SOCKS5 Proxy and N800
I am familiar with tunnelling securely back to my home computer using PuTTY and Firefox. That way I can be away from home but still surf quite securely.
I'd like to do something similar with the N800, but don't know of any browsers available that support SOCKS. I downloaded Minimo, but it only has one field in which to enter a proxy. I assume that's just a http proxy. Does anyone have a suggestion? |
Re: SOCKS5 Proxy and N800
I would love an answer to this problem, too. Perhaps one is somewhere else in the forums, and we just haven't uncovered it yet.
|
Re: SOCKS5 Proxy and N800
I haven't used socks other than indirectly, but still.. it looks like it might be possible to do with the help of the 'privoxy' proxy and an external socks proxy. However, it'll have to be socks4a then I believe.
So, what you would have to do to try this is:
1) Install privoxy on the N800
2) Edit its /etc/privoxy/config file to have the following:
Code:
forward-socks4a / your-socks-server.your.domain:nnnn .
3) Make sure that's the only non-commented 'forward' line in the config file.
4) Set up a network configuration on the N800 which uses proxy, set it to 127.0.0.1 and 8118 (which is privoxy running locally on the N800)
5) In principle the N800 privoxy proxy should now forward through your external socks4a-compatible proxy.
6) Note that I've never used socks proxies other than indirectly, and that was through privoxy like described above.. I don't actually know how it's supposed to work from there, so the assumptions I'm making above that you could/would go through an external socks proxy/server may be rubbish for all I know.. |
Re: SOCKS5 Proxy and N800
Thanks! I'll give it a shot later today.
|
Re: SOCKS5 Proxy and N800
Dynamic port forwarding with SSH (that is, ssh -D 8080 user@somehost) can be used to simulate a local socks proxy at localhost:8080 - search my posts for a similar one I put up just like 5 minutes ago about this :)
This is essentially the same as using Putty on Windows to do the SOCKS proxy thing - you just need openssh installed, as well as a terminal to run the command in. Ryan |
Re: SOCKS5 Proxy and N800
Quote:
|
Re: SOCKS5 Proxy and N800
What I suggested was to point Opera or MicroB to a proxy (privoxy running on the N800) which converts to socks4a for you.. wouldn't that work? It works for my (admittedly not general) use case at least.
|
Re: SOCKS5 Proxy and N800
Using privoxy seems an easy solution.
I've also recompiled http://packages.debian.org/lenny/tsocks on the n800. It took me around 3 min to recompile and package but I have no way to check if it works (haven't even tried installing it actually but I don't see why it wouldn't). I can put it on a webserver if somebody is interested. Wget would be the easiest to try as it can be launched from cli.

    LD_PRELOAD=/lib/libtsocks.so.1.8 wget http://www.google.com

This should transparently redirect all socket operations to the libtsocks, which would socksify wget. |
Re: SOCKS5 Proxy and N800
I'd be interested in trying it out, free, if you want to make it available.
|
Re: SOCKS5 Proxy and N800
Hi folks,
I just managed to get the MicroB browser engine on the N800 to work with ssh proxy. It is a bit of a pain to set up, but it works.

First, in your xterminal, type (replacing me@myhost.com with your own SSH host -- this can even be a Linux router with SSH enabled, like my WRT54GL running DD-WRT)

    ssh me@myhost.com -D 3210

You should have to type your password of course, and then you'll get the remote prompt.

You must have the MicroB browser engine installed. Open your browser. In the URL address bar, type:

    about:config

Now you get a page that, if you use Firefox, should look somewhat familiar. At the top, there are two fields. One says, "Name" and the other one says, "Value". I will give the name and the value of each thing you need to add below. The name is followed by a space and the value:

    network.proxy.socks localhost
    network.proxy.socks_port 3210
    network.proxy.type 1

I had values in my http proxy fields that were screwing things up for me. If the above doesn't work, try leaving the value blank for these two names:

    network.proxy.http
    network.proxy.http_port

You know it's working if you go to a site that tells you your IP address (like http://staff.washington.edu/corey/info.cgi ) and it tells you the remote computer's address.

If you want to proxy your IM, it is a lot easier. Just use Pidgin, it has SOCKS proxy support built-in and accessible from the menu.

Alan

IMPORTANT UPDATE: If you close your browser and re-open it, you stop using the proxy! The good news is that the browser doesn't forget your proxy settings, it just sets the network.proxy.type to 0. It's a bit of a pain, but it is fairly easy to "fix," you have to go to about:config and put network.proxy.type in Name and 1 in Value and then submit it.

UPDATE 2: You can just bookmark the about:config page after you have submitted the network.proxy.type and then just click on the bookmark to set it again. I named the bookmark "Turn on proxy" |
Re: SOCKS5 Proxy and N800
qole's tips seem to work for me. I will confirm tomorrow by tunnelling home from work.
|
Re: SOCKS5 Proxy and N800
In theory, since MicroB is a Gecko browser, there should be a place to put a file called all.js with a line:
    pref("network.proxy.type", 1); // Force proxy use

I found just such a file at /usr/lib/microb-engine/greprefs. I changed it, but it is still getting overridden somewhere and set to 0.

Another note, after having used my proxy-hack for a while: I find if I close the browser and then re-open it, I can't just go to the "Use Proxy" bookmark, I have to go to it and click on the "Set Preference" button. |
Re: SOCKS5 Proxy and N800
Yes, I have also been clicking the Set Pref button just to be safe.
If you're going to all this trouble to surf securely, you do not want to slip up at the last hurdle and end up surfing insecurely! It also pays to do an ip check afterwards, just to be sure. |
Re: SOCKS5 Proxy and N800
For downloading tsocks, use the repository in my signature
Sorry, I really have no time at the moment, try it like I said with wget first. I guess you need to put the socks proxy info somewhere, look at the webpage of tsocks. This hasn't been tested, and it's only my second package on the device. Try Privoxy if tsocks doesn't work. Privoxy is really good I use it but not for socks. I read quickly qole's method, from what I understand you need an ssh endpoint, which is not always available. But it's a nice way of doing it. Bye |
Re: SOCKS5 Proxy and N800
I am not sure why you would want to do this at all if you don't have an SSH endpoint. Any other proxy would be insecure.
You really do need a SSH endpoint if you want to use web e-mail securely on an insecure AP or hotspot. Without an SSH-proxy, you are at risk of getting passwords stolen, etc. An SSH proxy is an encrypted tunnel from your N800 to a trusted network through which you can put all of your sensitive data. I recommend buying a $50 Linux-based router like the WRT-54GL and flashing it with DD-WRT firmware. Then set a non-default password and enable SSH. You now have an SSH endpoint from which to securely surf the web. If you have a dynamic IP, the DD-WRT firmware lets you update a no-ip account, so you can do something like "ssh -D 3123 root@myname.sytes.net" from your N800. |
Re: SOCKS5 Proxy and N800
Well, on _any_ unencrypted connection you can get your passwords stolen, AP or not. Obviously you can use an ssh tunnel to another network and read your web e-mail from there, but why not do one better and just go encrypted end-to-end? You can do that with gmail, and this is typically standard for webmail services set up by workplaces too. For other, improvised setups an ssh tunnel can be very useful. I use it a lot. But let's not forget VPN for connection to your nominal private network.
|
Re: SOCKS5 Proxy and N800
Quote:
|
Re: SOCKS5 Proxy and N800
Quote:
To your ssh tunnel output, which I guess is not gmail directly. I'm not using gmail but if they don't provide you SSL with certificate authority, forget about gmail. If they do, I don't think you can easily do a mitm attack. Otherwise you can compromise any bank, ebay, online paying in general. Don't mix link layer security with application layer security. TLS on top of WPA 2 is pretty secure AFAIK.. |
Re: SOCKS5 Proxy and N800
Here's how I'm looking at it: if I don't encrypt the entire session, then switching from an encrypted gmail connection to an unencrypted google maps connection might leave any cookies open to hijacking. I don't want to take the risk that someone can determine personally identifiable information--no matter how seemingly innocuous--while I'm browsing. It appears that most users, even perhaps users of these forums, view information privacy as a secondary concern. For me, information privacy is primary.
|
Re: SOCKS5 Proxy and N800
It is also for me, I use https with a certificate. And my webmail is much simpler than gmail which could open other unencrypted pages. Even if this is the case, cookies should only be accessible from the site that created them.
In theory :D |
Re: SOCKS5 Proxy and N800
Some more good news. I managed to get other programs, such as VNC Viewer, to run through SSH SOCKS proxy.
I used the Debian Sid "armel" tsocks package. I installed everything manually using my Ubuntu desktop and sftp; Application Manager complains that the Debian package is "incompatible". Perhaps someone who knows how to package stuff for the N800 could repackage this?

The /etc/tsocks.conf file needs only two lines:

    server = 127.0.0.1
    server_port = 3210

The server_port is whatever you put after the -D in your ssh line. I use 3210, you can use whatever you'd like. Then you just type:

    tsocks vncviewer

and it's like you're inside your own home network.

EDIT: tsocks is available in the debfarm repository |
Re: SOCKS5 Proxy and N800
Thanks qole. I finally got mine working.
|
Re: SOCKS5 Proxy and N800
Quote:
I have not tested it and won't. But if it is of any use, then good. |
Re: SOCKS5 Proxy and N800
free:
Sorry, yes, you did say that. I'm blind. more cool news: I just tested 'smbclient' with tsocks and it works! tsocks /usr/bin/browser does NOT work for me, however. So we're still stuck with about:config |
Re: SOCKS5 Proxy and N800
Not only does the browser reset the proxy type to 0 on close/open, it also does it when the connection changes. I'm assuming this is because you can set proxies per connection - but it doesn't support SOCKS proxy type through the standard connection manager (it allows HTTP, FTP, RTSP).
I wonder why they didn't support SOCKS out of the box. n810 / os2008 |
Re: SOCKS5 Proxy and N800
I'm able to proxy using openssh's dynamic port forwarding without using tsocks, at least with microb on an N800 running OS2008.
At about:config I set the values for network.proxy.:

    .socks = localhost
    .socks_port = 3129
    .proxy_remote_dns = 1
    .type = 1

And the command I'm running to get SSH to proxy it is:

    chmod 0600 /media/mmc2/key/my_openssh_privatekey_file.asc
    ssh -D 3129 -i /media/mmc2/key/my_openssh_privatekey_file.asc username@hostname

(The private key stuff is something you might not have to deal with, in that case the chmod'ing and -i parameter would be extra.)

After that I have a bookmark to activate the proxy setting:

    about:config?prefname=network.proxy.type&prefvalue=1

And this one to turn it off:

    about:config?prefname=network.proxy.type&prefvalue=0

Pidgin works fine with the connection. I'm not sure if Skype is using it because I can't seem to force it to use the SOCKS5 proxy. If it's not up it either isn't using the proxy or it's poking around and then connecting. I've heard from network admins that Skype is particularly nasty in this way, finding its way around firewall blocks. Hm, if I can figure out how to block everything but SSH traffic from the tablet that would help me test. |
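The socks4a route through privoxy and the SOCKS5 route through ssh -D with a remote-DNS setting, both described in the posts above, rely on the same thing: the hostname travels inside the SOCKS request, so the far end of the tunnel resolves it. The following Python is an added example, not code from any poster in this thread; mail.example.org and 192.0.2.10 are constructed sample values.

```python
import ipaddress
import struct

def socks4a_connect(hostname, port, userid=b""):
    """SOCKS4a CONNECT: DSTIP 0.0.0.x (x != 0) means 'hostname follows'."""
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + hostname.encode("ascii") + b"\x00")

def socks5_connect(dest, port):
    """SOCKS5 CONNECT (sent after the method greeting): ATYP picks the form."""
    try:
        addr = ipaddress.ip_address(dest)
        atyp, body = (1 if addr.version == 4 else 4), addr.packed
    except ValueError:                      # not an IP literal: send the name
        name = dest.encode("ascii")
        atyp, body = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + body + struct.pack("!H", port)

def destination_seen_by_proxy(request):
    """Return ('hostname', name) or ('ip', addr) as the SOCKS server sees it."""
    if request[0] == 4:
        ip = request[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:    # SOCKS4a marker
            after_userid = request[8:].split(b"\x00", 1)[1]
            return ("hostname", after_userid.split(b"\x00", 1)[0].decode("ascii"))
        return ("ip", str(ipaddress.ip_address(ip)))
    if request[0] == 5:
        atyp = request[3]
        if atyp == 3:                                   # length-prefixed name
            return ("hostname", request[5:5 + request[4]].decode("ascii"))
        size = 4 if atyp == 1 else 16
        return ("ip", str(ipaddress.ip_address(request[4:4 + size])))
    raise ValueError("not a SOCKS4/SOCKS5 request")

if __name__ == "__main__":
    # Constructed sample values. An 'ip' result means the client resolved the
    # name itself, so the DNS query went out on the local (untrusted) network.
    for req in (socks4a_connect("mail.example.org", 443),
                socks5_connect("mail.example.org", 443),
                socks5_connect("192.0.2.10", 443)):
        print(req.hex(), destination_seen_by_proxy(req))
```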
Re: SOCKS5 Proxy and N800
Hi InfinityDevil,
Your browser method is what I suggested in my earlier post. This method is kludgy and awkward, however. I want to get something like tsocks working with the browser so the socks5 redirection can happen automatically. This is a bit of a moot point for me these days, however. I'm not really using any "open" wireless networks so I don't need proxy at the moment. I also "upgraded" to OS2008 and so I don't have smbclient anymore. sigh. |
Re: SOCKS5 Proxy and N800
qole,
smbclient works with tsocks but browser not? Did you try to track a bit the problem?
-> If /usr/bin/browser overloads LD_PRELOAD and maybe bypasses tsocks then?
-> Network analyser?
Can you try with wget? I have no socks server but I can understand that some people might need it.. Did anybody open a bug report "wish" on bugs.maemo.org? |
Re: SOCKS5 Proxy and N800
InfinityDevil, the problem with your method is there's never any clear indication of if the proxy is being used since each new connection returns it to the unsocked configuration. The whole point (for me) is to always have a tunnel out of the untrusted network I'm on.
Thanks for writing it up - I definitely appreciate that. My intent isn't to be overly critical, it's just a flaw in not having an always-on configuration setting. |
Re: SOCKS5 Proxy and N800
Quote:
Perhaps a page could be written onto the local filesystem to detect the browser setting and display it and that would be your start page? Maybe click a link from there to turn on the proxy setting? qole, you're right I basically mirrored what you're seeing. As I mentioned to ydant above, however, aside from getting a browser that remembers what your settings are, how is using the SSH call and then opening the app set to the SOCKS5 setting going to be improved by using tsocks? |
Re: SOCKS5 Proxy and N800
InfinityDevil: I wouldn't worry about Skype using the ssh tunnel. Skype encrypts everything itself, so it doesn't need an encrypted tunnel.
free: 'tsocks wget' works fine. I ran 'tsocks wget http://192.168.0.5/index.html' and it returned the home page of my LAN web server's home page. I didn't try any low-level debugging on the 'tsocks browser' problem. My suspicion is that the 'browser' command isn't really the command that's running, it is simply a 'trigger' that tells the OS to run the browser. I just don't know enough about it. I guess someone could compile Lynx and we could use that one through tsocks. |
Re: SOCKS5 Proxy and N800
Ah good so the "tsock hack" works. I'll rebuild it for OS2008 (in case it's not compatible) and put it on my repo.
Is /usr/bin/browser even an ELF executable? Probably it's doing these funky DBUS stuffs to call another executable which should be embedded in tsocks. I'm sure somebody who knows this soup can patch this easily. |
Re: SOCKS5 Proxy and N800
InfinityDevil: I just saw your question about WHY one would use tsocks. If you run a net application like vncviewer or wget through tsocks, all of the proxying is handled transparently. The app doesn't even know that it is using a proxy, so you don't have to make any changes to the app's configuration.
|
Re: SOCKS5 Proxy and N800
Well, I found that the repository at http://mg.pov.lt/770 had a compile of Lynx (called links, here) and it worked fine with tsocks to let me browse the web via SOCKS proxy. Text rules! Who needs images anyway?!
|
Re: SOCKS5 Proxy and N800
links and lynx are two different things.
I discovered on this forum that links can support image also. I'll have to try that!! |
Re: SOCKS5 Proxy and N800
Quote:
|
Re: SOCKS5 Proxy and N800
If it's the same links version (and full image support is done), there's nothing to do:
http://links.twibright.com/features.php |
Re: SOCKS5 Proxy and N800
It isn't the same version. The graphics version is Links version 2.x (Debian package links2), the one compiled for Maemo is Links 1.00pre12. So text only. But cool, nonetheless.
|
Re: SOCKS5 Proxy and N800
Quote:
Quote:
The real issue is I'd be perfectly happy if microb would just retain the proxy setting I give it. If I had a better idea of what's going on internally, I'd just modify the shortcut to use the tsocks call full time instead.

Editing:

    /usr/share/applications/hildon/browser.desktop

Doesn't appear to have any effect on what is started when you run the browser from the web menu or the apps menu, so I'm apparently confused on what's calling what. :) |
Re: SOCKS5 Proxy and N800
Using "tsocks /usr/bin/browser" does work fine. So that's good. Tested by starting/stopping the socks proxy at various times.
Calling that from the command line gives the four white blocks icon instead of the globe icon on the task bar, though, for some reason. Once the browser is properly started, the bookmark links will open in that sockified browser. Again, good. So the question is - how do I change the command line used to start the browser? I think you're right that it's a dbus command somewhere. My ideal situation next would be to have a status-bar icon that allows you to start/stop the proxy (maybe one of many). This is something I'd code up at some point, but I am pretty sure someone will get tired of waiting before I get around to it. Just to be clear, I am OS2008 and N810, but it seems similar enough. |
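A start/stop indicator of the kind wished for above needs a way to tell whether the local ssh -D listener is actually a working SOCKS5 tunnel, rather than a closed port or an HTTP proxy such as privoxy. The following Python is an added example, not code from the thread: it performs the SOCKS5 greeting and a CONNECT by hostname and reports the proxy's reply code. Port 3210 is the one used in the posts; mail.example.org is a constructed target, and the check covers the tunnel only, not the browser's own proxy preference.

```python
import socket
import struct

REPLIES = {0: "ok", 1: "general failure", 2: "not allowed",
           3: "network unreachable", 4: "host unreachable",
           5: "connection refused"}

def _recv_exact(sock, n):
    """Read up to n bytes, stopping early only if the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def socks5_check(sock, hostname, port):
    """Run greeting + CONNECT on a connected socket; return a status string."""
    sock.sendall(b"\x05\x01\x00")              # VER 5, one method offered: no auth
    if _recv_exact(sock, 2) != b"\x05\x00":
        return "not a no-auth SOCKS5 listener"
    name = hostname.encode("ascii")
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                 + struct.pack("!H", port))    # ATYP 3: the proxy resolves the name
    reply = _recv_exact(sock, 4)               # VER, REP, RSV, ATYP
    if len(reply) < 4 or reply[0] != 5:
        return "malformed reply"
    return REPLIES.get(reply[1], "error %d" % reply[1])

def probe_tunnel(hostname, port, proxy=("127.0.0.1", 3210), timeout=5.0):
    """Connect to the local listener and classify it; never raises."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            return socks5_check(s, hostname, port)
    except socket.timeout:
        return "timed out"
    except OSError:
        return "tunnel down"

if __name__ == "__main__":
    # Constructed target; "ok" means the far end of the tunnel reached it.
    print(probe_tunnel("mail.example.org", 443))
```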