8

I have created an SSH tunnel on my laptop connected to LAN. I want to share the internet via WiFi/hotspot, but over the SSH tunnel. I mean any computer using this wireless should connect to the internet via the SSH tunnel (automatically, without setting a proxy).

In other words, I want to set the proxy setting only on my laptop (e.g., 127.0.0.1:1028), and any computer using the WiFi/hotspot from my laptop should be able to use internet without any proxy setting.

Googlebot

2 Answers

4

What you want is not possible with pure SSH (i.e. the -D proxy option to create the poor man's VPN).

Here are two options that do work, though:

  1. use sshuttle (available in the repositories) and tell it to forward all traffic from the subnet of your hotspot through the "VPN". See the manpage for more info.
  2. set up OpenVPN on the remote system and your local system. The traffic of the connected hotspot users should go through the VPN by default. You might also want to look at this serverfault question.
mniess
3

It is possible using pure ssh -D if one adds redsocks and iptables to the mix. This is much simpler than configuring OpenVPN, especially if you don't have privileges on the remote machine.

For creating the hotspot on Ubuntu I recommend http://ubuntuhandbook.org/index.php/2014/09/3-ways-create-wifi-hotspot-ubuntu/ which uses the built-in default network-manager.

With redsocks installed and configured one can use iptables to redirect all traffic from the wifi hotspot to redsocks which then passes it through the socks proxy.

For instance if your wifi hotspot is on the 10.42.0.1/24 subnet and the incoming redsocks port is 12345 issue:

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t nat -A PREROUTING -s 10.42.0.0/24 -p tcp -j REDIRECT --to-ports 12345

For a detailed set of instructions visit http://abidmujtaba.blogspot.com/2016/07/ubuntu-create-wifi-hotspot-access-point.html

  • Why is it necessary to nuke the previous iptables (`iptables -F`) for this to work? – a06e Sep 10 '18 at 19:45
  • I am not sure. By process of elimination I realized it worked only when I cleared the rules. You might try more permutations, I would be curious to know if there is a minimum working set of rules. – Abid H. Mujtaba Sep 12 '18 at 15:44
  • This solution was working perfectly for me so far. But the other day I realized that whenever I did this, I was unable to do some remote ssh on a cluster I usually did. I suspect it's related to the `iptables` nuking. – a06e Sep 12 '18 at 15:47
  • Thank you for the link to the article. I've tried to set my wifi hotspot over ssh tunnel using autossh, but found that it can't handle raw IP traffic. Redsocks is required. – Mateusz Mar 08 '20 at 11:25
  • Just an FYI: I didn't use flush `-F` (first two commands) and it worked well. – Ahsaan Yousuf Feb 24 '21 at 12:24
  • I am trying to configure redsocks. Can someone help me figure out how I should set the IPs and ports in redsocks{}? I use ssh -D 1222. And I use localhost and the opened port in my Firefox to access unrestricted internet, which works perfectly. I want to know whether I should open port 12345 using ssh -D, or I should set a different number than the redsocks redirected port, i.e. 1222, and then set redsocks differently? And if I use ssh -D manually, do I still need to set the ip and tcp port of the proxy server? – Sina Oct 27 '22 at 09:54
  • @Sina if you used `ssh -D 1222` to set up the ssh port forwarding then the redsocks `port` (forwarding) must be set equal to 1222. The redsocks `local_port` (listening) is up to you, I chose 12345 at random. Now any traffic directed to port 12345 will be forwarded by redsocks to port 1222 and from there over the ssh tunnel. – Abid H. Mujtaba Oct 28 '22 at 13:44
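The redsocks configuration asked about in the comments and the iptables rules from the second answer, put together as an added example script (this is not code from the answer or from any of the commenters). It uses a dedicated nat chain so that nothing has to be flushed with `iptables -F`, which is the part of the answer the comments questioned. Assumptions not in the thread: the chain name REDSOCKS_HOTSPOT, the config path /etc/redsocks.conf and the `redsocks` service name (the Ubuntu package defaults), and the hotspot subnet 10.42.0.0/24 with `ssh -D 1222` as the SOCKS listener, both taken from the answer and comments:

```shell
#!/usr/bin/env bash
# Added example (not from the answer or the comments): send a hotspot
# subnet through redsocks with a private iptables nat chain instead of
# wiping the whole ruleset with `iptables -F`.
# Assumed: chain name REDSOCKS_HOTSPOT, /etc/redsocks.conf, a service
# called redsocks, and `ssh -D 1222` already running on the laptop.
set -eu

HOTSPOT_SUBNET="${HOTSPOT_SUBNET:-10.42.0.0/24}"   # hotspot subnet from the answer
REDSOCKS_PORT="${REDSOCKS_PORT:-12345}"           # redsocks local_port (listening side)
SOCKS_PORT="${SOCKS_PORT:-1222}"                  # the ssh -D port redsocks forwards to
CHAIN="REDSOCKS_HOTSPOT"                          # assumed name for our own nat chain
REDSOCKS_CONF="${REDSOCKS_CONF:-/etc/redsocks.conf}"

# redsocks.conf: REDIRECT in PREROUTING rewrites the destination to the
# hotspot interface's own address, not to 127.0.0.1, so redsocks has to
# listen on 0.0.0.0. It then forwards to the SOCKS5 listener of ssh -D.
render_redsocks_conf() {
  local local_port="$1" socks_port="$2"
  cat <<EOF
base {
    log_debug = off;
    log_info = on;
    log = "syslog:daemon";
    daemon = on;
    redirector = iptables;
}
redsocks {
    local_ip = 0.0.0.0;
    local_port = ${local_port};
    ip = 127.0.0.1;
    port = ${socks_port};
    type = socks5;
}
EOF
}

# iptables commands, one per line. Traffic from a client to the hotspot
# subnet itself (the gateway, other clients) is left alone; every other
# TCP connection is redirected to redsocks. Only the single PREROUTING
# jump touches the pre-existing ruleset.
render_iptables_rules() {
  local subnet="$1" redsocks_port="$2"
  cat <<EOF
iptables -t nat -N ${CHAIN}
iptables -t nat -A ${CHAIN} -d ${subnet} -j RETURN
iptables -t nat -A ${CHAIN} -p tcp -j REDIRECT --to-ports ${redsocks_port}
iptables -t nat -A PREROUTING -s ${subnet} -j ${CHAIN}
EOF
}

# Exact inverse of render_iptables_rules, so teardown restores the
# original ruleset instead of flushing it.
render_iptables_teardown() {
  local subnet="$1"
  cat <<EOF
iptables -t nat -D PREROUTING -s ${subnet} -j ${CHAIN}
iptables -t nat -F ${CHAIN}
iptables -t nat -X ${CHAIN}
EOF
}

hotspot_up() {
  render_redsocks_conf "$REDSOCKS_PORT" "$SOCKS_PORT" | sudo tee "$REDSOCKS_CONF" >/dev/null
  sudo systemctl restart redsocks          # assumed service name of the Ubuntu package
  render_iptables_rules "$HOTSPOT_SUBNET" "$REDSOCKS_PORT" | sudo sh -e
}

hotspot_down() {
  render_iptables_teardown "$HOTSPOT_SUBNET" | sudo sh -e
}

# Usage: ./hotspot-redsocks.sh up | down   (no argument: only defines functions)
case "${1:-}" in
  up)   hotspot_up ;;
  down) hotspot_down ;;
esac
```

Two points worth checking on a real deployment: the rule matches `-p tcp` only, exactly like the answer's rule, so UDP from the clients (DNS lookups above all) is not carried over the SOCKS tunnel and either leaves the laptop unproxied or fails; and `sudo iptables -t nat -L REDSOCKS_HOTSPOT -v -n` shows per-rule packet counters, which is the quickest way to confirm that client traffic is actually hitting the REDIRECT rule.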