Thread: bypass corporate webfiltering - squid proxy through ssh tunnel

  1. #1

    bypass corporate webfiltering - squid proxy through ssh tunnel

    Hi everybody,

    I was trying to follow several tutorials online about how to get around corporate proxies. My company for example is using websense to block private web access. I have squid and dropbear running on my asus and what I'm trying to do is to set up a secure ssh tunnel and use it to connect from firefox on my company PC to squid proxy on my asus at home. Since my company blocks almost all outgoing ports, I used port 443 (https) for the ssh channel (in my router I forwarded port 443 to port 22). It works like a charm.
    I also installed squid - many thanks for wpte for his help on that!
    Squid is listening to port 9091 and I forwarded port 80 to 9091, so that I can connect to squid from work. It works like a charm as well.

    Squid by itself can fool websense in some cases, so even by using the simple proxy "feature" I can visit previously blocked sites. Unfortunately not all, because websense is blind on IP filtering, but not on text filtering, since the connection between firefox and squid is not encrypted.

    My question is, how can I create a ssh tunnel to squid?

    I was trying to follow this tutorial, but I got stuck at the authentication feature of squid (without authentication, the ssh -L* command doesn't work).

    http://www.howtoforge.com/linux_secure_browsing_squid

    Any advice is greatly appreciated.

    Cheers,

    dp79

    BE AWARE: You might get fired if you get caught doing this at work!

  2. #2
    Oh, but that's easy!
    just set up putty like in the attached screenshot.

    You can add rules with the "Add" button.
    with the rules I put in the screenshot, the proxy will be hosted at 127.0.0.1 and port 9091... so it's like the service is running on your pc (but it isn't)

    You might need to accept some firewall settings on your PC, or turn them off... windows firewall usually pops up, and when accepted it works

    I can't say doing a portforward for your proxy is a good idea... in the end anyone can access it and possibly abuse it, unless you got a password on it

  3. #3
    Hi wpte!

    Thanks for your instant reply! I knew this "trick" from before, but actually it never worked for me. Can you tell me which line(s) I should fill in the firefox proxy setup window? http, ssl, ftp, gopher, socks

    Other thing... After I set up putty as you described, I assume that I have to log in to my router the usual way and I leave the session open. At least, this is what I did...

    I also checked, that localhost is enabled in squid.conf, so that is not the case here.

    Cheers,
    dp79

  4. #4
    I got it working. The Putty menu was the bastard who was fooling me. Or I was the fool, I should say.

    For others who might make the same mistake: If you set up the tunnel and then you go back to the "session" menu and log in by clicking on your saved session, this bastard disregards your entry in the "tunnel" menu and does not forward. Which actually makes sense, since you load a session without tunnel settings. So, if this is the first time you are using tunneling in Putty, save a new session and make sure that the tunnel settings are included in your saved session. To verify if port forwarding is active, click on Putty's header after log in and click on event log. This is what you should see:

    2009-08-08 22:56:03 Looking up host "192.168.3.2"
    2009-08-08 22:56:03 Connecting to 192.168.3.2 port 22
    2009-08-08 22:56:03 Server version: SSH-2.0-dropbear_0.50
    2009-08-08 22:56:03 We claim version: SSH-2.0-PuTTY_Release_0.60
    2009-08-08 22:56:03 Using SSH protocol version 2
    2009-08-08 22:56:03 Using Diffie-Hellman with standard group "group1"
    2009-08-08 22:56:03 Doing Diffie-Hellman key exchange with hash SHA-1
    2009-08-08 22:56:04 Host key fingerprint is:
    2009-08-08 22:56:04 ssh-rsa *******************************
    2009-08-08 22:56:04 Initialised AES-256 CBC client->server encryption
    2009-08-08 22:56:04 Initialised HMAC-SHA1 client->server MAC algorithm
    2009-08-08 22:56:04 Initialised AES-256 CBC server->client encryption
    2009-08-08 22:56:04 Initialised HMAC-SHA1 server->client MAC algorithm
    2009-08-08 22:56:11 Sent password
    2009-08-08 22:56:11 Access granted
    2009-08-08 22:56:11 Opened channel for session
    2009-08-08 22:56:11 Local port 9091 forwarding to 127.0.0.1:9091
    2009-08-08 22:56:11 Allocated pty (ospeed 38400bps, ispeed 38400bps)
    2009-08-08 22:56:11 Started a shell/command

    Cheers,
    dp79
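
From the network defender's side, the setup in this thread (SSH on port 443, squid reachable on port 80) shows in the first bytes of each connection: the SSH version exchange from the event log above is sent in cleartext, and a proxied browser sends an absolute URI in its request line. This is an added example, not code from any poster; the stream records, IP addresses and the `EXPECTED` port policy are constructed assumptions.

```python
import re

# RFC 4253 identification string: "SSH-<protoversion>-<softwareversion>"
SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-[\x21-\x7e]+")
# Proxy-style request line: CONNECT host:port, or an absolute URI instead of a path
PROXY_REQUEST = re.compile(rb"^(?:CONNECT \S+:\d+|[A-Z]+ https?://\S+) HTTP/1\.[01]\r?$")
ORIGIN_REQUEST = re.compile(rb"^[A-Z]+ /\S* HTTP/1\.[01]\r?$")

# Assumed egress policy: protocol each destination port is expected to carry
EXPECTED = {443: "tls", 80: "http"}


def classify(first_bytes: bytes) -> str:
    """Label a TCP stream from the first bytes sent by either endpoint."""
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    # TLS handshake record: content type 0x16, protocol major version 0x03
    if first_bytes[:2] == b"\x16\x03":
        return "tls"
    request_line = first_bytes.split(b"\n", 1)[0]
    if PROXY_REQUEST.match(request_line):
        return "http-proxy"
    if ORIGIN_REQUEST.match(request_line):
        return "http"
    return "unknown"


def policy_violations(streams):
    """Return (src, dst, dport, seen) for streams whose protocol does not fit the port."""
    hits = []
    for s in streams:
        seen = classify(s["first_bytes"])
        want = EXPECTED.get(s["dport"])
        if want is not None and seen != want:
            hits.append((s["src"], s["dst"], s["dport"], seen))
    return hits


# Constructed sample: documentation-range IPs; the SSH banner is the one in the event log above
SAMPLE_STREAMS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 443, "first_bytes": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    {"src": "192.0.2.11", "dst": "203.0.113.5", "dport": 443, "first_bytes": b"SSH-2.0-dropbear_0.50\r\n"},
    {"src": "192.0.2.11", "dst": "203.0.113.5", "dport": 80, "first_bytes": b"GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n"},
    {"src": "192.0.2.12", "dst": "198.51.100.9", "dport": 80, "first_bytes": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"},
]

if __name__ == "__main__":
    for hit in policy_violations(SAMPLE_STREAMS):
        print(hit)
```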

  5. #5
    ok, if you have something saved already, click the load button on putty first, then set the tunnel stuff.

    what you fill in at firefox:
    http
    ip: 127.0.0.1
    port: 9091

    just leave the session open from putty... and it should work.

    I have localhost enabled in squid... but it's standard in the how-to I believe

  6. #6
    ah good, you got it working
