Use SSH on pfsense for proxy at work



  • I would like to use SSH on pfsense to act as a http (or SOCKS, whatever's better, you guys are the experts) proxy server so I can get past the annoying content filter at work.  I have the putty client at work, and I can connect to my box at home with no problem.  But, I'm a little stuck here…

    I'm trying to figure out how to forward the proper ports in Putty to then allow me to set the internet explorer proxy to localhost:5000 (or whatever port).  I opened the ports on the pfsense box to allow traffic to the WAN address on port 8000 (random port, should be ok).  Then in OpenSSH I set 68.xxx.xxx.xxx:8000 (my WAN address) to forward to port 5000 locally.  However, this apparently isn't correct as internet explorer doesn't work with localhost:5000 as a http proxy (I tried it for SOCKS also in IE, same thing).

    What am I missing here? Also, someone told me I can do this with a SOCKS proxy, but I'm really not sure what I'm doing in this regard. What's the difference?

    Thanks.



  • No need to port forward anything.  Simply configure your client to use a SOCKS client.

    I haven't used putty as I do this mainly from OSX, but here is how I do it:

    ssh -C -D 7070 $PUBLIC_IP

    Then point your local SOCKS client at localhost / 7070

    This works like a breeze with OSX.

    Scott



  • I want all clients to tunnel over this? Any idea?



  • Not sure this is a good solution for multiple clients.



  • @digitalx2001:

    I would like to use SSH on pfsense to act as a http (or SOCKS, whatever's better, you guys are the experts) proxy server so I can get past the annoying content filter at work.  I have the putty client at work, and I can connect to my box at home with no problem.  But, I'm a little stuck here…

    I'm trying to figure out how to forward the proper ports in Putty to then allow me to set the internet explorer proxy to localhost:5000 (or whatever port).  I opened the ports on the pfsense box to allow traffic to the WAN address on port 8000 (random port, should be ok).  Then in OpenSSH I set 68.xxx.xxx.xxx:8000 (my WAN address) to forward to port 5000 locally.  However, this apparently isn't correct as internet explorer doesn't work with localhost:5000 as a http proxy (I tried it for SOCKS also in IE, same thing).

    What am I missing here? Also, someone told me I can do this with a SOCKS proxy, but I'm really not sure what I'm doing in this regard. What's the difference?

    Thanks.

    Why don't you just use OpenVPN?  It's built in and works marvelously for this job.

    –Bill



  • @sullrich:

    No need to port forward anything.  Simply configure your client to use a SOCKS client.

    I haven't used putty as I do this mainly from OSX, but here is how I do it:

    ssh -C -D 7070 $PUBLIC_IP

    Then point your local SOCKS client at localhost / 7070

    This works like a breeze with OSX.

    Scott

    Scott, this thread is really old, sorry for reviving it.  Do I need to NAT port 443 to the firewall's internal address first?  If I understand correctly, you won't need to have squid loaded for your above example to work?



  • This works over SSH tunneling, not via HTTPS. You have to enable SSH at System > Advanced settings and allow that port at the WAN interface.



  • @hoba:

    This works over SSH tunneling, not via HTTPS. You have to enable SSH at System > Advanced settings and allow that port at the WAN interface.

    Ok, I've done that, I've changed my SSH port on the FW to 443.  Does my rule need to reside only on the WAN interface, or does it need to forward somewhere?

    Also, using putty, will I need to specify some settings in the Tunnel section, or the Proxy section?



  • You just need a firewall rule to allow the connection at WAN. No port forward. For further reference see http://forum.pfsense.org/index.php/topic,1298.0.html



  • This is just a suggestion, but if you are going to open up your firewall to the world via port 22, you should probably use key-based authentication and disable all password auth. This will make things much, much safer.



  • You can use a custom port for this, not 22. Also note that we run a script behind the scenes that will block brute-force attacks against SSH.

    Also our head code already has more SSH options to further customize the settings.
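    The last two posts (key-based auth only, no password auth, a non-default port) and the earlier doubt about using one SOCKS tunnel for multiple clients both come down to checks you can script. The following POSIX sh is an added example, not code from the thread or from pfSense: it audits a constructed sshd_config excerpt for the settings those posts recommend, and checks whether the argument you would give `ssh -D` keeps the SOCKS listener on loopback (ssh binds a bare port to loopback; an empty or `*` bind address exposes it on all interfaces, which is what would let other LAN hosts use the tunnel without authenticating). The file path, port 443 and the config contents are assumptions for the sample.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd hardening before exposing it
# on the WAN for SOCKS tunnelling, and check that the ssh -D listener stays on
# loopback. The sshd_config below is a constructed sample (port 443 as the
# poster chose; any non-default port works the same way).

SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config excerpt
#Port 22
Port 443
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF

# sshd_option FILE KEYWORD: print the effective value. sshd uses the first
# uncommented occurrence of a keyword, so stop at the first match.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE: return 0 when the config is safe to expose, 1 otherwise,
# printing one line per finding.
audit_sshd() {
    cfg=$1
    rc=0
    if [ "$(sshd_option "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "finding: PasswordAuthentication is not 'no' (passwords can be brute-forced)"
        rc=1
    fi
    if [ "$(sshd_option "$cfg" ChallengeResponseAuthentication)" != "no" ]; then
        echo "finding: ChallengeResponseAuthentication is not 'no' (another password path)"
        rc=1
    fi
    if [ "$(sshd_option "$cfg" PubkeyAuthentication)" = "no" ]; then
        echo "finding: PubkeyAuthentication is disabled"
        rc=1
    fi
    port=$(sshd_option "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "finding: sshd listens on the default port 22"
        rc=1
    fi
    return $rc
}

# socks_listener_is_local ARG: given the argument you would pass to ssh -D
# ("7070", "localhost:7070", "0.0.0.0:7070", "[::1]:7070"), return 0 when the
# SOCKS listener is confined to loopback, 1 when other hosts could reach it.
# A bare port is bound to loopback; an empty bind address or '*' means all
# interfaces (per the ssh(1) description of -D).
socks_listener_is_local() {
    case $1 in
        *:*) addr=${1%:*} ;;
        *)   return 0 ;;
    esac
    case $addr in
        localhost|127.0.0.1|'[::1]') return 0 ;;
        *)                           return 1 ;;
    esac
}

# Stand-alone run: audit the sample and check the listener from the thread.
if audit_sshd "$SAMPLE_CFG"; then
    echo "sshd_config: keys only on port $(sshd_option "$SAMPLE_CFG" Port), ok to allow at WAN"
fi
socks_listener_is_local "7070" && echo "ssh -C -D 7070: SOCKS listener is loopback-only"
```

    Run it against the real `/etc/ssh/sshd_config` by passing that path to `audit_sshd` instead of the sample. On pfSense the SSH port and key-only setting come from System > Advanced, so the audit doubles as a check that the GUI change actually landed in the generated config.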

