Turn your old laptop into a SOCKS proxy server

You have one or more old laptops, but you don't use them for a number of reasons. For instance, they don't have enough power to browse the Web of today, or handle 3D graphics. You can't even use them for word processing or running a spreadsheet program. That's a pity, because they never really malfunctioned or gave you any problems. There are plenty of duties your good old pal can still do for you. Here are some of the best things about laptops running as low-cost servers:

  • Reduced power consumption, yet they have a fair amount of capabilities.
  • Some of them can be absolutely silent when they're idle.
  • If the battery still works it protects the system against power failures.
  • They can be placed almost anywhere.
  • Hard disks can be spun down almost all the time.
  • The screen lid can be shut to save energy.

A few months ago I was about to leave for a trip, and I knew I would need Internet access from different hotels, which means sharing public access points with unknown people. I decided to encrypt my communications using my home network as a gateway.

In this article I will describe how I turned an old Dell Latitude into an SSH/SOCKS server, with an emphasis on power saving and quietness.

The specs of the machine are, roughly:

  • Pentium III 700 MHz (Coppermine)
  • 128 MB RAM
  • 6 GB IDE HDD
  • Ethernet port
  • Two batteries
  • 15" display
  • [Will not be used:] CD and Floppy drives (swappable), modem, USB port, IrDA, S-Video, stereo speakers and microphone

Okay, the first step was installing my distro of choice, the latest Debian (Wheezy), but only the base system and the OpenSSH server. No graphics mode, no audio, no printer, no web server; just a plain SSH service. During installation I defined a static IP address. At the end, the machine was restarted.

1. Secure SSH

At this point you should have SSH listening on port 22. I strongly recommend changing this to a randomly chosen port number. It should be greater than 1024, but less than 65536. We will use 39012 for the example.

Edit SSH config file:
nano /etc/ssh/sshd_config

and change the port number:
Port 39012

Disabling root login is also a good idea:
PermitRootLogin no

Those are the most essential changes; they take effect once the SSH service is restarted. You can further adjust the config file according to your needs, and add public keys to SSH.
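To check that the edits from this section are really the ones in effect, here is an added example (not part of the original article) that audits an sshd_config for the Port and PermitRootLogin settings. The function names are hypothetical, and only the global section of the file is evaluated: anything after a Match line is ignored.

```shell
#!/bin/sh
# Added example, not from the original article. Audits the global section of an
# sshd_config (file path, or "-" for stdin) for the two settings from section 1.
# Prints one OK/WARN line per finding and returns 0 only if nothing was flagged.
audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    {
        # accept the "Keyword=value" spelling as well as "Keyword value"
        if (match($0, /^[ \t]*[A-Za-z]+[ \t]*=/)) sub(/[ \t]*=[ \t]*/, " ")
        key = tolower($1); val = $2               # keywords are case-insensitive
    }
    key == "match" { exit }                       # Match blocks are not evaluated
    key == "port"  { ports[++np] = val }          # every Port line adds a listener
    key == "permitrootlogin" && !seen { root = tolower(val); seen = 1 }  # first one wins
    END {
        if (np == 0) { print "WARN Port: not set, sshd listens on the default 22"; bad = 1 }
        for (i = 1; i <= np; i++) {
            p = ports[i]
            if (p !~ /^[0-9]+$/)  { print "WARN Port " p ": not a number"; bad = 1 }
            else if (p + 0 == 22) { print "WARN Port 22: still the default"; bad = 1 }
            else if (p + 0 <= 1024 || p + 0 >= 65536) {
                print "WARN Port " p ": outside 1025-65535"; bad = 1 }
            else print "OK   Port " p
        }
        if (!seen) { print "WARN PermitRootLogin: not set, built-in default applies"; bad = 1 }
        else if (root != "no") { print "WARN PermitRootLogin " root; bad = 1 }
        else print "OK   PermitRootLogin no"
        exit bad + 0
    }' "$1"
}

# Constructed sample: the relevant lines after the edits described above.
sample_hardened() {
    printf '%s\n' '# constructed sample' '#Port 22' 'Port 39012' 'PermitRootLogin no'
}

sample_hardened | audit_sshd_config -
# On the server itself: audit_sshd_config /etc/ssh/sshd_config
```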

2. Enable IP forwarding
Edit the file /etc/sysctl.conf and uncomment the following line:
net.ipv4.ip_forward = 1

Run this command to reload the configuration:
sysctl -p /etc/sysctl.conf

3. Power management

Since most of the time your hard disk will be unused, let's take advantage of aggressive power saving. Install hdparm:
apt-get install hdparm

Edit the config file:
nano /etc/default/hdparm

Here's my current configuration, which will spin down the HDD after 1:40 min:
harddisks="/dev/sda"
hdparm_opts="-S 20"
RAID_WORKAROUND=no

Save changes [Ctrl + X]. Now restart hdparm:
service hdparm restart

Depending on the type of CPU, you might want to manually install the package cpufrequtils in order to handle frequency scaling:
apt-get install cpufrequtils

It should work right out of the box.

4. Become accessible from the world
Most likely you are behind a router or firewall, and from now on you should permit connections to your server. In most home routers there is an option called Virtual Server. It simply allows you to define a public port for redirection to an internal LAN IP Address. Mind that option names might be slightly different among router vendors.

Add a new virtual server pointing at your server IP address, select TCP protocol and make sure you set the port you chose in section 1, both for private (LAN) and public (Internet) mappings. Our example might look as follows:

Virtual server name: Laptop SSH
IP address: 192.168.1.29
Protocol: TCP
Internal Port: 39012
Public Port: 39012
Status: enabled

5. Dynamic DNS
If your ISP assigns your IP address dynamically (i.e. your Internet address changes every once in a while), you should get a dynamic DNS name. It's basically a domain name pointing at your current IP address, so you don't lose access to your server when its IP changes. Even if you have a fixed address, it's a good idea to have a domain name.
I personally use the Afraid Free DNS service. They have lots of domains to choose from; just sign up and create a subdomain under one of them. They will provide you with an API key; keep it handy.
By running the following command from your home network, the name server will associate or update your domain to your current IP address (make sure you have wget installed):
wget -O - "http://freedns.afraid.org/dynamic/update.php?YOUR_API_KEY_HERE"

If your new domain works, it's time to automate the process in Cron. I currently execute the update every six hours, because my IP seldom changes. Bear in mind that when your ISP changes your IP, that is theoretically the maximum time you will have no access to your network. On the other hand, running it more often will also cause your hard drive to spin up more often.

Here's my way to do it. Let root execute:
crontab -e

Create a new line at the end as follows:
31 2,8,14,20 * * * wget -O - "http://freedns.afraid.org/dynamic/update.php?YOUR_API_KEY_HERE" >> /var/log/freedns.log 2>&1 &

Don't forget to add your API key. Save changes. It will be run automatically every day at 2:31, 8:31, 14:31 and 20:31.

6. Time adjust
Did I mention it was an old laptop? Its clock is not as accurate as it should be. I also append the following line to the crontab in order to synchronize the system clock once a day:
30 20 * * * /usr/sbin/ntpdate -v ntp.nasa.gov >> /var/log/ntpdate_update.log 2>&1 &

That's all. Close the lid and leave the computer on. Your new server is up, listening for connections, and hopefully very quiet. Now it's time to test your configuration from somewhere else on the Internet.

Use your proxy!
On your real, modern laptop, we will create a local proxy which will route traffic through your server to the Internet. We are going to use port 54321 for our proxy.

The first thing you want to do is set up your browser to use the local SOCKS proxy. In Firefox go to Edit > Preferences > Advanced > Network. Manually define the way it connects to the Internet: make it use the SOCKS server at localhost on port 54321. Preferably use SOCKS v5. Your browser is now prepared to surf the web safely.

Now open your terminal as a regular user. The following command will connect, prompt for your SSH server password, and start a local SOCKS server on port 54321:
ssh -D 54321 -N -p 39012 -l username server_address

If everything is okay no output will be shown, so keep the terminal window open. You can go back to the web browser and load your favourite site.

Hints:

  • Check your IP at http://checkip.dyndns.org/ to ensure you are connected through your home network.
  • tsocks allows you to use a SOCKS server transparently on most TCP applications, even if they don't support it.
  • To improve and calculate power consumption, Powertop is a must-have tool.
  • Whenever possible, try to keep the fan clean. Don't place the laptop near heat sources.
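
The IP check from the first hint can be scripted so you can repeat it on every new network. This is an added example, not part of the original article: it assumes curl is installed on the modern laptop and that the ssh -D 54321 tunnel from "Use your proxy!" is running; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes curl is installed and
# the "ssh -D 54321" tunnel from the article is running in another terminal.
SOCKS_PORT=54321                        # local SOCKS port used in the article
CHECK_URL=http://checkip.dyndns.org/    # IP echo service named in the hints

# Read a page on stdin and print the first IPv4 address found in it.
extract_ip() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# verdict DIRECT_IP PROXIED_IP: 0 = traffic exits elsewhere, 1 = same address
# as without the proxy, 2 = nothing came back through the proxy.
verdict() {
    if [ -z "$2" ]; then
        echo "FAIL no answer through the proxy (is ssh -D still running?)"; return 2
    elif [ "$1" = "$2" ]; then
        echo "FAIL proxied address equals direct address $1"; return 1
    fi
    echo "OK   direct=${1:-unknown} proxied=$2"
}

check_tunnel() {
    direct=$(curl -s --max-time 10 "$CHECK_URL" | extract_ip)
    # --socks5-hostname hands the host name to the proxy, so the DNS lookup
    # goes through the tunnel too instead of the local (hotel) resolver.
    proxied=$(curl -s --max-time 10 --socks5-hostname "localhost:$SOCKS_PORT" \
        "$CHECK_URL" | extract_ip)
    verdict "$direct" "$proxied"
}

# Run the live check only when asked to: sh check_tunnel.sh run
if [ "${1:-}" = "run" ]; then check_tunnel; fi
```

Run it from outside your home network; from inside, the direct and proxied addresses are the same by design.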