Mac OS X 10.4 Tiger

What follows is more or less literally copied from the computing support pages of the Harvey Mudd College Department of Mathematics, Claremont, CA.

We run a Cisco VPN concentrator that allows a remote user to connect to a server at the institute so their machine can appear to be running from within the institute’s network. Using this “Virtual Private Network” (VPN) connection allows you to access services that are restricted to machines within the institute’s network or that authenticate your access based on your machine being on the institute’s network. Examples include using various databases and online journals as well as allowing you to run software that queries a license server for a license.

Mac OS X 10.6 (and iOS!) has built-in support for Cisco IPsec VPN connections. However, as of April 2017 that no longer works with our VPN concentrator. You will need the Cisco AnyConnect client software installed on your device; however, this is licensed software that I cannot put here for download.

Outgoing SSH connections are usually unrestricted, even in guest networks. In the following we will show how to use SSH as a VPN replacement. It doesn’t work perfectly, in particular not for connections which internally open additional ports; however, access to our license managers (including Intel compilers, Mathematica, MATLAB) and online journals usually works.

SSH as a SOCKS Proxy Server

The secure shell, SSH, can perform “port forwarding”, allowing a TCP or UDP network port on your machine to be connected to a port on another machine. So you can forward a local port to one on a remote server, and your local application will act as though it was connected to the remote server.

Even better, SSH supports “dynamic port forwarding”, where you don’t have to specify the ports to be forwarded and your computer figures out what to do on its own: it acts as a SOCKS server.

Setting up SOCKS on Mac OS X

Mac OS X supports multiple network configurations it calls “Locations”. Each location can have a different set of active network devices, as well as different IP addresses or methods of obtaining an IP address. In general, the default location, “Automatic”, handles everything dynamically—it uses the Airport wireless network or a hardwired Ethernet network, obtains addresses via DHCP or by self-assignment, and switches to the fastest working network, all on its own.

But by creating locations, you can take more control over the networking behavior of the machine. These options are especially useful if you’re traveling and need to use information provided to you by your hosts and don’t want to disrupt your default settings.

Configuring a Network Location

For our “poor-man’s VPN”, we’ll set up a new network location that uses Mac OS X’s SOCKS proxy support. When we need to use the SOCKS proxy, we’ll switch to this location; when we don’t, we can switch back to Automatic or some other appropriate location configuration.

Start by opening the System Preferences application (in your Applications folder or by choosing Apple menu->System Preferences…). There you’ll see an icon labeled Network; double-click it to open the Network preference pane.

Add a new location

Choose Edit Locations… from the drop-down Locations menu at the top of the dialog. Select the Automatic location, then click on the gear menu and choose Duplicate Location to create “Automatic Copy”. Click on the “Automatic Copy” location to rename it to “Automatic, Through Proxy” or something else meaningful.

Open the Advanced Configuration Options

Next, click the Advanced… button to get to the detailed network configuration.

Configure the SOCKS Proxy

Choose the Proxies tab. In the drop-down menu next to Configure Proxies, choose “Manually”, which will open new panes in the dialog. Click the check box next to SOCKS Proxy in the leftmost pane, then, in the text-entry field below the SOCKS Proxy Server label on the right, enter localhost in the first box, and 1080 in the smaller box following the colon. These settings tell the machine to use port 1080 on your machine as the SOCKS proxy port.

Click the OK button to return to the Network dialog.

Apply Changes

Click the Apply button to save your changes and make your new location the active location.

Test the Connection

Now you can open a Terminal window and SSH into our SSH server holmes1 like this:

ssh -D 1080 user@holmes1.cpfs.mpg.de

Replace user with your CPFS login name and make sure to include the -D 1080 arguments in your command; these arguments tell SSH to run as a SOCKS proxy on port 1080 of your Mac.
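
To check that the proxy started by the ssh -D 1080 command is listening and accepting requests, the following added example (not part of the original page) sends a SOCKS5 greeting and a CONNECT request to port 1080 on your Mac. The function name, the target host license.example.org and port 27000 are placeholders chosen for this example.

```python
import socket
import struct

def _recv_exact(sock, n):
    """Read exactly n bytes or raise ConnectionError on early close."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def check_socks_proxy(dest_host, dest_port, proxy_host="127.0.0.1",
                      proxy_port=1080, timeout=5.0):
    """Return 'accepted', 'proxy down', 'no socks5 reply' or 'refused (REP=n)'."""
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout)
    except OSError:
        return "proxy down"  # nothing listens on the port: ssh -D is not running
    with sock:
        try:
            # Greeting: VER=5, one method offered, 0x00 = no authentication.
            sock.sendall(b"\x05\x01\x00")
            if _recv_exact(sock, 2) != b"\x05\x00":
                return "no socks5 reply"
            # CONNECT (CMD=1) by host name (ATYP=3), so the name is sent
            # through the tunnel instead of being resolved locally.
            name = dest_host.encode("idna")
            sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                         + struct.pack(">H", dest_port))
            ver, rep, _rsv, atyp = _recv_exact(sock, 4)
            if ver != 5:
                return "no socks5 reply"
            if rep != 0:
                return f"refused (REP={rep})"
            # Drain the bound address (IPv4, IPv6 or length-prefixed name) and port.
            alen = {1: 4, 4: 16}.get(atyp)
            if alen is None:
                alen = _recv_exact(sock, 1)[0]
            _recv_exact(sock, alen + 2)
            return "accepted"
        except OSError:  # covers timeouts and early close
            return "no socks5 reply"

if __name__ == "__main__":
    # Placeholder target; substitute a host you normally reach through the tunnel.
    print(check_socks_proxy("license.example.org", 27000))
```

A result of "accepted" only means the proxy took the request; "proxy down" is the situation described under Troubleshooting, where the SSH connection is not running.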

Change Locations

While you can change locations by opening the Network preference pane, Apple provides a convenient shortcut in the Location menu in the Apple menu. When you’re not using the proxy server, you’ll want to change locations back to Automatic or another location.

Troubleshooting

You may have problems accessing local resources (e.g., a network printer in your home) while using the SOCKS proxy, as all connections will be forwarded through the remote machine.

When logging out of the remote machine, you may sometimes need to type Control-C to completely close the connection.

When your SSH connection is not running, you will not be able to use networked applications (such as web browsers) until you either make a connection (with port forwarding) or you change to a location without a configured proxy.