opoet Blog https://www.opoet.com/pyro/ Blog posts for opoet en-gb tim@opoet.com Copyright 2024

SSH Tunnels Explained https://www.opoet.com/pyro/index.php/blog/2015/01/ssh-tunnels-explained

Some basic concepts to get you going...

I recorded this small presentation on the 3 types of SSH tunnels supported by Secure Pipes and their basic configuration. Sometimes it gets confusing on whether you need a local forward or a remote forward, so this video can help explain things clearly. Please ignore all my "um's" and "uh's", since I haven't yet quite reached YouTube star status.

Tim

Fri, 30 Jan 2015 23:23:00 +0000 Tutorials
Version v0.85 https://www.opoet.com/pyro/index.php/blog/2014/11/version-v085

Secure Pipes v0.85 is Released!

It's been a while since I added any features to Secure Pipes, so I recently took the time to add two that were requested by some users. They are fairly straightforward to use, but I'll give them some words anyway.

HTTP Proxy Support

In some very restrictive network environments (mostly in big corporations), users are only allowed to access the internet by HTTP proxy. I've added a feature in the "Advanced" tab of each connection type that will allow you to use an HTTP proxy to make the SSH connection to your SSH server. Note not all HTTP proxies support this, so you'll have to check with your network admin. If your proxy requires a username and password, there are fields for this as well. Note that just like the SSH password, the HTTP proxy password is stored in the OS X keychain. I've only tested this with squid as a proxy server. I've used some others in the past, but that was the quickest (and cheapest) I could find that also supports authentication (which the user required). This implementation uses a modified version of corkscrew to open the SSH connection using SSH's ProxyCommand feature.

SSH Hostname from Script

In a somewhat unique request, I had a user who runs virtual machines on his Mac using Parallels. Since the virtual IP addresses of the machines change, he wanted a dynamic way to get the IP address for a connection. This feature runs a shell script, the output of which is expected to be the hostname or IP address of the connection. You can also type in arguments to the script, and Secure Pipes will also pass you a CONNECTION_NAME environment variable containing the connection name if that might be useful.

I'm currently working on further implementation of "Managed Connections" that will allow you to remotely control and monitor connections. This is part of the Free Proxies link on the site. Unfortunately, I haven't had much time to work on this lately, but hope to get back into it in the coming weeks.

Tim

Mon, 17 Nov 2014 20:35:00 +0000 New Releases
Basic TCP/IP Concepts https://www.opoet.com/pyro/index.php/blog/2014/07/basic-tcpip-concepts

Just so we're all on the same page...

I recorded this simple overview of some of the concepts of TCP/IP so that the context in which Secure Pipes is used is a little clearer. And, I also wanted to test out my setup for recording these tutorials. I can't believe how many tries it took me, and I'm still not very happy with this. Anyway, I have a little more appreciation for actors now.


Tim

Tue, 15 Jul 2014 21:45:00 +0000 Tutorials
History of Secure Pipes https://www.opoet.com/pyro/index.php/blog/2014/06/history-of-secure-pipes

Secure Pipes was built to solve my own problems...

I usually learn best from examples, and although for some people Secure Pipes might look like just a fancy wrapper around some SSH features (which it is), I found it quite difficult to explain to my friends and family the benefits of this software. So, I thought I would write this quick blog to tell the story about how this software came to be, which might help people discover its utility.

The Great Firewall of China

As my first assignment at my day job, I spent 4 years in China starting a factory. As most people know, all China web traffic is subject to the censorship restrictions of The Great Firewall. Coming from a tech background, it wasn't too difficult for me to get around this to access my Facebook account by just setting up an HTTP proxy server in our US office accessed via the company VPN. This worked, but required the overhead of the VPN, setting up an HTTP proxy server, and only handled HTTP(S). Some years later I discovered that SSH provides a much easier (and generic) way to set this up with its SOCKS proxy support. However, the command line arguments were difficult to remember for the occasions that I used it, and quite often the connection would go down, forcing me to restart the proxy. Of course, I could write a quick shell script to fix this, but I thought it would be nicer, and more "Mac", to have the capability built right into the menu bar. In my former life I used to be a somewhat active Linux hacker with a focus on making open source software easier to use, so thus the desire to make an easy way to set up and manage a SOCKS proxy was born.

Privacy and OS X Server

Again, from my life at Cobalt, I have always had an interest in the server side of Internet life with a focus on making servers easy to use. Once OS X Server started being a simple and cheap addition to OS X, I bought a copy to play around with. At times a bit limiting, I still really like the software and like the idea of having a secure server platform that is easy to manage and not based on uninspired, overly complicated software. Call me old school, but I also like the idea of being in complete control of my data, which means running my own dedicated server without a service provider having any kind of superuser access. Cloud services are nice and convenient, but they have their place. I believe for applications like email and anything else that can have legal consequences to you or your company, you need to really own your data and accept the responsibility to protect it. So, I set my sights on finding a way to use OS X Server as a primary, Internet-facing mail server (including address book, calendaring, etc).

Unfortunately, Apple stopped making the Xserve and doesn't allow you to run OS X on general purpose hardware (like 1U rack mountable servers), even in a virtual environment. For these reasons, it's not really convenient to host a Mac in a data center and although solutions exist, you will pay a premium to have a hosted Mac server, and you're still stuck with a third party having keys to your data. Therefore, I convinced myself I needed a way to just run the server locally with my existing Internet connection.

Luckily, while learning about all the not so well known features of SSH, I learned about its ability to set up local and remote tunnels. I figured that with a cheap cloud hosted SSH server having a fixed IP and some remote forwards, it would be easy to get my OS X Server Internet-facing and unleash its real potential. However, as in the case with setting up the SOCKS Proxy with SSH, remembering how to set up the tunnels, making sure the tunnels stay up, restoring the tunnels in the event of a power outage, etc. were some problems I wanted to solve. So thus my desire to write Secure Pipes was fueled even further.

Although far from complete or free from bugs, the minimum functionality I wanted for Secure Pipes is done, and I would like to share it with others in hopes you will find it useful for at least a) getting access to your Facebook accounts from China, and b) promoting the use of OS X Server. I will continue to blog about the software here with some tutorials and cookbooks to help people get started, and really appreciate getting feedback and/or questions from those of you who give it a try.

Happy piping,

Tim

Wed, 11 Jun 2014 16:56:00 +0000 General