Netgate Discussion Forum

Use SSH on pfsense for proxy at work

    digitalx2001
    last edited by Aug 10, 2006, 3:25 PM Aug 10, 2006, 2:58 PM

    I would like to use SSH on pfSense to act as an HTTP (or SOCKS, whatever's better, you guys are the experts) proxy server so I can get past the annoying content filter at work. I have the PuTTY client at work, and I can connect to my box at home with no problem. But, I'm a little stuck here…

    I'm trying to figure out how to forward the proper ports in PuTTY to then allow me to set the Internet Explorer proxy to localhost:5000 (or whatever port). I opened the ports on the pfSense box to allow traffic to the WAN address on port 8000 (random port, should be OK). Then in OpenSSH I set 68.xxx.xxx.xxx:8000 (my WAN address) to forward to port 5000 locally. However, this apparently isn't correct, as Internet Explorer doesn't work with localhost:5000 as an HTTP proxy (I tried it for SOCKS also in IE, same thing).

    What am I missing here? Also, someone told me I can do this with a SOCKS proxy, but I'm really not sure what I'm doing in this regard. What's the difference?

    Thanks.

      sullrich
      last edited by Aug 10, 2006, 4:53 PM

      No need to port forward anything. Simply configure your client to use a SOCKS client.

      I haven't used PuTTY as I do this mainly from OSX, but here is how I do it:

      ssh -C -D 7070 $PUBLIC_IP

      Then point your local SOCKS client at localhost / 7070

      This works like a breeze with OSX.

      Scott

        jola
        last edited by Aug 10, 2006, 5:20 PM

        I want all clients to tunnel over this? Any idea?

          sullrich
          last edited by Aug 10, 2006, 7:09 PM

          Not sure this is a good solution for multiple clients.

            billm
            last edited by Aug 20, 2006, 2:03 PM

            @digitalx2001:

            I would like to use SSH on pfSense to act as an HTTP (or SOCKS, whatever's better, you guys are the experts) proxy server so I can get past the annoying content filter at work. I have the PuTTY client at work, and I can connect to my box at home with no problem. But, I'm a little stuck here…

            I'm trying to figure out how to forward the proper ports in PuTTY to then allow me to set the Internet Explorer proxy to localhost:5000 (or whatever port). I opened the ports on the pfSense box to allow traffic to the WAN address on port 8000 (random port, should be OK). Then in OpenSSH I set 68.xxx.xxx.xxx:8000 (my WAN address) to forward to port 5000 locally. However, this apparently isn't correct, as Internet Explorer doesn't work with localhost:5000 as an HTTP proxy (I tried it for SOCKS also in IE, same thing).

            What am I missing here? Also, someone told me I can do this with a SOCKS proxy, but I'm really not sure what I'm doing in this regard. What's the difference?

            Thanks.

            Why don't you just use OpenVPN?  It's built in and works marvelously for this job.

            –Bill

            pfSense core developer
            blog - http://www.ucsecurity.com/
            twitter - billmarquette

              Sifter
              last edited by Mar 17, 2007, 6:27 PM

              @sullrich:

              No need to port forward anything. Simply configure your client to use a SOCKS client.

              I haven't used PuTTY as I do this mainly from OSX, but here is how I do it:

              ssh -C -D 7070 $PUBLIC_IP

              Then point your local SOCKS client at localhost / 7070

              This works like a breeze with OSX.

              Scott

              Scott, this thread is really old, sorry for reviving it. Do I need to NAT port 443 to the firewall's internal address first? If I understand correctly, you won't need to have squid loaded for your above example to work?

                hoba
                last edited by Mar 17, 2007, 6:30 PM

                This works over ssh tunneling, not via https. You have to enable ssh at your system>advanced settings and allow that port at the WAN Interface.

                  Sifter
                  last edited by Mar 17, 2007, 6:40 PM

                  @hoba:

                  This works over ssh tunneling, not via https. You have to enable ssh at your system>advanced settings and allow that port at the WAN Interface.

                  OK, I've done that, I've changed my ssh port on the FW to 443. Does my rule need to reside only on the WAN interface, or does it need to forward somewhere?

                  Also, using putty, will I need to specify some settings in the Tunnel section, or the Proxy section?

                    hoba
                    last edited by Mar 17, 2007, 7:08 PM

                    You just need a firewall rule to allow the connection at WAN. No port forward. For further reference see http://forum.pfsense.org/index.php/topic,1298.0.html

                      magikman
                      last edited by Mar 19, 2007, 7:54 AM

                      This is just a suggestion, but if you are going to open up your firewall to the world via port 22, you should probably use key-based authentication and disable all password auth. This will make things much, much safer.

                        hoba
                        last edited by Mar 19, 2007, 12:18 PM

                        You can use a custom port for this, not 22. Also note that we run a script behind the scenes that will block brute-force attacks against ssh.

                        Also our head code already has more ssh options to further customize the settings.
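
An added example, not part of any post above and not pfSense code: a small audit of an `sshd_config` for the points magikman and hoba raise (password auth off, key auth on, which port is listening), plus whether the TCP forwarding that `ssh -D` relies on is permitted. The function names, the sample config and the default values are assumptions; the parser follows OpenSSH's rule that the first value read for a keyword is the one used.

```python
# Defaults assumed from current OpenSSH; older releases may differ.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "allowtcpforwarding": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")

# Constructed sample, not taken from a real system.
SAMPLE = """\
Port 443
PubkeyAuthentication yes
PasswordAuthentication no
# A later duplicate is ignored: sshd keeps the first value it reads.
passwordauthentication yes
Match User backup
    PasswordAuthentication yes
"""

def effective_settings(text):
    """Return (global settings, [(keyword, value)] set inside Match blocks)."""
    settings, ports, in_match_values, in_match = {}, [], [], False
    for raw in text.splitlines():
        # Keyword and value are separated by whitespace or a single '='.
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip()
        if key == "match":
            in_match = True                  # lasts until the next Match or EOF
        elif in_match:
            in_match_values.append((key, value))
        elif key == "port":
            ports.append(value)              # Port may be given more than once
        else:
            settings.setdefault(key, value)  # first occurrence wins
    cfg = {**DEFAULTS, **settings, "port": ports or ["22"]}
    return cfg, in_match_values

def findings(text):
    """List settings that leave password logins or forwarding open."""
    cfg, in_match_values = effective_settings(text)
    out = [f"{k} is not 'no'" for k in PASSWORD_KEYS if cfg[k] != "no"]
    if cfg["pubkeyauthentication"] != "yes":
        out.append("pubkeyauthentication is disabled")
    if cfg["allowtcpforwarding"] != "no":
        out.append("TCP forwarding allowed (what ssh -D relies on)")
    out += [f"Match block sets {k} {v}" for k, v in in_match_values
            if k in PASSWORD_KEYS and v != "no"]
    return out
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing a config file offline.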
