There are many situations where you need to work around some strange corporate limitations. They may be explained by the company security policy, 3rd-party tools, etc. But often those policies become more than just a limitation and turn into a real nuisance for developers, even to the point where access to the open source repositories on GitHub is blocked! This is the moment when you can say 'I've had enough!' and try to come up with a solution to this problem.
Your best option is a secure tunnel through SSH, and this article is all about how to configure a safe and convenient tunnel.
- Own Linux server (VPS or Dedicated Server outside Corporate Network)
- Installed SSH on your client machine (On Windows you can use the Git installer)
- Proxy SwitchyOmega or similar browser extension
- Client Machine with any OS
Please note that using this kind of workaround for company policies may lead to legal consequences. Use it wisely and take responsibility for your actions.
Additionally, let's explain one thing: safety of this solution means that we maintain a reasonably high level of protection for your private server AND your communication privacy.
There are multiple options for quick and easy tunnel connections, but they often suggest using a 3rd-party VPN server (red alert: you don't know what the owner of this server will do with your data) or may weaken the security of your server!
This article is not about the basics of securing your server. To learn more about properly securing a VPS, take a look at this article: Security Tutorials
How to start
First we need a new private key for you. It's advised even if you have a private key already! You don't have to set a password for this key, as it won't affect security.
ssh-keygen -t rsa -f ~/.ssh/tunnel_rsa
# Copy contents of ~/.ssh/tunnel_rsa.pub to the clipboard
Let's create a new limited user on your server and assign your newly generated public key to it.
# Create the account together with its home directory
useradd -d /home/tunnel-user -m tunnel-user
cd /home/tunnel-user
mkdir .ssh
vim .ssh/authorized_keys # and paste the contents of the clipboard there
# sshd expects a private directory and key file owned by the user
chmod 0700 .ssh
chmod 0600 .ssh/authorized_keys
chown -R tunnel-user:tunnel-user .ssh
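Edit /etc/ssh/sshd_config and apply the following configuration:
# Global section, above any Match block.
# If you use AllowUsers section (you should), then you need to add a new user to it:
AllowUsers user1 user2 tunnel-user

# A Match block runs until the next Match line or the end of the file, so keep it last.
Match User tunnel-user
    AllowAgentForwarding no
    # GatewayPorts only affects remote (-R) forwards; the -D tunnel used later does not need it
    GatewayPorts yes
    X11Forwarding no
    ForceCommand echo 'This account can only be used for opening a tunnel'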
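One pitfall in this step: a Match block runs until the next Match line or the end of the file, so an AllowUsers line placed below it stops being a global allow-list. The check below is an added example, not part of the original article; the function name audit_tunnel_config and the sample config are constructed for illustration.

```shell
# audit_tunnel_config USER: read an sshd_config on stdin, print one finding per line,
# return non-zero if any. Only the plain "Match User <name>" form is recognised.
audit_tunnel_config() {
    awk -v user="$1" '
    function flag(msg) { print msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    {
        key = tolower($1)
        if (key == "match") {
            # A Match block runs until the next Match line or end of file.
            in_match = 1
            in_user = (tolower($2) == "user" && $3 == user)
            if (in_user) seen_block = 1
            next
        }
        if (key == "allowusers" && in_match)
            flag("line " NR ": AllowUsers follows a Match line, so it is scoped to that block")
        if (key == "allowusers" && !in_match) {
            global_allow = 1
            for (i = 2; i <= NF; i++) if ($i == user) listed = 1
        }
        if (in_user) val[key] = tolower($2)
    }
    END {
        if (!seen_block) { flag("no Match User " user " block found") } else {
            if (!("forcecommand" in val)) flag("Match block has no ForceCommand")
            if (val["allowagentforwarding"] != "no") flag("AllowAgentForwarding is not no")
            if (val["x11forwarding"] != "no") flag("X11Forwarding is not no")
        }
        if (global_allow && !listed) flag("global AllowUsers does not list " user)
        exit bad + 0
    }'
}

# Constructed sample (not a real server config): AllowUsers placed below the Match block.
sample_config() {
    cat <<'EOF'
Match User tunnel-user
    AllowAgentForwarding no
    GatewayPorts yes
    X11Forwarding no
    ForceCommand echo 'This account can only be used for opening a tunnel'
AllowUsers user1 user2 tunnel-user
EOF
}
sample_config | audit_tunnel_config tunnel-user || true
```

On the server, feed it the real file with `audit_tunnel_config tunnel-user < /etc/ssh/sshd_config`. It covers only the directives used in this article and does not replace the syntax check done by `sshd -t`.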
Let's reload the SSH daemon, and the server side changes are done!
service ssh restart
How to use
At this point you are pretty much done and you should be able to establish a secure connection through SSH from your client machine.
Normally you do this by running this command in a terminal (or Command Line on Windows) and configuring the proxy extension:
ssh -N -D 9999 -i ~/.ssh/tunnel_rsa tunnel-user@SERVER
To make it even more convenient for you let's add a custom ssh config (
Host tunnel
    HostName SERVER
    User tunnel-user
    IdentityFile ~/.ssh/tunnel_rsa
    DynamicForward 9999
With this you can establish a new connection even more easily:
ssh -N tunnel
And you are ready to go.
What's so special about this configuration?
There are a few cool things:
- The tunnel-user can log in to your server, but he can't do anything. He can't run any commands.
- No password is needed when establishing the tunnel.
- If you need, you can share your private key for the tunnel-user with your colleague and he would be able to use it as well. Well, you should never share your private keys with anyone, but in this particular case it won't be catastrophic for you :)