Chances are, your school or work has a proxying system in place to filter web traffic. Where I work we use a pair of appliances made by Bluecoat to block requests to certain websites. Don't get me wrong; these systems are definitely a smart idea in a business, but quite frankly I like to visit whatever websites I want (within reason) regardless of where I am. Lately, I've been planning a bullpup SKS build (google it if you don't know what that is) but, as expected, gun sites are blocked when I'm at work. SSH tunneling to an outside connection fixes this problem! Another very popular use for SSH tunneling is to securely access another network, such as your home network. Coincidentally, these are the two main reasons I use SSH tunneling while I'm at work.
So what is SSH tunneling? I'm glad you asked. First, let's look at what SSH is. SSH stands for Secure SHell, which is the very popular (de facto, rather) method for managing *NIX-based systems remotely. If you work with *NIX in any way, then you will be using SSH at some point. Tunneling over SSH is exactly what it sounds like: creating an end-to-end connection over SSH. In my scenario, that connection runs from my work computer to a server on my home network running Squid. Squid is a web caching proxy, which is great for medium to large networks, but Squid is also the best tool to terminate an SSH tunnel at, effectively using it as an alternative proxy. I use PuTTY to create my SSH tunnel to my Squid server, and I use a Chrome extension called Proxy SwitchySharp, which uses rules to determine which proxy address to use.
To recap at a high level: a Squid server runs on your home network, PuTTY runs on your work computer, you create an SSH tunnel with PuTTY from your work computer to your Squid server at home, and you configure the appropriate proxy settings. Got it?
Installing Squid
Installing Squid is actually very easy. Configuring Squid is also quite easy.
This guide is assuming you are using CentOS 6.x, iptables is disabled, and SELinux is disabled. This is not recommended, so please take the proper steps to configure iptables and enable SELinux once your Squid server is up and running.
Let's get started!
yum -y install squid
chkconfig squid on
That's all it takes to install Squid and have it start at boot.
To configure Squid, let's edit the config:
vi /etc/squid/squid.conf
This is the heart and soul of Squid; this file decides who can access Squid and how. Squid, as expected, uses ACLs (Access Control Lists) to control access. :)
This is what my config looks like. Edit to fit your needs.
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localnet
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
Take note of:
acl localnet src 192.168.0.0/16 # edit this to your local subnet; this src ACL controls which client addresses on your network are allowed to use Squid.
http_port 3128 # this is the port squid is running on.
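As an added illustration (not part of the original post and not Squid's own code), the following Python script applies Squid's http_access semantics to the ACL section above: the first rule whose terms all match wins, a leading "!" negates a term, and when no rule matches the opposite of the last rule's action applies. It embeds a copy of the page's ACL rules ending in "deny all" and a second copy ending in "allow all", then evaluates constructed requests against both. The client addresses 203.0.113.5 and 192.168.1.20 and the destination address are made-up samples. The tunnelled browser reaches Squid as 127.0.0.1, so "allow localhost" already covers it, while a final "allow all" would accept any host that can reach port 3128.

```python
import ipaddress

# ACL and http_access lines as shown on this page (constructed copy, ending in
# "deny all", the safe form of the final rule).
SQUID_CONF = """
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access allow localnet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Same policy but ending in "allow all": every client that can reach the port
# is accepted, i.e. an open proxy.
OPEN_CONF = SQUID_CONF.replace("http_access deny all", "http_access allow all")


def parse_conf(text):
    """Collect acl definitions and http_access rules; ignore all other directives."""
    acls = {"all": [("all", [])]}  # "all" is a Squid built-in that matches everything
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            # Several "acl NAME type ..." lines with the same NAME are OR-ed together
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules


def acl_matches(name, req, acls):
    """True if any definition line of acl NAME matches the request."""
    for kind, values in acls[name]:
        if kind == "all":
            return True
        if kind in ("src", "dst"):
            addr = ipaddress.ip_address(req["src"] if kind == "src" else req["dst"])
            for v in values:
                net = ipaddress.ip_network(v, strict=False)
                if addr.version == net.version and addr in net:
                    return True
        elif kind == "port":
            for v in values:  # single port "443" or range "1025-65535"
                lo, _, hi = v.partition("-")
                if int(lo) <= req["port"] <= int(hi or lo):
                    return True
        elif kind == "method":
            if req["method"].upper() in {v.upper() for v in values}:
                return True
        elif kind == "proto":
            if req["proto"] in values:
                return True
    return False


def decide(conf_text, src, port=80, method="GET", dst="198.51.100.10", proto="http"):
    """Return True (allow) or False (deny) the way Squid evaluates http_access."""
    acls, rules = parse_conf(conf_text)
    if not rules:
        return False  # no http_access lines at all: Squid denies
    req = {"src": src, "dst": dst, "port": port, "method": method, "proto": proto}
    last_allow = False
    for allow, terms in rules:
        last_allow = allow
        # every term must match; "!term" matches when the acl does not
        if all(acl_matches(t.lstrip("!"), req, acls) != t.startswith("!") for t in terms):
            return allow
    return not last_allow  # nothing matched: opposite of the last rule's action


if __name__ == "__main__":
    for label, conf in (("deny all", SQUID_CONF), ("allow all", OPEN_CONF)):
        for client in ("127.0.0.1", "192.168.1.20", "203.0.113.5"):
            verdict = "allow" if decide(conf, client) else "deny"
            print(f"final rule {label:9s} src={client:13s} -> {verdict}")
```

Running it shows the tunnel's own requests (source 127.0.0.1) allowed under both variants, while the outside sample address is only stopped by the "deny all" ending. It also shows that because "allow localnet" appears before "deny manager", hosts on the local subnet match that first rule for cache manager requests too.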
Let's restart Squid so our new settings take effect:
/etc/init.d/squid restart
That's it for setting up Squid (to use for SSH Tunneling, at least). We also have to set up SSH for external access, and SSH is probably already installed, but not running. So let's take care of that...
vi /etc/ssh/sshd_config
Find the line that says #Port 22 and change that to what port you want to run it on. I use port 80 because that's one of the few ports that are open outbound where I work (alternatively, you can keep SSH running on port 22 and use PAT on your gateway device to a different external port).
Port 80
Now let's start SSH and set it to start on boot.
chkconfig sshd on && /etc/init.d/sshd start
SSH is now running, and our server setup is done!
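From the other side of the wire, an SSH session on TCP port 80 is still recognisable: both ends start by sending an RFC 4253 identification string ("SSH-2.0-...") rather than an HTTP request line or a TLS record. The following Python script is an added example (not from the post) of the check an egress monitor can make: classify the first payload bytes of each flow and flag any whose protocol does not match what its destination port is expected to carry. The flow records, client addresses and software version strings are constructed samples, and the classifier is a heuristic on leading bytes only.

```python
import re

# RFC 4253 identification string: "SSH-protoversion-softwareversion SP comments CR LF".
SSH_ID = re.compile(rb"^SSH-(?:2\.0|1\.99|1\.[35])-\S+")
HTTP_REQUEST = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
# TLS record header: content type 0x16 (handshake) followed by a record version.
TLS_VERSIONS = (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03")

# Application protocol that egress policy expects on each permitted port
# (assumed policy for this example).
EXPECTED = {80: "http", 443: "tls", 22: "ssh"}


def classify(first_bytes):
    """Guess the application protocol from the first bytes one side sent."""
    if SSH_ID.match(first_bytes):
        return "ssh"
    if HTTP_REQUEST.match(first_bytes) or HTTP_RESPONSE.match(first_bytes):
        return "http"
    if first_bytes[:1] == b"\x16" and first_bytes[1:3] in TLS_VERSIONS:
        return "tls"
    return "unknown"


def audit(flows):
    """Return (client, dport, observed protocol) for each flow whose protocol
    does not match what its destination port is supposed to carry."""
    findings = []
    for f in flows:
        # Prefer the server's first bytes (SSH servers and HTTP servers both
        # identify themselves); fall back to the client's if that is unknown.
        observed = classify(f["s2c"])
        if observed == "unknown":
            observed = classify(f["c2s"])
        expected = EXPECTED.get(f["dport"])
        if expected is not None and observed != expected:
            findings.append((f["client"], f["dport"], observed))
    return findings


# Constructed flow records: the first payload bytes in each direction, as a
# network tap or proxy log might record them.
SAMPLE_FLOWS = [
    {"client": "10.1.2.3", "dport": 80,
     "c2s": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     "s2c": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"},
    {"client": "10.1.2.4", "dport": 443,
     "c2s": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
     "s2c": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"},
    {"client": "10.1.2.5", "dport": 80,
     "c2s": b"SSH-2.0-PuTTY_Release_0.70\r\n",
     "s2c": b"SSH-2.0-OpenSSH_5.3\r\n"},
    {"client": "10.1.2.6", "dport": 443,
     "c2s": b"",
     "s2c": b"SSH-2.0-OpenSSH_5.3\r\n"},
]


if __name__ == "__main__":
    for client, dport, proto in audit(SAMPLE_FLOWS):
        print(f"{client} -> tcp/{dport}: observed {proto}, expected {EXPECTED[dport]}")
```

Against the sample flows, the two plain HTTP and TLS sessions pass and the two SSH sessions on ports 80 and 443 are reported; a monitor that only trusts port numbers would have seen nothing unusual.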
We are now ready to grab PuTTY to run on our work computer. Another prerequisite you may want to take care of is setting up a Dynamic DNS service (such as No-IP or DynDNS) so you don't have to remember your external IP, which will likely change (assuming you don't have a static IP).
Launch PuTTY from your work computer, and create a new session that we will save. Under the Session settings, enter your Host Name, SSH port (80, for me) and enter a name for the session and click Save. Should look something like this:
Under the Connection settings, change the keepalive time to 300 seconds, and check the box for "Enable TCP keepalives". These settings will prevent the Tunnel from disconnecting when it's idle.
Lastly, expand the SSH settings and click Tunnels. Here you will need to set your source port (3128 by default) and the Destination should be set to "localhost:3128" so your settings should look like this:
Now go back to the Connection tab, and click save again. Click Open and you should be asked to authenticate your SSH connection. I'm using root for this example, but you probably want to create a new user on your Squid box to use for SSH Tunneling.
Once you authenticate, you have an SSH tunnel successfully established. To quickly test things, open IE, enable a proxy and set it to localhost:3128. It should look something like this:
Try to load any website. If it loads, then you are successfully tunneling HTTP traffic through your Squid server! Try to visit a website that is normally blocked by your workplace proxy, such as KimberAmerica.com. You should no longer see proxy block messages!
A tip I'd like to share is a Chrome extension called Proxy SwitchySharp. I use Chrome for 99% of my web browsing, and I didn't want to deal with syncing bookmarks to a separate browser that had a proxy statically set. Using Proxy SwitchySharp I can enable "Auto Switch Mode" and set rules to decide whether an HTTP request should be a direct connection or proxied through my SSH tunnel/Squid setup. With this in place, and with my SSH tunnel connection auto-launching at login, I have a 100% seamless browsing session and can access my usual sites without worrying about being denied or about my website requests being logged. I can also easily access services running on my home network (such as SABnzbd, SickBeard, SubSonic, Bliss, etc.) without forwarding those ports on my WAN interface. Proxy SwitchySharp allows the use of a web-delivered config file, so I don't have to set all my rules on each of my computers. This is what my config looks like in SwitchySharp:
Feel free to browse my current rule list here
Go ahead, give it a try and let me know how things are working for you!