This article assumes you have some knowledge of SSH, so I will not explain any basic terminology. Read the SSH manual first.
I needed a way to get secure networking on my iPhone and iPad. Unfortunately my connection does not play well with a normal SSH tunnel, because there is no easy way to tell an SSH tunnel to use the ISP’s required HTTP proxy.
This solution is for you if your ISP forces you to use an HTTP proxy but you still want an SSH tunnel. Requires a jailbroken device!!
Only follow this guide if your ISP requires you to use their own HTTP proxy.
Setting up an SSH tunnel over HTTP proxy
2. Edit the .pac file and change it so that it contains var normal = "SOCKS 127.0.0.1:1080"; (a PAC file is JavaScript, so the proxy string must be quoted). You may use any port, but I will stick to 1080 in this tutorial. Rename the file to “proxy.pac”.
3. SSH into your iOS device, or use an application such as iFile, and place the .pac file in this location: /private/var/root/proxy.pac. Make sure that this file can be read, written and executed by root. This option will be in ‘access permissions’ in iFile.
I believe some older versions of iOS do not support local .pac files. In this case, put the .pac file in some publicly accessible place on the internet. Version 5.0+ of iOS works fine.
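A complete proxy.pac for this setup, written here as an added example (it is not the file from the original post; the private-address ranges and the DIRECT rule are my choices). PAC files are plain JavaScript: the OS calls FindProxyForURL(url, host) for every request and uses the returned string. Loopback, single-label and private addresses go DIRECT so that local services keep working; everything else goes to the SOCKS listener that autossh opens on port 1080. There is intentionally no "; DIRECT" fallback after the SOCKS entry: with one, a request would silently bypass the tunnel whenever autossh is between reconnects, which is exactly the leak this setup is meant to prevent. The address check avoids the PAC-only built-ins (isInNet, dnsDomainIs) so the file can be sanity-checked with node before it is copied to the device.

```javascript
// proxy.pac: an added example, not the original post's file.
// The OS calls FindProxyForURL(url, host) for each request and uses the
// returned proxy string. "SOCKS host:port" sends the request through the
// SSH tunnel listening on localhost:1080 (the -D 1080 in the autossh command).
var normal = "SOCKS 127.0.0.1:1080";

// Dotted-quad check, written as a regex so that no PAC-only built-ins are
// needed and the file also runs under node for testing.
var ipv4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Loopback (127/8) and the RFC 1918 ranges (10/8, 172.16/12, 192.168/16).
function isPrivateAddress(host) {
    if (!ipv4.test(host)) return false;
    var o = host.split(".").map(Number);
    return o[0] === 127 || o[0] === 10 ||
           (o[0] === 192 && o[1] === 168) ||
           (o[0] === 172 && o[1] >= 16 && o[1] <= 31);
}

function FindProxyForURL(url, host) {
    var h = host.toLowerCase();
    // Loopback names, unqualified (single-label) hosts and private
    // addresses stay local; they are not reachable through the remote end.
    if (h === "localhost" || h.indexOf(".") === -1 || isPrivateAddress(h)) {
        return "DIRECT";
    }
    // Everything else is sent through the tunnel. No "; DIRECT" fallback on
    // purpose: if the tunnel is down, the request fails instead of leaking.
    return normal;
}
```

If you later change the -D port in the autossh shortcut, change the port in the normal string to match; the .pac file and the tunnel must agree or every request will fail.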
Install common Unix commands – You will use the Unix tools that form the base of iOS
4. Go to Cydia and install the following: connect.c, MobileTerminal, OpenSSH, inetutils, and screen. Optional: Automatic SSH.
5. In iOS go to: Settings/Network/Wifi/<your network>
Under ‘HTTP Proxy’ add “file:///private/var/root/proxy.pac”. This means MobileSafari and other apps will use this setting. In other words it serves as a SOCKS option for all apps!
So now your apps can connect to localhost:port which is running your SSH tunnel. However, this is not enough because your ISP may force you to use a HTTP proxy (or any other type of proxy).
Configure the HTTP proxy using connect.c
6. In iOS, go to: /etc/ssh/ssh_config. Open it in a text editor (e.g. iFile) and add the following line:
ProxyCommand connect -H <my_isp_proxy>:<port> %h %p
You should change <my_isp_proxy> to the HTTP proxy that you are forced to use, and <port> to the port that it uses.
If you are not using an HTTP proxy then consult the connect.c documentation for alternative commands.
Notice: You may need to comment out this line when you do not want to use the HTTP proxy. Again, use iFile for this.
Configure the SSH tunnel
7. In MobileTerminal: Click on the ‘i’ button and add a shortcut with the following command:
autossh -M 12345 -D 1080 -C -p <ssh port> -N <user>@<ssh server>
This assumes you also installed Automatic SSH from Cydia. If you didn’t, use the regular ‘ssh’ command and drop the ‘-M 12345’ option.
I used autossh because I want the tunnel re-created automatically every time the connection is lost. If you want this, I recommend setting up your SSH server to use key files. This way you never need to enter a password, and SSH will reconnect and re-create your tunnel without user input.
8. Type ‘screen’ in MobileTerminal and press enter to exit the first page.
9. Run the shortcut you just created in MobileTerminal. Done! – ‘screen’ is a nice program that will let you revisit the terminal anytime. To resume your virtual terminal, exit the app, re-enter, and type ‘screen’.
10. Reboot your device. Now enter MobileTerminal and connect to your tunnel.
Test your tunnel
Verify your settings by checking your external IP address in MobileSafari. You should see your SSH server’s IP address and not your normal one.
If it worked, all of the traffic on your iPhone/iPad will go through your SSH tunnel. This is great for unsecured public wifi, or for environments with tough firewall restrictions such as work or college.
How this works
The MobileTerminal shortcut creates an SSH tunnel that listens for connections on localhost:1080. All of your apps will connect to localhost:1080 because of the .pac file in settings. This accomplishes the main goal of forcing all apps to use a kind of SOCKS proxy.
The ProxyCommand line you added to ssh_config makes the SSH client reach the SSH server through your ISP’s HTTP proxy.
There are other ways to accomplish this goal but this one seems to be the most stable for me.
Leave a comment if you are having problems. Read up on SSH.