I have a QNAP TS-109 II Network Attached Storage (NAS) device which I use for data storage, download station, torrent client etc. This NAS is a Linux Box so I thought about using it for another application in addition to the other mentioned above: as an SSH tunneling box for encrypting traffic when I’m outside of the home (on an unsecured wi-fi hot spot for example). Since the NAS is already running an SSH deamon, you can enable it to work as an SSH tunneling server. Basically you can use PuTTY (SSH client) to create an SSH tunnel with the NAS using local port forwarding. PuTTY creates a local port on your PC (e.g 9999) which listens for connections and sends all traffic that is destined to this local port over to the remote NAS SSH server. This traffic is sent over the encrypted SSH tunnel between your PC and the remote NAS. At the NAS end, the traffic exits the NAS towards the Internet (TCP Forwarding must be enabled on the NAS). With that setup you essentially create a secure encrypted tunnel that can be used to access the internet securely when you are connected on a public wi-fi hot spot or even in a hotel room.

First, we need to make some changes on the sshd configuration of the NAS station. Open a CLI connection with the NAS (using telnet or ssh) and edit (using vi) the sshd_config file located under /etc/ssh/ path. You need to change the following settings in sshd_config:

  • Uncomment the #AllowTcpForwarding no parameter (remove the # ) and change it to yes.
    AllowTcpForwarding yes
  • Uncomment the #PermitTunnel no parameter (remove the # ) and change it to yes.
    PermitTunnel yes

However, the changes above will not be permanent since the QNAP NAS device will change all configuration to default settings when rebooted. Therefore we need to somehow make the changes permanent. What we can do is the following:

  • Copy the modified sshd_config file into a shared location on the NAS.
  • Use the “autorun.sh” script to copy the modified sshd_config file from the shared location and overwrite the original sshd_config file located under /etc/ssh/
  • Then restart the sshd deamon to take the new modified settings.

I have copied the modified sshd_config file under /share/HDA_DATA/
Now, in order to create the autorun.sh file, do the following:
# mount -t ext2 /dev/mtdblock5 /tmp/config
# vi /tmp/config/autorun.sh

Get into vi editor and enter the following lines:
cp /share/HDA_DATA/sshd_config /etc/ssh/
killall sshd

Save the file and make it executable.

# chmod +x /tmp/config/autorun.sh
# umount /tmp/config

That’s it for the NAS.

Now in order to create the ssh tunnel, we will use PuTTy as shown below:

Open up PuTTY and go to Tunnels. At Source Port enter a desired local port that will be listening on your local PC (e.g 8888). Select Dynamic and press Add.

As you can see above, port 8888 is created. This port will start listening on your local PC after you connect with SSH to the NAS.

Now go up to “Session” and put the IP address of your NAS ssh server. The picture above shows a private IP address (192.168.10.111) but in real situations this should be the domain name or the public IP address of your NAS server. Click “Open” to log in to the NAS with your SSH username and password. When you log in, a secure SSH tunnel will be created between your PC and the remote NAS server.

If you need to encrypt all of your internet browsing traffic, you have to configure a SOCKS proxy on your browser with IP address 127.0.0.1 and port 8888.

Filed under: General Security

Like this post? Subscribe to my RSS feed and get loads more!