Setting up a proxy server at home

Why would you want a secure proxy server on your home machine?
There are several good reasons for a setup like this. The primary purpose is to encrypt your network traffic. You may want to hide your browsing or chatting from your employer OR something as benign as not wanting people to see your passwords when connected to a hotspot at your local $tarbuck$. When you are browsing through your home proxy server, whoever is 'sniffing' your network traffic can only see lots of random packets going to your home machine. Due to the nature of these programs, you should only set this up if you have a broadband router or other NAT device in front of your home network.

The following pre-requisites will make things a lot easier:
  • Know your home machine's external IP address. For this, you'll need either a static IP address from your ISP *or* have a dynamic DNS client installed. For testing purposes, you can view it via http://www.whatismyip.com.
  • Give your home workstation a static IP address on your home network. Open up a command prompt and type 'ipconfig /all' and note the current IP address, gateway, and DNS servers. Assign your computer a static IP address that is 50 more than its current dynamic IP (that's a safe bet since most home networks would never have >50 devices connected to it, even if the broadband router has a DHCP scope larger than that). Use the existing gateway & DNS servers.
  • Know that your mom goes to college


Doing this involves four steps:
  • Installing an SSH server on your home machine. SSH is an encrypted version of telnet which also allows a function called port forwarding. It's this port forwarding that allows you to redirect your network traffic through this proxy. SSH will also function as your authentication mechanism, keeping random people from being able to use your machine as a proxy.
  • Installing an HTTP/SOCKS5 proxy server on your home machine.
  • Opening up the SSH port on your home firewall AND in WindowsXP's firewall (if it exists).
  • Installing an SSH client with the appropriate port forwarding settings on your client machine (work machine, laptop, etc).
  • Configuring each application to talk through the proxy


Step 1: Installing an SSH server on your home machine


  • Download and install the SSHWindows installer from Sourceforge: http://sourceforge.net/project/showfiles.php?group_id=103886&package_id=111688, accepting all defaults.
  • Open up a command prompt (start > run > cmd) and type the following:
    cd\program files\openssh
    mkgroup -l >> etc\group
    mkpasswd -l -u %username% >> etc\passwd
    net start opensshd
    
    That will create a local ssh user group and give the current logged in user the ability to log in (the password will be the same as your windows login password - if it's blank, change it to something harder!). It will then start the ssh server service.


Step 2: Installing SpoonProxy, a Windows proxy server

  • Download spoonproxy: http://www.pi-soft.com/spoonproxy/index.shtml. It costs $19 for a 1-user home license, but there is a 30-day trial.
  • Launch spoonproxy: Start > All Programs > Spoonproxy > spoonproxy. Spoonproxy's default configuration works just fine, so just minimize it.


Step 3: Opening up ports in Windows firewall & your broadband router

  • If windows XP firewall is enabled, you need to open up the incoming SSH port. To do this, right-click on My Network Places and choose Properties. Now right-click on your primary network card and choose properties. Go to the Advanced tab and click on Settings under windows firewall. Click on the Exceptions tab and then 'Add Port'. Name: ssh Port number: 22 (TCP). Click OK, OK, OK.
  • Now you must open up the port on your broadband router. Most broadband routers have a web interface for this. I can't walk you through it because it's slightly different on every system. You want to forward external port 22 to port 22 on the (internal) IP address of your home computer.


Step 4: Installing puTTy, a Windows SSH client on your work computer or laptop

  • Download puTTy: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe.
  • puTTy is a free SSH client that is a single executable; there is nothing to install. Save puTTy.exe to your desktop.
  • Double-click on puTTy. First, scroll down the left column to Connections > SSH > Tunnels. From here, you need to add three ports to be forwarded. For Source Port, enter 80. For Destination, type localhost:8080, then click on Add.
    Do the same for the other two forwards: 443, localhost:8081 & 1080, localhost:1080. This forwards http, https, and socks-5.



  • Now, go up to the top and click on Session. Under "host name or IP address", enter your home computer's external IP address or dynamic DNS name. Under 'saved sessions', type in "SSH home" and click on Save. This will save these connection settings for every time you want to connect to your home machine.



    To connect, click on Open. You should be asked to accept the SSH certificate (choose 'Accept & Save'). Login using your home windows computer's login and password. You should then see a command prompt. You are now connected and set up to tunnel traffic - you can now minimize (don't close) puTTy. This session must remain open to proxy your web traffic.


Step 5: Configuring applications to go through the tunnel

  • Firefox: I recommend configuring one browser (such as firefox) to always go through the proxy, leaving your other browser to browse your corporate intranet (or access sites that you do not wish to proxy). Alternatively, you can simply tell firefox for which URLs to not use the proxy. In Firefox, go to Tools > Options > General > Connection Settings. Set up the HTTP and SSL connections as seen here:



    You should now be browsing through your home machine. Remember, the speed will be limited to your home machine's upstream connection (since your home machine is essentially downloading the web page then re-uploading it to you). If you wish to test that it's working, close puTTy. You should now be unable to browse the 'net.

    AIM and Yahoo both support SOCKS5 proxying. Simply go into the connection settings and enable socks5 proxying... server = localhost port = 1080 (default).
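    As an added example (not part of the original tutorial), here is a small Python check to run on the client machine before trusting an application's proxy settings. It confirms that the three local listeners from Step 4 are up and that port 1080 really answers as SOCKS5 through the tunnel. It assumes the port numbers used above and a Python 3 interpreter on the client; the function names are illustrative.

```python
import socket

# Local listeners created by the PuTTY tunnel settings in Step 4.
FORWARDS = {"http": 80, "https": 443, "socks5": 1080}

def port_open(host, port, timeout=3.0):
    """True if something accepts TCP connections on host:port.
    For a PuTTY forward this only proves PuTTY is listening locally."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def socks5_ok(host="127.0.0.1", port=1080, timeout=3.0):
    """Send a SOCKS5 greeting (RFC 1928) and check for a SOCKS5 reply.
    The reply has to come from the proxy at home, so success shows the
    tunnel and the proxy behind it are both answering."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\x05\x01\x00")  # VER=5, one method offered: 0 = no auth
            while len(reply) < 2:       # method-selection reply is 2 bytes
                chunk = s.recv(2 - len(reply))
                if not chunk:
                    break
                reply += chunk
    except OSError:
        return False
    return len(reply) == 2 and reply[0] == 5

def tunnel_status(host="127.0.0.1", forwards=FORWARDS):
    """Map each forward name to up/down, plus the SOCKS5 handshake result."""
    status = {name: port_open(host, p) for name, p in forwards.items()}
    status["socks5_handshake"] = socks5_ok(host, forwards["socks5"])
    return status

if __name__ == "__main__":
    for name, ok in tunnel_status().items():
        print(f"{name:18} {'up' if ok else 'DOWN'}")
```

    If the listeners show up but the handshake fails, PuTTY is running but the SSH session or the proxy on the home machine is not answering.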

Done!


All you have to do is launch puTTy and connect to your home machine whenever you wish to securely browse.

Comments

Pretty Sweet

Pretty cool tutorial. I may need to get a proxy set up for me though

Minor Suggestions

First, THANKS. This is exactly what I've been looking for. In your instructions above, "cd\program files\openssh" should be "cd\program files\openssh\bin". Also, it would probably be a Good Idea to create a non-Admin account to connect to remotely (maybe "sshuser" or "luser" ;-), in which case you'd need to "mkpasswd -l -u sshuser >> etc\passwd". You'll have to log into it once locally, first, before it'll work remotely. You might suggest using http://www.whatismyip.com to test that you're actually using the SSH tunnel and the proxy server (it should show your home IP, rather than the IP you're browsing from). SpoonProxy site says "So, for a small two machine home network, SpoonProxy is basically free." Sweet. Fx also has several usable proxy-switching add-ons, such as FoxyProxy. Users should also keep in mind that the cache on the client machine may end up containing things you would not like found on your work machine. Hopefully this will be used to get to a site linked from places like /. or Deal Sites that are blocked for something lame like Web Banners. Again, many thanks!

Correction Correction

Actually "cd\program files\openssh" then "bin\mkgroup -l >> etc\group" & "bin\mkpasswd -l -u %username% >> etc\passwd"

Firefox Proxy Add-ons

Just installed Fx Quick Proxy & Show MyIP. Quick Proxy is just the basics: Turn the proxy on/off. Show MyIP confirms I'm going through my proxy server.

verification?

Hi, I have attempted your setup Kristopher and I think it is awesome. I installed and set up everything and even got putty to connect to my remote computer at home, and I can browse my home computer via the cmd-like prompt of putty... The only issue now is that when I configure firefox to go thru my proxy it just says connection timed out. The task bar at the bottom gives the indication that my browser is never even connecting with the website. I just get a "connecting to ..." notification. So either my spoonproxy is set up wrong, I misconfigured my port forwarding, or what? I then installed freecap on my client machine at work and it opens firefox fine and webpages connect, but is there a way to verify that it is going remotely thru my SSH tunnel and not using the company's proxy server?

I can't seem to

Connect using my main PC... it says connection timed out AND I can't type in a password into Putty when it asks for it :( and it won't go through if I set it not to have a password and press enter... says access denied

SOCKS5 connections

I set up the Proxy server as described and noticed after about an hour I had 7 different connections from different IP addresses. I am using CCProxy. Does anyone have an idea about what that means? Is someone scanning and using my proxy machine? thanks for any input..

Microsoft Windows XP

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Jason>cd\program files\openssh

    C:\Program Files\OpenSSH>mkgroup -l >> etc\group
    2 [main] ? 3068 _dll_crt0: internal error: couldn't determine location of thread function on stack. Expect signal problems.

What am I doing wrong? Thanks

The problem is with SSH, it

The problem is with SSH, it doesn't install without errors, so it has nothing to do with your tutorial.

I went with php proxy instead

Gaming

Is there a way that I can forward ports or something so that I can play games (Call of duty 4) online? I have set this up but am unable to connect to servers. Cod4 uses the port 28960. Is there any way I can open it up or something?

About gaming. I used this

About gaming. I used this guide in the beginning of my tunneling career. I was restricted at work and I wanted to play wow.

It is very good and simple. But I did some more research about tunneling and I came up with a great tool. It's Tunnelier and WinSSHD, both software from Bitvise. WinSSHD is the server itself and Tunnelier is the client, like putty.

Tunnelier is free to use but WinSSHD you have to purchase after 30 days.

For gaming you might want to look up a tool called Freeproxy. It socks your application.

I don't have the programs available atm, but if someone does reply to my comment I will take some time and tell exactly how to. But I will explain some of how to do it. It doesn't take a rocket scientist to set it up, but it can be a bit tricky at the start, especially when you don't know what to do.

What you need is.

A server

1. setup a password

2. Install Winsshd or openSSH

optional config:

1. Open the run command from the start menu and type in Control userpasswords2 and uncheck the "User must use his password when starting windows" or what it says.

2. Create an account at www.no-ip.org and download their software so you can always connect to your server even if it is connected to the internet with a dynamic IP.

3. If you, like me, use XP Pro on your server (I know Win XP isn't the best to use on a server, but there are so many programs that I like to have running on the server that aren't developed for any other platform) you might want to open up the TCP connection limit with http://www.lvllord.de/?lang=en&url=downloads the XPSP2 TCP Patcher, since I use the server computer to download a lot of torrents.

4. Set up a schedule to reboot the server once a week during off-peak hours. It takes about 1min to reboot the PC. Make a schedule and type in the command line "Shutdown.exe /r /d p:2:4"

5. Install the www.logmein.com software, a great tool to remotely control your server. Even if there is remote control software in the WinSSHD bundle you might find this more handy.

Client side

1. Install the client, Putty or Tunnelier. I prefer Tunnelier since you can configure it to run without you even having to know or bother, and I like the SFTP client that is built in; since I DL a lot of torrents at the server, I like to DL the torrents to work in a complete DL. And I prefer putty when doing a lot of testing.

2. Here is the major change for gamers: install Freecap http://www.freecap.ru/eng/. In Freecap you can SOCKS any program through the tunnel that you have created. Open up the configuration inside Freecap. Go to File>Settings and in the "Proxy Settings" tab enter localhost as the "Default Proxy server" and check that SOCKS v5 is chosen.

3. Add the program file that you want to use and start it in the Freecap window. And voila, you have now bypassed firewalls and other things to play some online games.

SocksCap is another great program to SOCKS your programs. I think it is an earlier version of FreeCap with the same developer. Anyway, why use an earlier version as well? Well, I have noticed some programs do not work properly with FreeCap, and also with SocksCap you can create shortcuts for the different programs so you don't have to know that SocksCap is even running.

Gah!

Just forget about the line "for gaming you might want to look up a tool called Freeproxy. it socks your application." It should be FreeCap there not FreeProxy. just a typo.

how about a batch file to start everything at one tim

Hey everyone. I know enough about networking to get me into a lot of trouble but not enough to fix or make anything better. Is there a way to automate all of these programs and settings so that they are started and configured on start up? You know, in case the power fails and I have to call my wife to restart the computer.

Help

When I am configuring SSH in command prompt and I get to this part,

mkpasswd -l -u %username% >> etc\passwd

I get this error

A domain name is only accepted when '-d' is given

What should I do?

when '-d' is given

This means that the machine group that you're trying to create is a member of a domain.

Just change the '-l' to '-d' and you'll be fine

l = local

d=domain

Indeed

This is great. Thank you so much for opening my eyes. WARNING: OPENSSH is a gateway drug. Next thing you know, you'll be messing around with VNC and VPNs

Internet Hate Machine

Internet Hate Machine approved.

Amazing :)

A great article which has helped me out no end!

UP YOURS I.T. :D!

Connection Error

Could you add some more to the tutorial? Because my internet connection at work has a proxy server. Can we use putty to bypass the proxy? Thanks

Yes

I used this page to setup my first SSH tunnel, so that I can connect to my computer at home (from work) and surf the net without worrying about the firewall our IT dept setup. This page was super easy to follow, thx man

THIS IS AWSOMEEEEEE!!!

DUDE!!! YOU ROCK!!! Can you help me a little more....how can this be used in FTP? for example in fileZilla

Hey, Just to help you out a

Hey, just to help you out a little bit, an FTP connection is done through port 21, so you would set this up the same way as you set up the others. When doing the options controlling SSH port forwarding, your source port would be 21 and destination would be 888. Then under connection settings, your FTP Proxy would be localhost on port 21. That should take care of you.

Great article! If somebody

Great article! If somebody doesn't want to setup your proxy, goto www.aplusproxy.com and you'll find lots of working proxies.
