Secure your mobile wi-fi browsing with the NSLU2

Web browsing at the coffee shop

If you have ever browsed the web at your local coffee shop, restaurant or other wi-fi hotspot, you were likely doing so over an “open” or “unsecured” wireless network. This means that all of your traffic was being transmitted to the wireless router in unencrypted plain text. Because a wireless internet connection uses radio signals to connect your laptop to the wi-fi hotspot, anyone with another wireless card (e.g. in a laptop) can potentially receive those signals and capture the traffic.

a hacker capturing packets from an unencrypted wireless link

There have been numerous accounts of people browsing the web over these unsecured networks who have found their passwords stolen and in some cases their accounts breached. Unfortunately it is quite simple for a nefarious evildoer to capture all of the traffic from a given channel on an unsecured wireless router.

Typically, the effort is as simple as some criminal putting a wireless card into promiscuous mode, saving packets with a packet capture application and then perusing the traffic information at their leisure. They can then extract login information and then either use it or sell it at some point in the future. The worst part is that you may not know your account(s) have been compromised until days, weeks, months or even years later.

So how can you protect your web traffic when connecting to the internet via an internet connection that you don’t control? Fortunately, there is a solution to this common problem and it’s not that difficult to implement.

Secure browsing courtesy of the NSLU2, SSH Tunneling and SOCKS proxy…

This solution is really quite simple and can be implemented by anyone with a little bit of computer administration experience. The key to securing your browsing sessions from a public hotspot is to make use of your existing broadband connection at your house…while you are at the coffee shop!

Basically, you will configure a secure “SSH tunnel” from your laptop back to your home network. Once your browsing requests reach the NSLU2 server on your home network they will be decrypted and sent to the internet from your NSLU2. In essence, you are using your NSLU2 as a proxy server so that you are effectively browsing the web from your home network as opposed to the coffee shop network.

In order to use your home internet connection while you are not at home, you will need some inexpensive hardware and a little bit of time to configure your home router and your laptop. It sounds daunting, but it is not.

securedPublicWifi with NSLU2, SSH, Putty and SOCKS Proxy

The central piece of this solution is the Linksys NSLU2 device. The NSLU2 is a small Network Attached Storage device that allows you to connect 2 USB hard drives or flash drives to your network and access them via Windows file sharing.

The NSLU2 firmware is based on the Linux operating system, and special versions of Linux are available that run on the NSLU2 device. A large community of open source developers has arisen to make the NSLU2 and similar devices into general purpose, albeit small, Linux computers. The NSLU2 Linux homepage can be accessed here.

Setting up your NSLU2

After you have received your NSLU2 device, you can follow the instructions to install the “Unslung” Linux firmware distribution on it. Be sure to follow the instructions exactly so that you don’t brick your device. There is a very well written “New Users Guide” that you should read before you proceed.

Once you have fully installed your new “Unslung” Linux firmware, you will follow the instructions to “unsling” your new firmware to a connected USB hard drive or USB flash drive. After completing the process of unslinging your “Slug”, you will then need to start installing the tools required to turn your Slug into an SSH server. Here are some quick links to help get you started:

Access the NSLU2 from outside your home router

Now that you have enabled telnet, then enabled the SSH server on the slug and configured your laptop to use Putty and the SOCKS proxy to browse the web, you need to configure your NSLU2 to be seen from outside of your home network.

The easiest approach is to forward a specific port on your DSL/cable router to the SSH server port on your NSLU2. The standard SSH server port is 22. If you simply wanted to make this port available outside your router’s firewall, you would forward external port 22 to the NSLU2’s port 22. Many folks don’t do this, however, because any port that is open on the external side of your NAT firewall is visible to anyone on the internet. This means that nefarious, evil-doing bots will start trying to access your service at this location, and by using external port 22 you basically advertise that you have a secure communication channel on that port. An alternative is to obfuscate the nature of the service simply by selecting a different number for your external port. Note that port 80 is the standard web server port for the HTTP protocol, with other common HTTP ports being 8080, 8088 and others. You can usually pick any port number between 1024 and 65535.

Obtaining your external DSL/cable router’s IP address

After you have configured your port forwarding options, you need a way to contact your home router from out on the “public” internet.   To do this, you have a few options:

  • Obtain a static IP address for your router (ISPs usually charge ~$5/month more for this option).
  • Check your external router IP address daily, remember it and hope it doesn’t change.
  • Use a free service such as DynDns to provide you with a hostname that can be dynamically updated.
    • As far as cheap options go, this is the best, as you never have to deal with IP addresses and you only need to remember your personal hostname.
    • If you use DynDns, there is an automated update script that can be installed on your NSLU2.  This script works for most setups.
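
With the port forward and a hostname in place, this is how the laptop side of the tunnel can be opened. It is an added example, not part of the original article, and it assumes an OpenSSH client on the laptop rather than PuTTY. The account name, hostname and port numbers in it are hypothetical.

```shell
#!/bin/sh
# Added example: SOCKS tunnel from the laptop to the home SSH server.
# All values passed in are hypothetical; none come from the article.

# The article suggests an external port between 1024 and 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;          # empty or non-numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Host and user names are limited to safe characters so the command
# line can be word-split without surprises.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# tunnel_cmd USER HOST EXT_PORT SOCKS_PORT -> prints the ssh command line.
#   -N  no remote shell, forwarding only
#   -D  SOCKS listener bound to loopback, so others on the hotspot cannot use it
#   StrictHostKeyChecking=yes  refuse an unknown or changed host key; the key
#       must already be in known_hosts from a first connection made at home
#   ExitOnForwardFailure=yes   fail instead of running without the proxy
tunnel_cmd() {
    valid_name "$1" && valid_name "$2" || { echo "bad user or host" >&2; return 1; }
    valid_port "$3" && valid_port "$4" || { echo "port must be 1024-65535" >&2; return 1; }
    printf 'ssh -N -p %s -D 127.0.0.1:%s' "$3" "$4"
    printf ' -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes'
    printf ' -o ServerAliveInterval=30 %s@%s\n' "$1" "$2"
}

# open_tunnel USER HOST EXT_PORT SOCKS_PORT -> runs ssh in the foreground.
open_tunnel() {
    cmd=$(tunnel_cmd "$@") || return 1
    echo "starting: $cmd" >&2
    exec $cmd    # unquoted on purpose: every field was validated above
}

# Usage: sh tunnel.sh open tunnel myslug.example.org 2222 1080
if [ "${1:-}" = "open" ]; then
    shift
    open_tunnel "$@"
fi
```

Point the browser at the SOCKS v5 proxy on 127.0.0.1 and the chosen local port, and enable proxying of DNS lookups; otherwise host names are still resolved over the hotspot.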

to be continued…
