a restart daily using the needs-restarting command which is part of yum-utils
• It executes the restart when required

Change the SSH port

Company proxy servers almost never block port 443. This is the port used to access HTTPS websites. In order to give you maximum flexibility to access your OCI instance, it is recommended to run the SSH server on port 443.

Change the port

sudo sed -i 's/#Port 22/Port 443/g' /etc/ssh/sshd_config
sudo semanage port -m -t ssh_port_t -p tcp 443
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload
sudo systemctl restart sshd.service

Update the security list

In the below screenshots port 443 is publicly accessible.

Configure your SSH client as a local SOCKS proxy server

Linux / Unix (should probably also work on Mac)

This is by far the easiest since you don’t need more than an SSH client which is there usually by default. Execute a command like:

nohup ssh -i ~/oraclecloudalwaysfree.key -D 8123 -f -C -v -N opc@132.145.250.238 -p 443

And you get an SSH SOCKS server which is available at localhost port 8123. Of course change this to your own IP and refer to your own private key. Output will be saved in ~/nohup.out. If the connection fails, you can check that file for the cause.

• -D 8123 starts a SOCKS 4 and SOCKS 5 compliant proxy server on port 8123
• -i indicates the private key to use
• -f indicates background execution of SSH
• -C requests compression of data
• -v gives verbose output. Useful for debugging
• -N indicates no remote command needs to be executed. we just need the tunnel functionality
• -p indicates the port to connect to on the remote host. 
• opc@132.145.250.238 indicates the user and host to connect to

MobaXterm

I’ve used MobaXterm before to login using SSH normally. MobaXterm also has an easy to use tunnel interface.

The last two icons indicate to MobaXterm to start the tunnel when the application is started and to automatically reconnect upon disconnect.

Android: ConnectBot

ConnectBot is an Android App which allows you to create SSH connections to remote servers, use private keys to login and configure SSH tunnels. If you have a rooted Android phone, you can even use the ProxyDroid app to configure the SOCKS proxy server globally and not specifically per app. The process on how to configure this is described here. For a secure connection to OCI, first load your private key in ConnectBot. Next create a connection to opc@yourhost. Next add a port forward of type Dynamic (SOCKS) with source port 8080. This will start a local SOCKS proxy server available at port 8080. This is what you can configure in webbrowsers.

iPhone

For iPhone it is probably also possible to run a SOCKS proxy locally and connect to it from a browser but since I have no iPhone available I’ll leave that to others. You can read for example some discussion on this here.

Others

Bitvise SSH client can also easily be used to configure SSH tunnels. See my blog post about this here.

Configure clients to use the SOCKS proxy server

Firefox desktop

In Firefox on a desktop this is easy.

Firefox mobile

For Firefox on a mobile device this is slightly harder, but on for example Chrome, these settings are not available at all. In Firefox the same settings as described above are available but not nicely from a GUI. The following here describes the steps you need to take.

In the firefox URL bar, type ‘about:config’ and press enter to access advanced settings. Search for ‘socks’ and set the following settings:

• network.proxy.socks = 127.0.0.1
• network.proxy.socks_port = 8080
• network.proxy.socks_remote_dns = true

Search for ‘proxy.type’ and set the following setting:

• network.proxy.type = 1

Now confirm you can access the web using your OCI instance by going to

Torrent client on mobile

If you are looking for a torrent client which can run on your mobile phone and supports using a SOCKS server, checkout Flud or tTorrent. I’m using Flud.

• Open Flud
• Go to Menu > Settings > Network > Proxy Settings
• Enter the settings as shown below
• Proxy type: SOCKS5
• Host: localhost
• Port: 8080
• Make sure to check ‘Use proxy for peer connections’ and uncheck ‘Requires authentication’
• Click ‘Apply Proxy’