Why set up a personal proxy?
There are several reasons that you may want to use a proxy. For me it’s knowing that my traffic is secure on a network I know nothing about like a hotel or coffee shop. There are a number of public proxy sites out there but they may be slow or if you are trying to get around web filtering they get frequently blocked by your system admin. (Or at least they should). These reasons may include bypassing content filtering or blocked sites, anonymity, personal security, or caching sites.
What you’ll need
o An SSH server to act as your proxy.
I’m using a pfsense box at home so I have SSH enabled and the port forwarded though the NATed firewall. Setting up a SSH server is beyond the scope of this blog post but it is fairly easy and a quick google search will help. Windows users can set up OpenSSH with Cygwin. Here’s more on installing the free OpenSSH with Cygwin.
o A SSH client on the computer you’re using.
I’m going to be using Putty in Windows but Mac and *nix machines have SSH built right in at the command line.
Configure putty and save the details
Open Putty and go to SSH->Tunnels under the Category window. Add a port under “Source port” this can be any port you wish to use. In this example I am using 2626. This is the port that the tunnel with connect to on the other side of the proxy.
Set the Destination as 127.0.0.1 (local host)
Set the radio buttons to “Dynamic” and “Auto” then click the “add” button. This should now show up as “D2626” under the “forwarded ports” section of the screen.
Once that is set up click on “Session” on the Category section and set the connection information. If you want the connection to remember your username for authentication to the SSH tunnel use something like this.
Make sure the port is set to “22” (or whatever port you have set up for SSH at the remote location of your SSH server. Then select the SSH radio button.
I recommend that you name the session and save it as well.
Configure web browser to use proxy
The next step is to configure the web browser that you will be using to send all those encrypted packets through your tunnel. In this example I will be using Firefox. I chose firefox because of its ability to easily install plugins and that you can set it up to fully prevent DNS leaks (More on this in a bit).
First, Open Firefox and make a note of you public IP address by going to go to http://whatismyip.com in your browser. This should be something like 126.96.36.199. You will need to know what this is later so that you can prove that your traffic is going through your proxy.
From the menu bar go to Tools->Options then Advanced and click the “settings” button under “Connection”
On the “Connection Settings” window, click the “Manual proxy configuration” radio button and set the following settings shown below.
Click the “OK” button.
Alternatively you can set up a plugin for proxies I recommend “foxy proxy”. This would give you the ability to toggle the proxy settings without going through all the browser configuration steps each time you want to connect to your proxy server.
Configure the Web Browser to Prevent DNS Leaks
DNS or “Domain Name System” in a protocol that resolves IP addresses to website name that we as humans can more easily remember. For example google.com resolves to 188.8.131.52.
Unfortunately, even though we configured the browser to use our proxy for http traffic, DNS requests are still made locally and this information can still be seen on the untrusted network that you are connecting from. This is known as DNS leaking. To be completely anonymous on the local network we need to force these request go out SSH tunnel. After all, privacy is the point here, right?
To do this we need to make a few more changes in our browser.
- Go to the Firefox address bar and type in about:config and hit enter
- Press “I’ll be careful, I promise!” to dismiss the warning about changing settings
- Search for “network.proxy.socks” to narrow down the available options
- Double Click “network.proxy.socks_remote_dns” to change its value to “true“
Changes take effect immediately and you can now close the tab, secure in the knowledge that your DNS requests are not bypassing the SSH tunnel.
FYI, at the time of this writing, there is no way to secure DNS leaks in Internet Explorer.
Connect to your Proxy
Now after all that it’s time to enjoy the fruits of your labor and connect to your shiny, new, proxy.
Open up putty (you should have the connection saved) and connect. You may will still be prompted for a password. Once connected you should see something similar to what is shown below.
Once connected to the proxy through the tunnel go to http://whatismyip.com . If the IP is different then what you noted earlier then congrats your packets are encrypted and are being bounced off your trusted remote network. All is secure and anonymous, at least from the viewpoint of you untrusted local network.
Prove that packets are encrypted and DNS is forced through the tunnel with Wireshark.
Just in case you are still paranoid, you can prove that everything is working with a tool called Wireshark. Using this tool is beyond the scope of this post but below is a screenshot I took for myself to prove that this worked. (I removed the source and destination columns for security reasons)
As you can see these packets are clearly encrypted. There were no DNS request to filter because they are seen as SSH packets and you can’t see them.