Stay safe on unencrypted public Wi-Fi

Wednesday 6 November 2013

Parisian Park

When working from a café or a parisian park, the tentation to connect to this unprotected public Wi-Fi is great. And you may know that all the web traffic not going through HTTPS is transmitted in clear for everybody connected to the same network to see! Basically, anybody sniffing the HTTP packets on the network can harvest your cookies and impersonate you. Remember Firesheep. Here is a solution to keep your Linux or Mac laptop safe.

Tunnelling to the rescue

We want to encrypt the HTTP traffic passing through this public wi-fi. We can use a transparent proxy which will forward all your network traffic through a SSH connection to a server of yours, using sshuttle.

Pre-requisites: somewhere to SSH

If you don’t already own a server with SSH access, you can use AWS EC2 and create a free micro-instance through your AWS Console. It’s really easy. When creating the instance, you will be provided with a .pem file. Put it in your ~/.ssh folder and chmod 600 it.

(Optional) Use your domain

You can setup a CNAME with your domain name if you own one. I named my micro-instance chaton, kitten in French.

$ dig +short

You can skip this step and use the public DNS name of your instance instead. Just replace each mention of in the following snippets.

Setup an SSH config

Open your ~/.ssh/config file and add a new configuration for this host.

Host chaton
  User ubuntu
  IdentityFile ~/.ssh/chaton.pem

That way, you’ll be directly connected to your micro-instance with:

$ ssh chaton

(If it does not work, make sure to chmod 600 ~/.ssh/config)

Get sshuttle

You need to clone the github repository. For instance:

$ cd ~/code/python
$ git clone git://
$ cd sshuttle
$ ./sshuttle --dns 0/0

The last line is here to manually check that sshuttle behaves correctly. On Mac OSX, you may need to reboot.

Create handy aliases

Open your .aliases file or your .zshrc / .bashrc, and put the following two lines:

alias ip="curl"
alias tunnel='~/code/python/sshuttle/sshuttle --dns \
              --daemon --pidfile=/tmp/ --remote=chaton 0/0'
alias tunnelx='[[ -f /tmp/ ]] && kill $(cat /tmp/ && echo "Disconnected."'

Don’t forget to put your own server in place of chaton

Encrypt your HTTP traffic!

That’s it! After sourcing your configuration file, you should be able to run

$ ip  # Your IP without the tunnel
$ tunnel
$ ip  # Your IP with the tunnel

Ready to get things done!

That’s it, next time you want to connect to an unencrypted Wi-Fi:

  1. Close your Browser and Mail client
  2. Connect to the evil unencrypted Wi-Fi
  3. Launch a Terminal and run tunnel
  4. Enjoy the Internet!

Would you like to learn programming? I am CTO of Le Wagon, a 9-week full-stack web development bootcamp for entrepreneurs, and would be happy to have you on board!

comments powered by Disqus