There are many situations in which you need to work around some strange corporate limitations. They may be explained by company security policy, 3rd party tools, etc. But often those policies go beyond being a mere limitation and become a real nuisance for developers, even to the point where access to open source repositories on GitHub is blocked! This is the moment when you say 'I've had enough!' and try to come up with a solution to this problem.

Your best option is a secure tunnel through SSH, and this article is all about how to configure a safe and convenient one.

Requirements

  • Own Linux server (VPS or Dedicated Server outside Corporate Network)
  • Installed SSH on your client machine (On Windows you can use the Git installer)
  • Proxy SwitchyOmega or similar browser extension
  • Client Machine with any OS

Notice

Please note that using this kind of workaround for company policies may lead to legal consequences. Use it wisely and take responsibility for your actions.

Additionally, let's clarify one thing: the safety of this solution means that we maintain a reasonably high level of protection for your private server AND for the privacy of your communication.

There are multiple options for quick and easy tunnel connections, but they often rely on a 3rd party VPN server (Red Alert - you don't know what the owner of that server will do with your data) or may loosen the security of your own server!

This article is not about the basics of securing your server. To learn more about properly securing a VPS, take a look at this article: Security Tutorials

How to start

Client machine

First we need a new private key for you. This is advised even if you already have one! You don't have to set a passphrase for this key, as it won't affect security.

ssh-keygen -t rsa -f ~/.ssh/tunnel_rsa  
# Copy contents of ~/.ssh/tunnel_rsa.pub to the clipboard

Server

Let's create a new limited user on your server and assign your newly generated public key to it.

adduser -d /home/tunnel-user -m tunnel-user
# On Debian/Ubuntu, adduser is a different wrapper without -d/-m; use:
# useradd -d /home/tunnel-user -m tunnel-user
cd /home/tunnel-user
mkdir .ssh
vim .ssh/authorized_keys # and paste there the contents of the clipboard
chmod 700 .ssh                         # directory: owner only
chmod 600 .ssh/authorized_keys         # file: owner read/write, not executable
chown -R tunnel-user:tunnel-user .ssh  # the directory was created by root, hand it over to the user

Open your /etc/ssh/sshd_config and apply the following configuration:

# If you use an AllowUsers directive (you should), add the new user to it.
# Keep this line ABOVE the Match block: every directive after a Match line
# belongs to that block until the next Match, so an AllowUsers placed below
# would only apply to tunnel-user and stop restricting the other logins.
AllowUsers user1 user2 tunnel-user

Match User tunnel-user
    AllowAgentForwarding no
    # GatewayPorts only affects remote (-R) forwards; it is not needed for the -D SOCKS tunnel
    GatewayPorts yes
    X11Forwarding no
    # Any command or shell request is replaced by this echo; with 'ssh -N' nothing is run at all.
    # AllowTcpForwarding (default yes) must stay enabled, or the tunnel will not work.
    ForceCommand echo 'This account can only be used for opening a tunnel'
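Because sshd scopes everything after a Match line into that block, the placement of AllowUsers is easy to get wrong. This added example (not part of the original article) parses an sshd_config fragment the way sshd scopes it and reports deviations from the tunnel-only setup above; the two embedded configs are constructed samples, and Match criteria are compared literally.

```python
import re

# Constructed sample: the Match block with AllowUsers written *after* it, which
# sshd treats as part of the Match block (it belongs to it until the next Match).
MISPLACED = """\
Match User tunnel-user
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand echo 'This account can only be used for opening a tunnel'
AllowUsers user1 user2 tunnel-user
"""

# Constructed sample: the same directives with AllowUsers in the global section.
CORRECT = """\
AllowUsers user1 user2 tunnel-user
Match User tunnel-user
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand echo 'This account can only be used for opening a tunnel'
"""

def parse_sshd_config(text):
    """Return [(scope, {key: value})]: the 'global' section first, then one entry
    per Match block keyed by its criteria. Keys are lower-cased because sshd
    treats them case-insensitively; blank lines and comments are dropped."""
    sections = [("global", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            sections.append((value, {}))                 # new scope until the next Match
        else:
            sections[-1][1][key] = value
    return sections

def audit_tunnel_user(text, user="tunnel-user"):
    """List deviations from the tunnel-only account setup; empty list means OK."""
    sections = parse_sshd_config(text)
    global_cfg = sections[0][1]
    block = {crit.lower(): cfg for crit, cfg in sections[1:]}.get(f"user {user}")
    if block is None:
        return [f"no 'Match User {user}' block found"]
    findings = []
    if "forcecommand" not in block:
        findings.append("ForceCommand missing: the account would get a shell")
    if block.get("allowagentforwarding", "yes").lower() != "no":
        findings.append("AllowAgentForwarding should be 'no' for a tunnel-only account")
    if block.get("allowtcpforwarding", "yes").lower() == "no":
        findings.append("AllowTcpForwarding no: the -D SOCKS tunnel cannot work")
    for crit, cfg in sections[1:]:
        if "allowusers" in cfg:   # scoped into a Match block: no longer a global restriction
            findings.append(f"AllowUsers inside 'Match {crit}' only applies to that block "
                            "and no longer restricts other logins; move it above the Match")
    if "allowusers" in global_cfg and user not in global_cfg["allowusers"].split():
        findings.append(f"{user} is not in the global AllowUsers list")
    return findings
```

Running audit_tunnel_user on your own /etc/ssh/sshd_config (after `sshd -t` for syntax) catches the ordering mistake before the daemon is restarted.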

Let's restart the SSH daemon, and the server side changes are done!

service ssh restart  

How to use

At this point you are pretty much done and should be able to establish a secure connection through SSH from your client machine.

Normally you do this by running the following command in a terminal (or the Command Line on Windows) and then pointing the proxy extension at the resulting SOCKS proxy on localhost port 9999:

ssh -N -D 9999 -i ~/.ssh/tunnel_rsa tunnel-user@SERVER  

To make it even more convenient, let's add a custom SSH config (vim ~/.ssh/config):

Host tunnel  
  HostName SERVER
  User tunnel-user
  IdentityFile ~/.ssh/tunnel_rsa
  DynamicForward 9999

With this you can establish a new connection even more easily:

ssh -N tunnel  

And you are ready to go.

What's so special about this configuration?

There are a few cool things:

  • The tunnel-user can log in to your server, but it can't do anything. It can't run any commands.

  • No password when establishing tunnel

  • If you need to, you can share your private key for the tunnel-user with a colleague, and they would be able to use it as well. Well, you should never share your private keys with anyone, but in this particular case it won't be catastrophic for you :)