SSHirking work - part 2

posted by tom / August 30, 2005 /

When last we left our hero — that'd be you — he had a functioning SSH server running on his Windows machine. You've poked a hole in your firewall and/or router, and maybe you've signed up for a dynamic DNS service. That, or you at least have an IP address. The bare minimum is the same: to proceed from here, you ought to be able to connect to your OpenSSH server with PuTTY when you're away from home.

The remaining tasks are pretty easy:

  1. Install Privoxy on the server
  2. Set up the SSH tunnel using PuTTY
  3. Configure your web browser to use the SSH tunnel

So: Privoxy. You can download it here — you'll want the most recent Win32 release. Run it and use the default configuration. It should start up the Privoxy console. Everything is pretty well ready to go with the default settings. You can hit the "X" on the console, but retain the shiny new blue P in your system tray. You've now got an HTTP proxy server running on your machine — one that, it's worth noting, will only accept requests from the local machine. But that's okay, because (counterintuitively) that's exactly where they'll be coming from.

Alright. Let's get this SSH tunnel going. From your non-home location (let's just call it work), start up PuTTY and enter the information necessary to connect to your SSH server. But don't connect yet. In the menu tree on the left, navigate to Connection | SSH | Tunnels. You should see this dialog:

PuTTY configuration screen

Enter the information as you see it here (if you can't see the image, see here), then click "Add". Let me explain what this all means.

SSH allows you to forward ports between the client machine (on which you're running PuTTY) and the server machine (on which you installed OpenSSH and Privoxy). In this case it's a Local port — that's what the radio button is set to, and it means that traffic that comes into the relevant port (specified in the "Source Port" textbox) on the client machine will be encrypted, sent to the OpenSSH server, and then sent from there to the address specified in the "Destination" textbox. If the "Remote" radio button were selected it would work in exactly the opposite direction, with traffic getting collected at the server and sent out through the client.

One more thing. You might already know this, but that "127.0.0.1:8118" has two parts: the IP address and the port number. 127.0.0.1 is a special IP address, called "loopback" or "localhost" that always refers to the current machine. The colon followed by "8118" specifies the port number. So: this tunnel will collect traffic coming into the client on port 8118; it'll then be sent through the SSH tunnel; and the server will decrypt it and send it to 127.0.0.1:8118 — port 8118 on itself. Which happens to be the default port on which Privoxy listens.

You might want to go back to the startup PuTTY screen, enter some text in the box under "Saved Sessions" and click "Save" — this'll let you reload the settings quickly in the future. Every time you want to use this tunnel, you'll have to open PuTTY, reload (or reenter) these settings, then connect and log into your SSH server as normal. It's important to note that the tunnel won't be set up until the login is complete — otherwise this would be a pretty huge security hole. And, as a result, you'll have to keep that PuTTY window open for as long as you're using the proxy setup each day. It's not that irritating, I promise.

Alright, last step. With the tunnel established, set up your browser to use an HTTP proxy. In Firefox this is under Tools | Options | General | Connection Settings. In Internet Explorer it's under Tools | Internet Options | Connections | LAN Settings | Advanced. Either way, set your HTTP proxy to point to 127.0.0.1, port 8118.

That's it! Start browsing. If you'd like to and feel up to it, download Ethereal to see what's going across the wire — all of your web traffic should be encrypted.

I should mention a few details. First, you'll probably notice that this system is a little slower than proxy-free web browsing. That's to be expected — your connection at home is asymmetric, meaning that you have more available download capacity than upload capacity. Normally this works out fine, because receiving a webpage or a file or streamed audio takes more bandwidth than does asking for it. But our setup turns this on its head, because all traffic will have to be shoved back up through your home internet connection. It shouldn't be too irritatingly slow, but it will be a noticeable difference.

Second, you might occasionally see Privoxy assert itself. The most obvious way is in big, bold error pages that come up when Privoxy can't access a website. Usually refreshing the page will solve this problem. By default Privoxy also filters some ads. If you'd like to turn this capability off, consult its documentation. I've found it to be a pretty unobtrusive feature.

Finally, if you're using Firefox, I'd recommend installing SwitchProxy, an extension that lets you easily change which proxy you're using to browse (configuration is pretty intuitive; use the same settings as those outlined above). SwitchProxy comes in handy when you're about to start a high-bandwidth transaction -- a file download, for example, or streaming audio from an internet radio station. Just switch the proxy off, then start the transfer. It won't go through the tunnel, and consequently won't eat up the tunnel's limited bandwidth. As soon as the connection is initiated you can turn the proxy back on. The just-started transfer will remain outside the secure tunnel (and, of course, be visible to the public).

That pretty well wraps things up. Folks on your network at work won't be able to see what you're accessing. From a network perspective, it'll look like you're browsing from home. The SSH tunnel will be visible, but its contents will be encrypted. Odds are that no one will bother you about it. If they do, I'd suggest making up a line about your personal webmail not supporting SSL — that's plausible enough. Do keep in mind, though, that a record of your browsing activities will still exist on your hard drive. If you're really worried about it, be sure to clear out your browser's cache and history before heading home each night.

There are a few more useful things you can do now that you've got this SSH tunnel set up, the most notable being remote control of your computer at home with an application called VNC. I'll try to write something up on that later — it's very straightforward. In general, whatever other network services are available from home but not at work can be made available — with a couple of noteworthy exceptions. First, SSH only tunnels TCP, the slower-and-steadier of the internet's two main transport protocols (UDP is its speedier, unreliable sibling). The tunnel's slow, so you wouldn't want to use it for playing Quake anyway. But the lack of UDP support rules out some streaming applications, like iTunes on the PC (Mac users can use iTunes without needing UDP by forwarding TCP port 3689). More notably, despite Windows filesharing working over TCP, it can't be redirected over SSH (at least not easily). If you need to get to Windows shares on your home network, you'll want a real VPN solution, like OpenVPN. Unfortunately the OpenVPN tutorial I did a while ago is now outdated (it should still work for a single user, but it'll probably be a bit slow). If there's any interest, I'll write up a new one.

As before, let me know in comments if you have any trouble with the above instructions. Besides newfound guilt over dereliction of your official duties, I mean.

UPDATE: I forgot to mention that many apps besides web browsers can use HTTP proxies. Most obvious is your IM client — if you'd like secure IM traffic, check out its connection settings and configure it to use an HTTP proxy using the same settings as you did for your web browser.

Comments

I use a similar setup on my boxes (although I'm using a non-standard port because it's not blocked on our corporate firewall.) I also use SSH inside the house over our wireless LAN because I have no faith in WEP or WPA. On those machines I have a command line PuTTY script that runs at startup, with public and private key logon instead of using a password. I also use a program called CMDOW to hide the PuTTY terminal window (which I don't use, I only use PuTTY for the tunnel and port forwarding functions) so I don't accidentally close it.

Posted by: ZipperSeven on August 31, 2005 12:23 PM

Using key pairs would definitely be the preferred way to do this. Unfortunately, it's also a bit more complex, so I thought it best to keep it simple. Also I lost my thumbdrive a few months ago, so I've been using password-based authentication myself :P

Posted by: tom on August 31, 2005 12:34 PM

I used the instructions at http://bmonday.com/articles/653.aspx to enable keys with OpenSSH. The documentation that comes with OpenSSH is rather sparse in this area; this adds a few additional steps to your server setup process but isn't nearly as complicated as it looks when you skim the page.

Posted by: ZipperSeven on August 31, 2005 01:27 PM

Thanks for the tutorial, I found you via hackaday in case you didn't know you were featured there.

I'm having a bit of trouble getting Trillian to work with the proxy, however. Firefox works just fine with it but the connections on Trillian fail to establish and error out almost immediately like the data isn't getting passed.

So I was wondering... any ideas? The proxy server address is 127.0.0.1 and the port is 8118 on its proxy set up (the same as Firefox) right?

Posted by: Tank on August 31, 2005 01:44 PM

Yup, that should work. But I just downloaded Trillian, and I can't get it to, either.

I'm inclined to say the problem is with Trillian, bloated piece of once-good software that it is. I just tried using the proxy with Google Talk, and it works fine. I suspect GAIM would work as well. If possible, give those a try; I bet you'll have more luck.

Posted by: tom on August 31, 2005 02:16 PM

okay! got more info for you. I downloaded GAIM and got the same error, except with a detailed message. Apparently privoxy doesn't like forwarding traffic on port 5190 (used by AIM), for some reason. Rather than figure out how to enable this, I suggest changing the "Auth Port" setting in your GAIM AIM settings from 5190 to 443. Worked like a charm for me. There is probably an equivalent setting in the official client, and in trillian.

Posted by: tom on August 31, 2005 02:33 PM

Just thought I'd let you know that this works like a charm for those of us who aren't using PuTTY but are using SecureCRT (commercial). Now if I could only convince my RSS reader (FeedDemon) to honor the proxy (it doesn't even appear to be trying to use it), I'd be set.

Posted by: Rick on August 31, 2005 02:51 PM

Trillian -- likely an issue with it. I gave up using Trillian several years ago for exactly this issue -- its proxy support STINKS! They keep claiming they'll fix it, but it's been two+ years since I last tried it and it doesn't appear to be fixed yet, based on your comments.

Posted by: Rick on August 31, 2005 03:14 PM

We get back into the HTTP or SOCKS proxy debate. If you add a dynamic port forwarding (SOCKS proxy) to your PuTTY configuration, you can use the SOCKS5 proxy setting in Trillian and check 'Use Proxy server to resolve names'. Works on my end. I have been using this setting for at least 6 months with no major problems.

Posted by: ZipperSeven on August 31, 2005 03:29 PM

Good point. For IM clients, SOCKS would be fine, since you normally would just need to conceal the content of your messages, not that you're logging into IM.

So, for those interested: follow the same procedure in PuTTY as you did to add the 8118 -> 127.0.0.1:8118 tunnel, except choose "Dynamic" instead of "Local" and enter, let's say, 8119. Leave "Destination" empty. Then enter "127.0.0.1" port 8119 in the proxy configuration screen for your IM app, selecting "SOCKS" as the proxy type.

Posted by: tom on August 31, 2005 04:15 PM

I like the sound of this.

All net traffic in my work goes through an internal proxy server first. A painfully slow net connection and Websense spoil any fun I can have at work.

When I set up the tunnel, can I set PuTTY to go through the work's proxy first on its way to Privoxy on my own machine?
All net traffic in work has to go through the damn proxy.

Posted by: on August 31, 2005 04:19 PM

yes, although it'll actually be "on its way to OpenSSH", which then sends the traffic to Privoxy (I know you probably realized this, but just want to be clear).

So when you're setting up the connection in PuTTY on the client machine, go to Connection/Proxy and enter your work's proxy information. It should work, although it's hard to say for sure.

Posted by: tom on August 31, 2005 04:25 PM

Thank you for a wonderfully done tutorial. I have seen discussion of this before and have wanted to do it, but have never been sure how exactly to tunnel with the SSH connection. Finally a good use for my old server. Thanks again.

Posted by: light on August 31, 2005 04:57 PM

About the DNS issue: apparently I had everything set up wrong (had Privoxy running on the wrong computer, durrr). Everything works correctly now. Thanks for simplifying this; before, all I could find were bits and pieces of the total picture, and all of it was in linux-guru-speak.
Matt

Posted by: matt h on August 31, 2005 06:21 PM

Sounds great, how about an OSX Tiger version?

Posted by: Scott on August 31, 2005 07:54 PM

Scott: I'll try to turn that info up and put it in a new post later tonight. Check the main page, the tech category, or our RSS feed to see it when it shows up.

Posted by: tom on August 31, 2005 08:09 PM

I'd rather setup privoxy on my local machine to route everything through a Dynamic port (SOCKS5). That way I can just switch privoxy configurations to switch where my surf traffic is going. No need for anything but SSH on the server and I get more control on my end without reconfiguring my browsers or IM clients. This is also how Tor works.

I use it every day on my OS X laptop when I go to work. I've even got a nice Applescript written to help me switch proxies quickly and easily, all without touching my browser settings.

Posted by: Chris on August 31, 2005 08:16 PM

Sure, that'd work too. I guess it's really just a question of whether you'd rather install more software on the client or the server. For many people (myself included) it probably doesn't matter. I used to use a Tor setup with a local copy of privoxy, but switched to this setup both for reliability (tor is blocked by some sites) and so that I could establish the tunnel from any machine (with a thumbdrive copy of PuTTY).

Posted by: tom on August 31, 2005 09:00 PM

And for Mac OS X (Tiger)?

Thanks

Posted by: Marvin on August 31, 2005 09:45 PM

I have a windows server at home set up with the proxy server and is ready to accept an ssh tunnel. My client would be a Mac OS X 10.4 PowerBook. What would the equivalent of Putty be for the Mac to forward to the ssh tunnel?

Posted by: Justin on August 31, 2005 09:51 PM

Alright. I'm not a Mac user, but I've put my best guesses up in a new post called "SSH Addenda".

Posted by: tom on August 31, 2005 10:00 PM

This is a great method if you're locked down behind a work firewall, but it's even better to use this when you're on an untrusted network like a public hot spot.

I wrote up a real quick tutorial on using Dynamic ports with putty. It's a better way to proxy traffic as it is protocol independent.

You can find my post at http://www.w00ttech.com/node/5

Posted by: Snuggles on August 31, 2005 10:39 PM

Thanks for the reply and link, Snuggles. Users should know, however, that using PuTTY's dynamic ports feature leaks DNS requests, so snoopers/bosses can tell what domains you're visiting, although not the specific content of the pages you're viewing. The Privoxy method conceals the DNS requests, keeping this information private.

Posted by: tom on August 31, 2005 10:45 PM

Depending on the laws of the country you work in, you can run into a lot of trouble, in some places even get fired, for using the internet for "private purposes". To ensure a clean record at work a tunnel is essential if you're not willing to change your habits (like me). I use the above-mentioned technique at work but with different SW. I also tunnel FTP traffic (might as well download some music as they have the bandwidth). Further on, I use a fair amount of applications which are not licensed at work, so I have a Citrix MetaFrame server running on my home server, map my local (work) drives on the MetaFrame server and run the apps I need (but do not have at work) on the server with the data I have at work. My only worries are getting in trouble for having an SSH tunnel open ("...stealing/uploading sensitive data") and the bandwidth I consume. So far no worries though.

Posted by: M.I.A. on September 1, 2005 04:41 AM

Although this will work through a normal firewall/gateway... what if you are forced to go through a proxy at work?

Setting the proxy on your browser to your home IP will not work because you have to forward through the company's proxy first.

So how would you get around this?

-Aeq

Posted by: Aequitas on September 1, 2005 06:52 AM

Aequitas:

It depends on the exact nature of the proxy, but generally speaking this method should still work. Look for PuTTY's proxy settings (Connection/Proxy). Modify them to use your work's proxy and you should be able to establish the SSH tunnel through it. Unless, of course, it blocks that type of traffic (or traffic to your home IP). If it does the former, try changing which port you're running the SSH client and server on. If it does the latter you're out of luck, I'm afraid (but why would it?).

Posted by: tom on September 1, 2005 09:13 AM

This would work in a lot of small business scenarios, but won't work in larger businesses, which will typically deploy HTTP proxies and will not give end users "direct" internet access (i.e. routable access/NAT to the Internet).


There are two options for tackling this. The first is to utilize a CGI proxy that essentially is a webpage that obfuscates the URL of where you are going and downloads it. Work is underway for inline javascript based encryption to obfuscate the data on such a level that even by manually viewing the requests it would be impossible to detect. A user needs web space on a remote server outside the network with cgi-bin (perl) access and needs to upload and install the single script listed below. I work in the security assessment field and have used the cgi proxy against the following products with success: websense, symantec web security, dansguardian and websweeper.

http://www.jmarshall.com/tools/cgiproxy/ - cgi proxy

The other method, and this one is ultimately more desirable if you can pull it off, is to use corkscrew to tunnel SSH traffic over an HTTP proxy. This requires having a Unix system listening remotely in order to be able to actually connect over the Internet. I have confirmed this to work against squid, websense (wccp on cisco and others), websweeper, Microsoft ISA and symantec web security. This provides secure end-to-end encryption for all of the traffic and basically is the same concept used above for tunneling your proxy over SSH, only this piggybacks the SSH connection on an HTTP proxy so even unroutable addresses can get direct internet access.

http://www.agroman.net/corkscrew/

Posted by: Maxeypad on September 1, 2005 12:14 PM

I'm confused! Where is the IP of my HTTP server being supplied? Because otherwise how does it know which server to connect to?

Thanks

Posted by: John26 on September 1, 2005 02:21 PM

John: please reread the tutorial carefully. If you follow the steps exactly, it will work. But I have no idea what you're asking.

Posted by: tom on September 1, 2005 03:47 PM

Is it me or do https:// sites not work? I know https uses port 443, but I'm not sure how the proxy would handle it.
Matt

Posted by: matt on September 1, 2005 04:46 PM

I haven't tested https. But you should be able to leave your https proxy unset, and just use your normal connection. If that doesn't work, something's weird with your browser.

Posted by: tom on September 1, 2005 04:48 PM

If you're going to go through the trouble of setting this up, and your place of business forces you to use IE, you might want to consider this:

http://sillydog.org/mshidden.html

Posted by: Dunkirk on September 2, 2005 09:19 AM

Hey I can't setup a connection from the outside I'm not sure what I am doing wrong, if you don't mind could you help me out a lil more or is there a better place to contact you?

Posted by: Jeff on September 2, 2005 08:08 PM

If you can connect from inside your network but not from outside, you've got a problem with your port forwarding (on your router), or you have a software firewall turned on. This tutorial isn't about how to do that, and I'm afraid I can't add more people to my tech support rolls. I suggest finding a nerdy friend or hitting up the forums at portforward.com. Sorry I can't be more help.

Posted by: tom on September 2, 2005 08:46 PM

Instead of setting up privoxy just use the dynamic setting in putty. It sets up a local socks5 proxy without any extra programs or hassles. Then, if you do not want to have to configure programs to use the proxy you can use a program called SocksCap which allows you to make any application work through a socks proxy (your ssh tunnel in this case).

Posted by: Robert on September 3, 2005 03:38 AM

I am having a problem connecting from my local machine. It doesn't give me any error, but there's no prompt in PuTTY; it's just a black screen with a blinking bar, and it doesn't do anything else. I can't type into it or anything. I have turned off some of my Microsoft services; is there anything vital, besides the SSH server, I need to be turned on?

Posted by: Jeff on September 3, 2005 05:26 AM

I'm also confused in the same fashion that John26 is. What I think he was trying to say was, how do you get your client computer at work to your server at home? I'm not clear on why you would put 127.0.0.1 into your browser for the proxy server. You showed us how to set up PuTTY on the remote computer we'll be connecting to (I think O_o), but how do you set it up on the client you're working on with the browser? I'm very confused, so sorry about all the crazy questions.

-tdz

Posted by: tdz on September 3, 2005 09:58 AM

Robert: as mentioned previously, socks5 proxies leak DNS requests. So observers can still tell where your traffic is going, although they can't tell its specific content.

Jeff: you're connecting -- from the server that has openssh installed -- using putty to 127.0.0.1 and it's not picking up? Sounds like you have a firewall turned on. Most likely XP Firewall. Go to your network properties and turn it off (or make an exception for ssh).

tdz: you put 127.0.0.1 into your browser because the browser actually talks to PuTTY (which is running on the same machine as the browser), which talks to OpenSSH (which is on the server), which talks to Privoxy (which is also on the server). You set up PuTTY on the client the same way as you set it up (for testing purposes) on the server -- the only difference is that you use the external IP of the server, rather than its internal LAN address. To get that information, use the link to broadbandreports.com that is in the article (from a machine within your home network).

Alternately (and more permanently, if your IP changes a lot) you can use a dynamic DNS service like dyndns.org (you'll have to find instructions for that later).

Finally, all of this assumes you've properly opened a port in your router (if you have one) and/or any firewalls you have running, allowing traffic coming in from the internet to get to your server on port 80, 443, or 22 (whichever port you're running openssh on).

Hope this helps.

Posted by: tom on September 3, 2005 12:01 PM

torn: Thanks so much, I appreciate you taking the time to explain that to me. I was a little confused on where putty was supposed to be run, but you explained it well. Thanks again!

-tdz

Posted by: tdz on September 3, 2005 04:00 PM

Er, tom, sorry, I was too far away from my screen.

-tdz

Posted by: on September 3, 2005 04:02 PM

I did turn off my firewall, I opened my ports, and nothing. Not sure; I don't use Windows Firewall, so I have actually turned it off before.

Posted by: Jeff on September 4, 2005 12:47 AM

Sorry Jeff, but it sounds like something weird going on with your system; I'm pretty confident the tutorial is sound, since lots of people have had success with it. I'd suggest finding a friend who can help you debug it. I don't have enough to go on to offer advice (nor do I have the time or inclination to poke around trying to figure out what the issue could be, I'm afraid).

Posted by: tom on September 4, 2005 12:11 PM

Jeff, I think you mean where do you put your home IP.

Under Session in the top left part of the screen, in the part covered by part 1 of the article, that's where you put your home IP.

Posted by: Reeds2 on September 5, 2005 05:12 PM

I dunno, maybe I'm being a newb, but I don't understand how this setup would enhance my privacy.
Is this just for when you're browsing away from home, or will it also encrypt traffic when you use it on your local machine? I ran Ethereal and it looked like all the traffic came through unencrypted. Can someone please explain?

Posted by: Einstein on September 6, 2005 01:40 AM

It won't enhance your privacy from home -- it's not intended to. Your traffic will go out from your home connection unencrypted. But this lets you use your (somewhat insecure) home connection securely from a remote location.

Posted by: tom on September 6, 2005 09:05 AM

Ok I think I understand now, I'm at school trying it now and it looks like it's working. Thanks for the clarification.

Posted by: Einstein on September 6, 2005 11:13 AM

Very nice tut. I got up and running in seconds, though we still can not get AIM to work; we have tried all the suggestions here and still get the error "proxy failed" or "proxy refused".


client -----> linksys ---> inet -->linksys ---> proxy

Client SSH access is open on the proxy linksys and all IE proxy traffic works, though AIM traffic will not work. Any suggestions or links, give me a shout.

Posted by: genxweb on September 13, 2005 11:26 PM

genxweb: turns out that Privoxy (and all HTTP proxies?) won't work for traffic on ports besides 443 and 80. The solution is to change AIM's "auth" settings to use port 443.

Alternately, add a "Dynamic" tunnel when connecting with Putty, then configure AIM to use your local machine as a SOCKS proxy (127.0.0.1, whatever port you specified for the dynamic tunnel). This will leak DNS requests, but for IM that doesn't really matter (it'll just be requesting entries within the aol.com domain).

Posted by: tom on September 14, 2005 12:51 PM
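Added example (not code from the post, from PuTTY or from Privoxy) covering the "Dynamic" tunnel described in the comments and the DNS leak tom mentions, with the post's 8118 Local tunnel for contrast: it builds and decodes the SOCKS5 CONNECT request an IM client hands to PuTTY's dynamic port, with and without the "resolve names" option. The resolver table, the example.com hostname and the 192.0.2.10 address are constructed for the demo.

```python
import ipaddress
import struct

SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04

# Constructed stand-in for the client's own DNS resolver. On a real client this
# lookup goes out over the work network in the clear, which is the leak the
# comments describe. 192.0.2.0/24 is a documentation range, not a real host.
FAKE_DNS = {"login.example.com": "192.0.2.10"}


def socks5_connect(host, port, remote_resolve, resolve=FAKE_DNS.get):
    """Build the SOCKS5 CONNECT an IM client sends to PuTTY's dynamic port.

    remote_resolve=True mirrors the 'Use proxy server to resolve names' option:
    the hostname is sent as-is (ATYP 3) and the SSH server looks it up at home.
    remote_resolve=False models a client that resolves the name itself first
    and only hands the resulting IP (ATYP 1 or 4) to the proxy.
    Returns (request_bytes, names_looked_up_locally).
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    lookups = []
    try:
        ip = ipaddress.ip_address(host)  # literal IP: nothing to resolve
    except ValueError:
        ip = None
    if ip is None and remote_resolve:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        if ip is None:
            lookups.append(host)  # a visible DNS query leaves the client here
            answer = resolve(host)
            if answer is None:
                raise LookupError("cannot resolve " + host)
            ip = ipaddress.ip_address(answer)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port), lookups


def parse_socks5_connect(data):
    """Decode what PuTTY receives on 127.0.0.1:8119 and will ask the SSH server
    to connect to. hostname_in_tunnel is True only for ATYP 3, i.e. when the
    destination name itself travels encrypted and is resolved at home."""
    if len(data) < 4 or data[0] != SOCKS5 or data[1] != CMD_CONNECT or data[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes in request")
    return {
        "host": host,
        "port": struct.unpack("!H", rest)[0],
        "hostname_in_tunnel": atyp == ATYP_DOMAIN,
    }


def http_proxy_request(host, path="/", port=80):
    """For comparison, the request a browser sends into the 8118 Local tunnel.
    The browser hands the whole URL to the proxy (absolute-URI form), so it never
    resolves the name itself; Privoxy on the home machine does. Returns
    (request_bytes, names_looked_up_locally), the latter always empty."""
    authority = host if port == 80 else "%s:%d" % (host, port)
    request = "GET http://%s%s HTTP/1.1\r\nHost: %s\r\n\r\n" % (authority, path, authority)
    return request.encode("ascii"), []


if __name__ == "__main__":
    for remote in (True, False):
        req, leaked = socks5_connect("login.example.com", 5190, remote)
        print(parse_socks5_connect(req), "local DNS lookups:", leaked)
```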

Yes, please do an updated openVPN post!

Thanks!

Posted by: Michael on September 16, 2005 02:38 PM

Michael: okay, will do. Look for it next week. I do have to say, though, that the HOWTO (2.0) on the OpenVPN website is pretty good. I'll try to make it even simpler, though (mostly by cutting out the extraneous parts). I might even be able to whip up a wizard-style application. Can you tell me what operating system you're running?

Posted by: tom on September 16, 2005 02:47 PM

At my previous tech job, I ran VNC through putty to my Openssh server over port 443 since I knew it was open and we did a lot of secure traffic via the web. It's a very easy way to get connected to home to get email (I don't use webmail very often. I like my email app at home). I didn't surf via proxy though. I usually just surfed at work, even though we weren't supposed to do that. I didn't go to web sites that are stupid to surf while at work though.

I would like to add that on a home network, SSH is a good idea for wireless. However, if you have W2K and/or XP boxes, and even Linux and Mac, you can also set up IPSEC. I do that on my wired network because I share my connection with the person upstairs via a typical Linksys and want to block his PC from my PCs (not that he would try anything, but if he gets owned, it can't get to me).

This encrypted/proxy idea is great for surfing via public wireless networks.

Posted by: Zip on September 18, 2005 07:45 AM

I have followed the article and successfully set up a tunnel through the home PC. However, Tor and Privoxy are set up at the other end and do not appear to be being used, i.e. PuTTY is sending the data through the SSH tunnel but not directing the traffic to port 8118 on the home PC.

I am identified as my home IP address from work rather than a Tor IP address... This happens when using SOCKS or straight port forwarding 8118:127.0.0.1:8118

Any ideas?

Posted by: Muddy on September 23, 2005 07:21 AM

muddy: well, I'm afraid I can't really debug your Tor configuration. Sounds a lot like your privoxy configuration file isn't properly pointed at your installation of Tor. Have another look at the docs at tor.eff.org.

Posted by: tom on September 23, 2005 09:48 AM

I know there isn't much info to go on there. Tor works perfectly on the server machine. I point my browser at 127.0.0.1:8118 and I am using Tor. It seems that when I go through putty and openssh the browser requests don't go to 8118...

Posted by: Muddy on September 23, 2005 03:30 PM

So if you use Tor via Privoxy on the server, it works -- but if you use it across the tunnel, it doesn't?

But if you use just Privoxy, it works via the tunnel?

Gotta say, that makes no sense to me.

Posted by: tom on September 23, 2005 03:35 PM

I am at a loss with the SOCKS5 thing and Trillian... I have everything else set up and I can log in to my OpenSSH/Privoxy machine with no problem, but when it comes to Trillian (3.1 basic) and I try to connect by pointing the host to 127.0.0.1 and port to 8118, it states that it's connected, but I don't see any of my buddies...

can you explain the SOCKS5 proxy sequence again...

Many and great thanks for any/all.

Posted by: Cskills on September 27, 2005 02:29 PM

NeverMind....

Redid everything you guys said about the SOCKS and proxy, and finally realized that it was a setting within Trillian
(Advance --> Proxy (lower left-hand corner)).

Everything works now...

Thanks again.

Posted by: Cskills on September 27, 2005 04:27 PM

What if the internet settings already have a proxy set to say, 172.16.0.11, and the internet settings are restricted from being changed to the required 127.0.0.1?

Posted by: Justin on September 27, 2005 05:49 PM

If you can't change the proxy settings, you're probably boned. You might be able to use SocksCap to send your traffic through the tunnel, but your DNS requests will leak, and your boss will see the domains you're visiting. If I were you I'd work on cracking the administrator password.

Posted by: tom on September 27, 2005 06:55 PM

Help, pretty please. I can get PuTTY to work at a mate's place but not at work.
My work uses an HTTP proxy, so I set work's proxy IP into PuTTY; however, PuTTY can't seem to create a tunnel. I get the following from PuTTY's event log:

Looking up host "203.XX.XXX.XXX"
Connecting to 203.XX.XXX.XXX port 443
Server version: SSH-2.0-OpenSSH_3.8.1p1
We claim version: SSH-2.0-PuTTY_Release_0.58
Using SSH protocol version 2
Network error: Software caused connection abort

Note: at work I can usually browse anywhere, incl. https sites. Also, my work runs Volera to authenticate.

Does this mean my work has restricted SSH tunneling? If so, how can I prove it? Is there a way/tool to know for sure?
Or have I missed something?

Any help would be appreciated.

BTW, for those who don't know their router/WAN/server IP, i.e. the IP address assigned to you by your ISP, use this site: http://www.whatismyip.com

Posted by: poor_me on September 29, 2005 08:21 AM

Justin: if work has restricted access to change the proxy settings, try this:
1. Can you run regedit? If so, look for that IP in the registry and change it.

2. Run Firefox or iexplorer from a USB key and put localhost in them.

Posted by: poor_me on September 29, 2005 08:26 AM

poor_me: sorry, but I don't know how else to test whether tunnels are allowed. If you can find more information about volera, it might help determine if it's blocking you. But I won't be too surprised if their software makes establishing this tunnel impossible.

Does your work proxy require a username and password?

Posted by: tom on September 29, 2005 09:04 AM

Yes, my proxy requires a username/password; however, I don't believe it's the problem, since PuTTY can navigate and see my server.

Hmm, I'll investigate Volera.

So it's possible to block tunnelling then?

Posted by: poor_me on September 29, 2005 05:16 PM

I would think so, yeah.

You say your proxy requires a username and password. You *are* using those in PuTTY's proxy configuration settings, right? If not your odds of getting past your work proxy are nonexistent.

Posted by: tom on September 29, 2005 05:18 PM

yes, I entered those details in.

Posted by: poor_me on September 30, 2005 12:28 AM

Couldn't thank you enough for this guide, Tom. Works great!

Posted by: linus on September 30, 2005 04:48 AM

poor_me: then I'm afraid it's probably volera being too smart for us. I'd look into some other tunnelling technologies, if I were you -- perhaps you can establish an SSL tunnel (start googling cygwin and stunnel).

Posted by: tom on September 30, 2005 09:50 AM

Thanks for the tutorial, I went step by step and it worked like a charm. The only problem I have is I can't access my Gmail securely. https:// doesn't work, only http:// works.

Is this because I set my SSH server at port 443?

Also WinSCP is a nice SSH FTP client. I can now access all my files on my home computer.

One more question. I set the ssh user account on my home XP machine to a 'limited account' but it is rather...limiting. Should I set it to unlimited access or is that asking for trouble?

Posted by: Vila on October 3, 2005 02:24 PM

Thanks for the tutorial, I went step by step and it worked like a charm. The only problem I have is I can't access my Gmail securely. https:// doesn't work, only http:// works.

Did you specify an SSL proxy in your browser's proxy settings, or just an HTTP proxy? Depending on your browser, you may have to do both. SSL *should* work over the SSH/privoxy tunnel.

One more question. I set the ssh user account on my home XP machine to a 'limited account' but it is rather...limiting. Should I set it to unlimited access or is that asking for trouble?

I don't know a lot about limited accounts, but my guess would be that if someone can get ssh access to your windows machine, you would probably be in trouble whether the account is limited or not. If you need more permissions, I'd go ahead and grant them -- but perhaps a) double check that you have a good password and b) edit openSSH's config file to restrict access to your work IP block.

Alternately, you could google for how to switch from password-based authentication to public key authentication. That should be very secure. I haven't set it up myself, though, so I'm afraid I can't offer much help on that front.

Thanks for the tip on the FTP program. Another, similar option that people should be aware of is the scp (secure copy) program, available as part of cygwin. Both will be pretty slow, though, relative to an unencrypted file transfer (although your upload speed may still be the bottleneck).

Posted by: tom on October 3, 2005 02:38 PM

Did you specify an SSL proxy in your browser's proxy settings, or just an HTTP proxy? Depending on your browser, you may have to do both. SSL *should* work over the SSH/privoxy tunnel.

That was it, thanks. Firefox has separate entries whereas IE just has one.

And thanks for the other info. For now I will edit the config file so that only someone from my work can access the server, and I'll change the password to something very complex. Once that's done I'll look into public key authentication.

Thanks again, I learned a lot.

Posted by: Villa on October 3, 2005 03:18 PM

Has anyone got GAIM to work over it yet?

Posted by: KRAT on October 6, 2005 10:18 AM

yeah, I've got AOL IM working over GAIM. Go into your AIM connection's settings, set the proxy to HTTP, port 8118, and the auth port to 443. That should do it.

I haven't tried using the proxy with any of the other services. But in general: Privoxy only wants to forward traffic on 80 and 443, so you should try to change the IM service port to 443 (this in addition to setting the proxy port to the port of the SSH tunnel).

Posted by: tom on October 6, 2005 10:22 AM

I use GAIM IM at work and I can surf perfectly through my home PC. If I use MSN through the SSH connection it works, but if I use my GAIM IM it doesn't connect. It gives the option to use a proxy and I have tried SOCKS4 and SOCKS5 and HTTP with no luck. I don't see anywhere to change the auth port on the GAIM IM.

Posted by: KRAT on October 6, 2005 10:52 AM

The auth port is the key to this problem. It's in an expandable section under the AOL account settings dialog, which you can get to via the "accounts" screen.

Posted by: tom on October 6, 2005 11:01 AM

ok - I'm sorry. I'm not talking about AOL IM it is GAIM IM

Gaim is a modular messaging client capable of using AIM, MSN, Yahoo!, Jabber, ICQ, IRC, SILC, Novell GroupWise, Napster, Zephyr, and Gadu-Gadu all at once. It is written using Gtk+ and is licensed under the GPL. URL: http://gaim.sourceforge.net/

In GAIM - it does not allow me to change the auth port.

Posted by: on October 6, 2005 12:39 PM

yes, I know what GAIM is. I'm using it for AOL IM over an SSH tunnel right now.

What IM network are you trying to use via GAIM? There are per-network connection settings. This is where you'll find the auth port. Please have another look at the instructions I left in my last comment. They should get you up and running with AIM.

Posted by: tom on October 6, 2005 01:56 PM

Hi, I was wondering how I could maybe make it so I can access the tunnel from my school. I want it so that in the Internet options I can simply type my home IP. Is this possible? I think my LAN might be stopping me from doing this.

Posted by: Tom on October 10, 2005 03:15 PM

You have to run the tunnelling software on the client machine. There's no way to securely transmit your traffic otherwise.

An alternate configuration would be to open up your router so that Privoxy is exposed to the internet. Doing that is beyond the scope of this article, and has security implications. If possible I suggest running the tunnelling software on the client machine.

Posted by: tom on October 10, 2005 03:22 PM

Hi there. Wonderful tutorial. I set it up successfully and am able to surf the web via my Laptop from work. Here is what I really want to use this setup for, but cannot get it to work.

I want to play Final Fantasy XI Online from work because we block the ports for it... I entered in the proxy info in the FFXI settings but it will not connect or even attempt to contact my proxy server (look at logs and do not see any activity). Does anyone have any suggestions?

Posted by: Nick on October 13, 2005 09:20 AM

Hi Nick. I'm not specifically familiar with FFXI, but I'd be very surprised if it generates HTTP traffic -- which is all that privoxy passes. Odds are that you need a SOCKS proxy. Fortunately, SSH can do that. Just add a "dynamic" tunnel in the SSH configuration section. Specify a port (doesn't matter which -- let's say 1234), leave destination blank, add the tunnel and connect to your SSH server. Now in FFXI's proxy settings, enter 127.0.0.1 as the socks proxy, and 1234 as its port. That should work (assuming the link is fast enough).

One thing to note, though: your DNS requests will "leak" -- you'll be sending unencrypted requests to your work DNS server to resolve www.ffonline.com or whatever the domain is. If someone's looking, they'll be able to see the activity (I'm sure you could come up with a decent explanation, though).

Posted by: tom on October 13, 2005 09:44 AM

Tom, thanks for the info. After thinking about it a while, I realized exactly what you said: this is more specific to HTTP traffic than what I'm trying to do.

The ports I need to play are:

TCP
25, 80, 110, 443, 50000-65535

UDP
50000-65535

As you can see, there is such a wide range of ports to open that we cannot justify opening them, because it's such a big hole.

I'll try your tip.

Thanks for the quick reply!!

-N

Posted by: Nick on October 13, 2005 10:32 AM

Nick: well, the dynamic tunnel will forward whatever ports you throw at it (a SOCKS proxy generally will work for any port).

Unfortunately, SSH can only tunnel TCP traffic, not UDP. So unless FF can work under those conditions, this isn't going to help you. You'd need to either wrap your UDP traffic in TCP somehow (not sure how to do this), or set up a genuine VPN connection to home that'd allow you to use your gateway for UDP and TCP traffic. Either way it's likely to be irritatingly slow.

You'd probably be better off installing Tor on your machine at work and using that. Not sure if it can handle UDP either, but it's got a better shot than an SSH tunnel. http://tor.eff.org

Posted by: tom on October 13, 2005 10:35 AM

What IM network are you trying to use via GAIM? There are per-network connection settings. This is where you'll find the auth port. Please have another look at the instructions I left in my last comment. They should get you up and running with AIM.

Tom, I'm using Yahoo and MSN. I did find the settings that you said, but Yahoo craps out and doesn't work. MSN says handshaking but never connects...

Any suggestions?

We can take this offline if you want - just email me.

Posted by: krat on October 13, 2005 03:37 PM

I like having a record here for other people who might have the same problem in the future.

Unfortunately I haven't gotten MSN or Yahoo working, just AIM. I haven't tried very hard, though. I'll try to find time to take another look, and will email you if I figure it out. This should definitely be possible.

Posted by: tom on October 13, 2005 03:50 PM

You can't change the auth port in the prefs of Gaim or in accounts.xml; you have to do it via the accounts screen.
If you're already logged in, go to Tools > Accounts, click on the account > Modify > click "Show more options", set the proxy to HTTP and there you go. :)

Posted by: Daem0nX on October 18, 2005 05:47 AM

For Final Fantasy XI Online - I am thinking of adding UltraVNC into this mess and just running Final Fantasy XI Online from my home PC and using UltraVNC to connect to my desktop at home and play from there. I know it will be kind of slow, but I just would like to have it to check the status of my character. I think this would be a viable option.

Posted by: Alas on October 18, 2005 02:44 PM

That would probably work -- but maybe not. Depends on your graphics card, and how FFXI works. And, for that matter, how VNC works (outside of an X11 environment, I have to confess I'm not really sure).

Posted by: tom on October 18, 2005 02:50 PM

Regarding GAIM -

I did change the ports and it still didn't work.

Posted by: krat on October 19, 2005 07:57 PM

A tutorial for us recent Mac OS X converts from Windows would be much appreciated!

Posted by: Gary Bennett on November 8, 2005 11:36 PM

Gary: I don't own a mac, but I tried my hand at answering this request in another post (it wasn't linked to from this one, sorry). You can find it here.

Posted by: tom on November 9, 2005 09:23 AM

Hello, great tutorial! I got everything working except the last step of setting up IE. I go into settings and there is no 'Connections' tab. Can I reach this somewhere else, or will I have to get administrator privileges somehow to set up IE?

Posted by: YowiMan on November 30, 2005 08:59 AM

Hmm. Well, I've got a connections tab in MSIE under XP and Win2k. I'd suggest googling for how to set up your proxy. If the tab isn't available, it may indeed be because you're missing admin privileges.

Posted by: tom on November 30, 2005 10:19 AM

All right, instead of trying to get (sneak) privileges I just got a small USB drive and downloaded Portable Firefox. Working great, but I'm still trying to figure out if everything's encrypted. I don't know that I can install Ethereal yet; still downloading. Thanks for all the goods.

Posted by: YowiMan on November 30, 2005 03:40 PM

Hey, thanks for the great writeup.

I set up openssh/privoxy at my home PC and am able to successfully connect through putty at my work PC and get around blocked web pages.

My question is, is there a way I can connect to the Yahoo Games server to play Literati? I tried adding the port the Yahoo Games server uses (11999) to the forwarded port list in PuTTY (source port 11999, destination 127.0.0.1:11999), but to no avail... the browser loads the Java fine but then says it cannot connect to the Yahoo Games server.

What am I doing wrong?

Any help would be greatly appreciated :)

Posted by: Dermot on December 2, 2005 12:07 PM

Ignore my last comment, I was reading over the comments and saw a lot of people talk about SOCKS...so I put in an entry for a SOCKS connection, and now I can connect to yahoo games fine :)

Yay!

Posted by: Dermot on December 2, 2005 12:15 PM

Without knowing much about Literati specifically, there are two possibilities:

1) that the game uses UDP traffic instead of TCP. In that case, you're SOL -- SSH can't tunnel UDP.

2) you aren't using a "dynamic" port. 127.0.0.1:11999 on the remote end won't work, because it's trying to forward that traffic through Privoxy -- which is exclusively an HTTP/HTTPS proxy. It won't pass traffic on ports other than 80 and 443. Instead, add a "Dynamic" tunnel (described above, or on the other thread).

You'll have to configure Literati to point at the port associated with that new dynamic tunnel, though -- I'm not sure how you'll do that. Perhaps there are settings in the game for a SOCKS proxy (point it at IP=127.0.0.1, port=whatever the port of the dynamic tunnel is). If you can't set a proxy in the game, google for "socksify" and see if you can't find a way to capture traffic on port 11999 in order to send it through the tunnel.

Good luck.

Posted by: tom on December 2, 2005 12:19 PM

Looks you fixed it while I was writing my reply -- that's great! I'm glad to hear everything is working.

Posted by: tom on December 2, 2005 12:20 PM

'Ello,

Before I try this, I was wondering: would this work if I was trying to play games over the internet? They block the ports atm for a game I want to play and I am looking for a way round it, so I was wondering, would this be a way?

Posted by: Neil Nand on December 5, 2005 11:50 AM

depends on the type of game. If it's a fast-paced game (FPS, RTS, MMORPG) it'll probably use UDP, which can't be tunnelled over SSH and would be too slow, anyway. If it's a slower game (a card game, for example), it may use TCP and in that case could be tunnelled using the "dynamic port"/SOCKS option (see comments on this and the other thread for specifics).

Posted by: tom on December 5, 2005 12:00 PM

OK, I've gotten everything to work except one thing. I am on Firefox at my workplace, I type in 127.0.0.1 port 8118 for all connections, yet it refuses connections. Does the machine have to be logged in in order for Privoxy to work? Because when I'm away it's usually logged off.

Posted by: Caleb on December 13, 2005 10:01 AM

It has to be logged into OpenSSH, yes. If you mean logged into windows, then no. If you didn't have to log into SSH it'd be a pretty huge security hole.

For the proxies -- is 8118 the port you put into your SSH config's "local" port? Whatever that number is, it's the one that should go into Firefox's proxy configurations.

Posted by: tom on December 13, 2005 11:43 AM

In PuTTY, yes. I did the same with Portable Firefox.

Posted by: Caleb on December 13, 2005 01:05 PM

So you can run commands on your home computer via SSH, but the browser is acting as if Privoxy isn't running? I'd check Privoxy's settings. Make sure it's configured to start automatically.

Posted by: tom on December 13, 2005 05:37 PM

Won't work if your work uses an NTLM-based proxy server that you already have to go through.

I can't find an SSH client that has the ability to go through an NTLM proxy.

Posted by: Chris on December 29, 2005 02:06 PM

I got this to work with PuTTY just fine, and the SFTP option with WinSCP3 works as well, but when I try to connect to localhost or my IP address with the SCP option checked, the host does not answer for 15 seconds, and it times out. A different PC with Linux couldn't access my server with scp either.

Posted by: ericode on January 10, 2006 09:49 PM

did you specify the port for scp? I believe the syntax is -oPort=443 or something similar

Posted by: tom on January 10, 2006 10:27 PM

Does this work for Thunderbird? I can't seem to get it to work. I changed my proxy settings in Tools -> Options -> Advanced -> Connection Settings -> Manual Proxy Configuration
HTTP Proxy:
127.0.0.1
8118

SSL Proxy:
127.0.0.1
8118
It seems to be ignoring the settings.

BTW...I have it working for Firefox. Works great!

Posted by: Eric on January 16, 2006 01:05 PM

Hmm... I'm afraid I don't run Thunderbird, so I couldn't really say. Make sure "automatic proxy discovery" or any similar settings are disabled. If it's working in FF, it really ought to work in Thunderbird. You might try posting in the Thunderbird support forums asking for help configuring your HTTP proxy.

Posted by: tom on January 16, 2006 02:33 PM

How would I go about routing all traffic on my laptop through the SSH tunnel? Is there an easier way (like installing a program to do it) rather than configuring every browser, messenger, etc. to use the proxy? I want to be able to turn off the tunnel and use my regular connection at home too without having to change too many settings.

Posted by: yingjai on January 30, 2006 03:48 PM

yingjai: I don't know, off the top of my head. Many windows programs work off of IE's proxy settings; that would probably take care of most of your needs. I'd google for "proxy switch tool" and see what you come up with. Socksify, which SOCKS-enables non-socks-compliant apps, may also help. I'm sure there's something out there.

It's worth reiterating that SSH can't tunnel UDP traffic, however. So you may not be able to send *all* your traffic through the tunnel, depending on what apps you use. For that you'll need a real VPN solution -- google around for "windows vpn" and I'm sure you can find something.

Posted by: tom on January 30, 2006 03:59 PM

Does anybody know if I could possibly use SSH to bypass the school's internet quota? Because it costs a bloody fortune, like 10 dollars for 20 megs. But the net is T3. I was wondering. If anybody knows how to do this PLEASE email me at extermin8tor(at)gmail.com.
Or at least tell me if I can use the config here.
Thanks

Posted by: alexei j on January 30, 2006 11:53 PM

Data is data. SSH doesn't make you use less bandwidth, it just conceals what you're doing.

Posted by: tom on January 30, 2006 11:55 PM

How can I run my audio call with Google Talk beside an ISA firewall server?
Has someone already encountered this issue?

Posted by: Raoun on February 4, 2006 03:10 AM

Hello,
I keep getting "connection timed out".
I have OpenSSH installed and running (checked services) at home with Privoxy. Set up port 80 in the sshd file. Forwarded ports 22, 80, 443 to my IP address (ipconfig) on my router. Disabled the router firewall, Windows firewall and Norton firewall.

At work I run PuTTY (is that all you need here?). Also, in PuTTY I entered the work proxy, input my WAN IP address and port 80 and set up the tunnel with your settings. Click Open and it times out.
The firewall at work can access HTTPS sites but no streaming media.

Please help.

Posted by: Nick on February 19, 2006 04:55 AM

Nick: I'd suggest trying to connect from a non-work connection. It may be that your employer's firewall is detecting the SSH traffic and filtering it, even though it's on a different port. If you can confirm that your setup works properly in the absence of the firewall, we can figure out where to go from there.

Posted by: tom on February 19, 2006 11:39 AM

Well, it's quite a good tutorial and probably the answer to what I have been searching for for a long time. I came across it accidentally while reading documents about SSH... I will be implementing it in a few days and then will reap the fruits... but as of now it seems to be an absolute method of tunneling on a secure encrypted channel like SSH and PuTTY.
It's an ingenious design...

Posted by: vincent on March 31, 2006 07:58 AM

Great post, the SOCKS5 part in particular. It worked perfectly on IRC, browsing and IMing. However, I had one problem. It doesn't seem to support resuming broken downloads from FTP servers.

I am sure the FTP server does support resuming broken downloads, and I have actually seen it working before. But if I use this SOCKS5 setup to connect to the same FTP server and try to download, it always starts from the beginning of the file when I reconnect after a broken download.

Any ideas?

Posted by: AskMike on April 9, 2006 11:07 AM

Hmm. Sorry, nothing really comes to mind other than perhaps trying a different FTP client.

Posted by: tom on April 9, 2006 12:20 PM

Tried it with Vshell and SecureCRT; this worked also for RAdmin etc., but you still need the proxy at your server. Thanks for your post!

Posted by: WoW Player on April 12, 2006 09:21 AM

Tried it with Vshell and SecureCRT; this worked also for RAdmin etc., but you still need the proxy at your server. Thanks for your post! And use SocksCap for WoW ;-)

Posted by: WoW Player on April 12, 2006 09:22 AM

So here's a question....(I realize this post is very old so it may not get any responses...)...

Instead of using Privoxy, which is only an HTTP proxy... what about using a SOCKS proxy on the server with OpenSSH? A SOCKS proxy such as AnalogX Proxy:

www.analogx.com/contents/download/network/proxy.htm

I'm gonna try to set it up, and then point other apps at it, not just a web browser :)

Thanks,
Jeremy

Posted by: Jeremy on April 18, 2006 12:28 AM

Jeremy: yup, as you can see in some of the other comments, plenty of folks use the SOCKS setup. The downside to it is that it doesn't tunnel DNS requests in the way that an HTTP proxy does, so if you use it for web traffic a snoop at work would still be blocked from seeing what you were browsing, but could see where you were getting it from (in terms of domain names). Lots of traffic from reallydisturbingpornography.com might be enough to upset your boss, even if he doesn't know exactly what the content of that webpage is.

Posted by: tom on April 18, 2006 12:41 PM

Thanks for the quick response...
What I was getting at, though, is the option of running the SOCKS proxy on the server computer, like Privoxy in your setup... not using the Dynamic ports option in PuTTY...

This means that the DNS requests would all go through the SSH tunnel before being interpreted... right?
Who cares if it leaks the DNS info to your home computer... it's the work connection that isn't even being touched as far as the DNS settings are concerned... right? Don't they tunnel just like the HTTP requests if the server is in the same place as the OpenSSH setup?

-Jeremy

Posted by: Jeremy on April 19, 2006 11:47 PM

Hmm. So you'd be tunneling proxy traffic? Well, I think you'll still face the same problem: when an application is told to use a SOCKS proxy (as all non-HTTP speaking apps would have to be), they will leak DNS requests immediately. It doesn't matter if the SOCKS traffic gets an extra level of encryption -- that traffic doesn't contain the DNS requests in the first place.

But we're reaching the limits of my knowledge on the subject. I would suggest googling around for DNS proxy solutions. You could probably find something that would let you specify localhost as your DNS server, then tunnel DNS requests to your home connection. That, combined with a SOCKS connection, would probably take care of it.

Posted by: tom on April 20, 2006 10:21 AM
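The DNS point tom makes here and in his October 13 reply about FFXI can be seen directly in the requests a proxy receives. The following is an added example, not code from the original post or its author: it decodes a SOCKS5 CONNECT request and an HTTP proxy request and reports whether the destination hostname is carried inside the tunnel (resolved at the home end) or whether the client sent only an address, meaning any lookup already happened on the work network. All sample requests and the 203.0.113.5 address are constructed.

```python
"""Inspect proxy requests to see where name resolution happens.

Added example, not from the original post.  An HTTP proxy such as Privoxy
receives the destination hostname in the request line, so the home machine
resolves it.  A SOCKS5 client may resolve the name itself and send only an
IP (ATYP 0x01/0x04), in which case the DNS lookup happened on the client's
network even though the payload is tunnelled.  Samples are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from urllib.parse import urlsplit

SOCKS5_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class ProxyRequest:
    protocol: str             # "socks5" or "http"
    host: str                 # destination exactly as the client supplied it
    port: int
    name_reaches_proxy: bool  # True: hostname travels inside the tunnel and is
                              # resolved at the proxy end.  False: only an
                              # address was sent; any lookup happened locally.


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_socks5_connect(data: bytes) -> ProxyRequest:
    """Decode a SOCKS5 CONNECT request (RFC 1928 section 4, sent after the
    method negotiation): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(data) < 5 or data[0] != SOCKS5_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError(f"unsupported SOCKS5 command {data[1]:#x}")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        addr_end = 8                 # 4 address bytes
    elif atyp == ATYP_IPV6:
        addr_end = 20                # 16 address bytes
    elif atyp == ATYP_DOMAIN:
        addr_end = 5 + data[4]       # 1 length byte + name
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) < addr_end + 2:     # 2 port bytes must follow
        raise ValueError("truncated SOCKS5 request")
    raw = data[4:addr_end]
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(raw))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(raw))
    else:
        host = raw[1:].decode("ascii")
    port = struct.unpack("!H", data[addr_end:addr_end + 2])[0]
    # Only an unresolved domain name lets the proxy do the lookup.
    reaches = atyp == ATYP_DOMAIN and not _is_ip_literal(host)
    return ProxyRequest("socks5", host, port, name_reaches_proxy=reaches)


def parse_http_proxy_request(data: bytes) -> ProxyRequest:
    """Decode the request line an HTTP proxy like Privoxy would receive."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed HTTP request line")
    method, target, _version = parts
    if method == "CONNECT":              # "host:port", used for HTTPS
        host, _, port_s = target.rpartition(":")
        if not host:
            raise ValueError("CONNECT target must be host:port")
        port = int(port_s)
    else:                                # absolute URL for plain HTTP
        url = urlsplit(target)
        if url.scheme != "http" or not url.hostname:
            raise ValueError("proxy requests must carry an absolute http URL")
        host, port = url.hostname, url.port or 80
    return ProxyRequest("http", host, port,
                        name_reaches_proxy=not _is_ip_literal(host))


def classify(data: bytes) -> ProxyRequest:
    """Dispatch on the first byte: 0x05 is SOCKS5, anything else is HTTP."""
    if data[:1] == b"\x05":
        return parse_socks5_connect(data)
    return parse_http_proxy_request(data)


def describe(req: ProxyRequest) -> str:
    """One-line verdict suitable for an audit log."""
    if req.name_reaches_proxy:
        where = "hostname carried inside the tunnel, resolved at the proxy end"
    else:
        where = "only an address was sent; any DNS lookup happened on the client network"
    return f"{req.protocol} -> {req.host}:{req.port}: {where}"


# Constructed sample requests (not captured traffic).
_NAME = b"www.ffonline.com"
SAMPLE_SOCKS5_DOMAIN = (b"\x05\x01\x00\x03" + bytes([len(_NAME)]) + _NAME
                        + struct.pack("!H", 443))
SAMPLE_SOCKS5_IPV4 = (b"\x05\x01\x00\x01" + bytes([203, 0, 113, 5])
                      + struct.pack("!H", 11999))
SAMPLE_HTTP_CONNECT = b"CONNECT mail.google.com:443 HTTP/1.1\r\nHost: mail.google.com:443\r\n\r\n"
SAMPLE_HTTP_GET = b"GET http://www.whatismyip.com/ HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SOCKS5_DOMAIN, SAMPLE_SOCKS5_IPV4,
                   SAMPLE_HTTP_CONNECT, SAMPLE_HTTP_GET):
        print(describe(classify(sample)))
```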

Is there any way to use the Cisco VPN client through Privoxy?

Posted by: Paul on April 20, 2006 07:08 PM

No. Privoxy only tunnels HTTP traffic, which VPN traffic is not (I suppose *some* sort could be -- but probably not Cisco). For that matter, many VPNs use UDP, which SSH can't tunnel at all.

But I'm completely mystified as to why you'd want to run a VPN through an anonymizing proxy. Encrypting something twice isn't going to gain you anything except a big performance hit.

Posted by: tom on April 20, 2006 07:10 PM

My school blocks the VPN port and I'm sick of having to drive into work (40 min) to fix something stupid.

Posted by: Paul on April 20, 2006 07:29 PM

Well, give it a shot. But you'd be using SSH to do it, not Privoxy.

Posted by: tom on April 20, 2006 07:40 PM

I can't figure out how to tell the Cisco VPN client which port or proxy to use. Any ideas?

Posted by: Paul on April 20, 2006 08:05 PM

Google around to see what port it uses and make a tunnel for that. Then tell it to connect to localhost.

Honestly, though, I used to use a Cisco VPN at work. I think the odds of it working over SSH are very, very low. I'm afraid you're probably going to have to figure out another way to use the VPN by remote. What about just using a dialup line out of school? Or setting up a machine you can access via VNC/SSH somewhere else that has an unobstructed internet connection, and on which you've installed the Cisco VPN client?

Posted by: tom on April 20, 2006 08:53 PM

Sorry, I bet this is a dumb question, but I don't get it, and I was wondering if you could clear this up. The server machine is running Privoxy and hosts the IP 127.0.0.1:8118 and has OpenSSH set up. If the "work" machine is only looking for 127.0.0.1:8118, how does it know to go to "your/server" specific machine?

Posted by: Mo on April 23, 2006 03:45 PM

You put in the dynamic DNS or the specific IP address in the host/address box in PuTTY. 127.0.0.1 just tells the server to forward port 8118 traffic to itself. Reread the tutorial carefully; it's all there.

Posted by: tom on April 23, 2006 11:12 PM

Oh, I see it now: "enter the information necessary to connect to your SSH server". Sorry, my fault. Thanks.

Posted by: Mo on April 24, 2006 06:42 PM

I am currently out at work right now. My SSH tunnel is up and running and working great. The only problem is that I forgot to start Privoxy. Is there any way to get this executable to run remotely through the tunnel?

Posted by: John on April 25, 2006 01:24 PM

Via PuTTY you ought to have a command prompt. So yes, there ought to be a way to start it, I believe -- although I'm not sure how. Google for the DOS "net" command to see how to start and stop services (which is, I assume, what privoxy is registered as -- if not you may just need to run privoxy.exe).

Posted by: tom on April 25, 2006 02:03 PM

Great info, but it still comes up a little short on what I'm trying to figure out, which is remote access to home from work from behind a firewall I cannot control and on a system where I cannot install applications (no admin privileges). It's a toughy, but seems to be possible through VNC and a PuTTY SSL tunnel or a service like EchoVNC. Binary files should take care of installation roadblocks. I just can't seem to piece the whole process together; too much info. The ideal solution would be decently fast secure remote access, Windows fileshare capability, using minimal free applications. Any suggestions?

Posted by: Joe on April 26, 2006 04:57 PM

I'd suggest looking into the apps that are available for use on a thumbdrive -- those will be the lightweight, no-admin-required types that you'll need. For windows filesharing you're going to need a genuine VPN, not just SSH. OpenVPN is one option you might consider.

As far as the firewall goes -- in general you should be able to run any application over any port so long as you control both the client and server. There are ways for the firewall to still catch you, but they're not particularly likely to be in effect.

Posted by: tom on April 26, 2006 05:31 PM

Thanks for the quick reply and info. I'll read into what you said. One free service/app I just came across that looks almost too good to be true is SSL Explorer http://www.sshtools.com/showSslExplorer.do. I'm going to give it a try - it seems to satisfy my needs. Let me know if it's a bad choice.

Posted by: Joe on April 26, 2006 06:28 PM

Hey, this is working great for me, thanks a lot! Now I want to let my brother use PuTTY and tunnel into my computer, but I don't want to give him access to a command prompt. Is there a way to let him SSH in without giving him a command prompt? I'm not worried about him doing advanced hacking or anything; I just don't want a prompt in his face.

Posted by: jordan on April 27, 2006 03:45 AM

I have an odd situation. I got everything working at work today and set up Firefox to use a multi-proxy extension (I also got my ancient copy of Trillian to connect to AIM & ICQ!). This was just using password authentication, as your tutorial describes. So, tonight when I got home, I tried connecting with PuTTY from another computer on my LAN & it worked perfectly--on several tries, in fact.

So, I boldly followed the instructions at http://bmonday.com/articles/653.aspx to set up SSH public key authentication. However, when I'd finished *that* tutorial, all I could get was
NETWORK ERROR: Connection Refused.

The only error I got during the SSH tutorial was when I tried to run mkGroup -d & mkPasswd -d

Checking GRC.com now shows that my port 443 is "Closed" instead of "Open" as it had been all day, today. (Prior to following your tutorial, this PC had shown nothing but "Stealth").

Does "Closed" mean that the OpenSSH app isn't answering? Or coulld it be a router issue?

I tried putting back the default sshd_config & restarting openSSH, which didn't help. Putty still recieves the "Connection Refused" with a previously-working 'password' Session.

Next, I disabled, then re-enabled the router's 'Virtual Server' setting, which is what it calls a 'firewall hole.' This didn't work, neither did rebooting the Router. I've also reGen'd the passwd & group files.

Between each of these attempts, I've bounced the OpenSSH service. But I haven't messed with Privoxy--it seems oblivious to all this, since it's waiting patiently for traffic on the 'inside.'

I appreciate any light you can shed on this problem, because it WAS working!

Posted by: Ricochet on April 27, 2006 07:24 PM

Funny how I manage to figure things out, after posting problems to a public forum...

The fix:
I read that OpenSSH sometimes has trouble with white-space in its path. So, I uninstalled it from 'C:\Program Files\OpenSSH' and reinstalled it to 'C:\OpenSSH' and then went through all of the tutorial steps, again. (Well, mostly--I'd made backups of the group, passwd, and authorized_keys files).

Also, the uninstall process required a reboot, which may have actually fixed it.

So now the public/private keys work & it prompts me for the passphrase in putty! :)

Posted by: Ricochet on April 27, 2006 08:17 PM

Great info! Anybody know how to use Bypass Proxy Client 0.78 to access Yahoo Games? I am behind a work firewall and they block everything. The bypass proxy works fine to get to websites that were previously blocked, but I can't seem to get to Yahoo Games :( I keep getting the message that I'm behind a firewall. Yahoo Games uses port 11999 but I'm not sure how to link my port 11999 to theirs through the firewall. I tried setting up a TUNNEL like 11999:games.yahoo.com:11999, but I'm not sure how to make Firefox look at that (SSL proxy?). Any ideas?? Thanks

Posted by: Chris on May 2, 2006 10:59 AM

Try googling for "socksify" or "sockscap" -- that may help you force the yahoo games traffic through an SSH tunnel. Here or here will get you started. You'll want to set up an SSH tunnel with dynamic (socks) port forwarding, then point sockscap at it. Then you "socksify" iexplore.exe (or whatever web browser you're using). This should *hopefully* intercept all the calls to yahoo games and forward them over the ssh tunnel.

If it doesn't, you'll need to go into the task manager and figure out what filename Java is running under when it's called to play the yahoo games.

Posted by: tom on May 2, 2006 11:18 AM

Tom - great writeup! Just need a bit of help.

I'm able to set up the tunnel and through a command prompt can see my home PC and its contents. However I cannot get the browser to work. I have to go through a proxy normally, but no id and password required. Any thoughts?

Thanks in advance.

Posted by: db packer on May 10, 2006 11:42 AM

I have a proxy server and a firewall at work, and am trying to remotely control my home PC. I have tried in vain to get through my company LAN's firewall and proxy all to no avail. Used HTTPort, PuTTY / SSH etc still nothing. I was wondering if it was an issue with NAT at the company end of the link, as they have changed the HTTP port from 80 for security purposes.

Any ideas?

Posted by: Tim on May 10, 2006 12:56 PM

db: please review the writeup and make sure you have privoxy configured and running on the home PC and your browser's proxy settings correctly set -- and that you put in the tunnel settings in PuTTY correctly. Specific error messages might help.

Tim, if you can't get out using SSH over the non-standard HTTP port they gave you, I'm afraid it looks grim. If they're worried enough to run HTTP over something other than 80, then they probably can detect and block encrypted traffic at the firewall level.

Posted by: tom on May 10, 2006 01:47 PM

Very cool tutorial Tom. Just a bit nervous in someone finding out that I'm doing this, since I have to use a proxy at my job.

Posted by: vance on May 10, 2006 10:00 PM

Understandable, vance. In the somewhat unlikely event that you're caught, I'd suggest responding that you were doing it for privacy reasons (and then stop doing it, of course). I've never had anyone approach me at any of the contracting sites where I've used SSH tunnels -- and for some of them, IT would come around within minutes of me booting with a mistakenly still-open bittorrent download. So in general I wouldn't worry about it. SSH is a standard tool for geeks; they're unlikely to turn it off or notice its use unless you're working somewhere with *extremely* tight security (like, the kind of place that won't let you bring iPods in).

Posted by: tom on May 11, 2006 01:14 AM

Great tutorial!
I am behind a ISA proxy that requires NTLM authentication.
It is still possible to use Putty over 443 port, through NTLMaps.
Putty -> NTLMaps -> ISA Proxy -> SSH Server

http://ntlmaps.sourceforge.net

It works perfectly!
zerodb

Posted by: zerodb on May 16, 2006 11:02 AM

Tom- Thanks for the reply to May 2nd post!

Anybody know why I get a blank page with just "reeXOk" in the upper right corner when I try to go to the SocksCap32 homepage???

http://www.socks.nec.com/

Is there another place to get it?

Posted by: Chris on May 17, 2006 11:30 AM

Chris: yeah, I noticed that. Seems that it's been down a while. Have a closer look at the May 2 post -- there's a link to a page at theproxyconnection.com. There's a link to a mirrored copy of sockscap on that page.

Posted by: tom on May 17, 2006 12:38 PM

Yahoo Games behind a firewall........ =(

So I finally got my hands on a copy of SocksCap32 and installed it on my PC at work.

I set up the SOCKS settings in SocksCap as follows:
SOCKS Server: localhost
Port: 8080
Protocol: SOCKS Version 5

I have the program "bypass proxy client" running on my PC (as localhost) which allows me to bypass my work proxy server and read any web pages I want over an HTTP proxy. The web browsing works just fine. But I've gathered that Yahoo Games needs a SOCKS proxy to work.
The bypass program does support SOCKS protocols. In the bypass proxy client settings I have the following mapping:
HTTP - port 8080
FTP - port 8021
SMTP - port 25
POP3 - port 110
NEWS - port 119
SOCKS5 - port 1080
TUNNEL (not using this)

Somehow I was able to start mozilla.exe in SocksCap (socksified), then log into the yahoo games server and play any game I wanted. That was yesterday. Today I get the message from Yahoo Games that I am behind a firewall and I cannot connect.

My question is: Does SocksCap have to be pointed at a SOCKS proxy? My port 8080 is an HTTP proxy, and I could swear I had SocksCap pointed to port 8080 and with mozilla proxy settings at 'direct connection to internet' yesterday when everything worked. If I point SocksCap to port 1080 (my SOCKS5 proxy) mozilla works fine for browsing with the 'direct connection' setting, but yahoo games dies. There are also proxy settings in the Java console! Many settings, but I had it working once. Just can't remember all the settings.

Anybody know a good program to work with SocksCap?

Thanks in advance!
Chris

Posted by: on May 19, 2006 03:50 PM

SocksCap *does* have to be pointed at a SOCKS proxy. SSH with dynamic port forwarding works as a SOCKS proxy. My guess is that yesterday you had added a dynamic tunnel in PuTTY, and today you didn't. An HTTP tunnel/proxy by itself won't work with SocksCap.

Posted by: tom on May 20, 2006 01:40 AM
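The confusion in the two posts above (SocksCap pointed at port 8080, which is an HTTP proxy, versus port 1080, which speaks SOCKS5) comes down to what protocol the local listener actually talks. The check below is an added example, not code from the original post or from any of the tools named in the thread: it sends the three-byte SOCKS5 greeting to a port and classifies the answer. A real SOCKS5 server (PuTTY's "Dynamic" tunnel, `plink -D 1080`, or the bypass client's SOCKS5 port) replies with two bytes starting `0x05`; an HTTP proxy such as Privoxy or the bypass client's port 8080 has no idea what those bytes mean and normally answers with an HTTP error line, or just hangs up. The two stub servers in `local_demo()` are constructed for the example so it runs offline; they are not real proxies.

```python
import socket
import sys
import threading

# A SOCKS5 client opens with: version (0x05), number of auth methods offered (0x01),
# and the method list (0x00 = no authentication).  A SOCKS5 server answers with two
# bytes: version (0x05) and the chosen method (0x00, or 0xFF if none is acceptable).
# An HTTP proxy cannot parse those three bytes and usually sends back an HTTP error.
SOCKS5_GREETING = b"\x05\x01\x00"


def detect_proxy_type(host, port, timeout=2.0):
    """Return "socks5", "http" or "unknown" for whatever is listening at host:port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SOCKS5_GREETING)
        try:
            reply = sock.recv(256)
        except socket.timeout:
            return "unknown"  # listener took the bytes and said nothing back
    if len(reply) >= 2 and reply[0] == 0x05 and reply[1] in (0x00, 0xFF):
        return "socks5"
    if reply.startswith(b"HTTP/"):
        return "http"
    return "unknown"  # empty reply (connection closed) or some other protocol


def _stub_server(reply):
    """One-shot loopback listener that answers any client with `reply`.

    Constructed for the demo only: it stands in for a SOCKS5 listener or an HTTP
    proxy, it does not proxy anything.  Returns the port the OS assigned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 -> any free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        with srv:
            conn, _ = srv.accept()
            with conn:
                conn.recv(64)  # swallow the client's greeting
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return port


def local_demo():
    """Classify a SOCKS5-speaking stub and an HTTP-speaking stub on loopback."""
    socks_port = _stub_server(b"\x05\x00")  # version 5, method "no auth"
    http_port = _stub_server(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
    return {
        "socks5_stub": detect_proxy_type("127.0.0.1", socks_port),
        "http_stub": detect_proxy_type("127.0.0.1", http_port),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python proxytype.py 127.0.0.1 1080
        print(detect_proxy_type(sys.argv[1], int(sys.argv[2])))
    else:
        print(local_demo())
```

Run it against `127.0.0.1 1080` and `127.0.0.1 8080` from the work PC: only a port that comes back as `socks5` is something SocksCap can use. Note that the probe sends a greeting offering "no authentication" only, so a SOCKS5 server that insists on a username and password answers `0x05 0xFF`, which the check still correctly reports as SOCKS5.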

Ok Here is my dilemma. We recently got Websense and also a Cisco Checkpoint firewall. I got around websense by using public Http proxy on other ports but about 2 weeks ago they all stopped working. They beefed the firewall up so that pretty much those ports are all blocked outbound now. This SSH on 443 seems to be a good idea so I set it up at home and tried it from 2 different PC's on my LAN Server as itself and a laptop over my wireless. It worked nice and smooth for both. Now It appears that My company blocks most of the ports now but not sure which. My home web server on port 88 is also no longer accessible.

2nd problem. My ISP blocks at least 3 ports that I am aware of being 80, 22 and 23. I also have a static IP. My Web server and FTP servers will not work on these common ports at home. The SSH looks ok locally but when I use it at work I get a connection time out error. I had my brother in another state try from his home PC and he also gets a connection timeout error. I will be double checking my port forwards but if my ISP blocks inbound 443 traffic would this timeout error be a symptom of this. If so do you have any other common outbound enterprise but unlikely ISP blocked ports to try.

Posted by: SEAJ on May 25, 2006 02:48 PM

Yeah, connection timeout error is a symptom of your ISP blocking inbound traffic. Not too surprising, given that it's the HTTPS port (80 being HTTP). I'd suggest running "Shields Up!" (google for it) from work and home and seeing what ports you have open at both (it may not reveal all of them, however). Hopefully there'll be some overlap; if there is, that's where you should run the tunnel.

Posted by: tom on May 25, 2006 03:01 PM

Thanks for the info. After many hours of searching and using 2 tools GFI languard network scanner (10 day demo) on my work system and a program called Port Listener XP I was able to open listeners on about 4000 ports at a time on my PC directly connected to the internet (not behind my router) at home and use the GFI languard to scan for all TCP and UDP ports. Takes about 30 min a scan but I found a port finally. 1755 that was both open outbound by my company and inbound by my ISP. All works fine now on that port.

Posted by: SEAJ on May 30, 2006 11:35 AM
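SEAJ's approach above (listen on many ports at home, scan from work, keep the overlap) and Ricochet's earlier "Closed versus Stealth" question both come down to reading the three things a TCP connect can tell you. The script below is an added example, not code from the original post and not a reimplementation of GFI LANguard or Shields Up!: it classifies each port as "open" (handshake completed, a listener answered), "closed" (the far host sent a RST, so the packet got through but nothing was listening, which is what Ricochet saw when sshd was not running) or "stealth" (no answer at all before the timeout, meaning a firewall or the ISP dropped it). The `CANDIDATE_PORTS` list is an assumption for the example, not a list from the thread, and `local_demo()` builds a listener and a free port on loopback so the script can run offline.

```python
import socket
import sys
from contextlib import closing

# Port states, in the Shields Up! vocabulary the thread uses:
#   "open"    - TCP handshake completed: something is listening there
#   "closed"  - host answered with RST: reachable, but nothing listening (this is
#               what PuTTY reports as "Connection refused")
#   "stealth" - nothing came back before the timeout: a firewall or the ISP dropped
#               the SYN (other scanners call this "filtered")
#   "error"   - the OS would not even try (no route, bad address, ...)


def probe(host, port, timeout=2.0):
    """Classify one TCP port on host as open / closed / stealth / error."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    with closing(sock):
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:   # must precede the generic OSError clause
            return "closed"
        except socket.timeout:
            return "stealth"
        except OSError:
            return "error"


def scan(host, ports, timeout=2.0):
    """Probe every port in ports and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def reachable(host, ports, timeout=2.0):
    """Ports on which a listener at host actually completed the handshake."""
    return sorted(p for p, state in scan(host, ports, timeout).items() if state == "open")


# Ports an office firewall often allows outbound and a home ISP is less likely to
# block inbound than 22/80/443.  An assumption for the example; SEAJ found 1755 by
# scanning rather than guessing, which is the more reliable route.
CANDIDATE_PORTS = [443, 993, 995, 1755, 1863, 3389, 5190, 8080]


def local_demo():
    """Offline check: one real listener and one known-free port on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 -> the OS picks a free port
    listener.listen(1)
    listening_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    unused_port = spare.getsockname()[1]
    spare.close()  # released again, so a connect here should now be refused

    with closing(listener):
        return {
            "listening": probe("127.0.0.1", listening_port),
            "unused": probe("127.0.0.1", unused_port),
        }


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # e.g. python portstate.py 203.0.113.10  (a host you own, with listeners up)
        for port, state in scan(sys.argv[1], CANDIDATE_PORTS).items():
            print(f"{port:5d}  {state}")
    else:
        print(local_demo())
```

Two caveats a practitioner would want. First, a connect scan from work only tells you the combined result of both ends: a "stealth" reading cannot say whether the office firewall or the home ISP dropped the SYN, which is why SEAJ's extra data point from a third location (his brother's PC) was useful. Second, run this only against hosts you own; the home end should have a listener up on every candidate port (SEAJ's Port Listener XP, or several `nc -l` instances) or every result will simply read "closed".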

This works for me, but only from my home computer when Firefox settings are set to localhost:8118 or 127.0.0.1:8118

However, whenever I try and enter my IP xx.xx.x.x:8118 I get this error

"The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing connections."

I'm using a router but port 22,80,443,8118 are all set to foward to my machine.

Posted by: Mark Glasgow on June 13, 2006 05:15 PM

Mark: please reread the article to make sure you understand how SSH tunnels work, and are following the directions correctly (it doesn't sound like you are). You are not supposed to set your proxy IP to your home IP.

Posted by: tom on June 13, 2006 05:33 PM

Hiyas, Great tutorial! I found it through Google and have been using it to successfully breach the firewall at work for over a month now.

I can also report that your method works fine with the *old* version of Trillian (the pre-bloated 0.72 ver, that is).

And I have a question, if you're still monitoring this page...I've been thinking about your method & wireless access points, specifically the Closed kinds.

For example, some hotels & coffee shops charge ~$10/day to use their WAPs. And without paying, they typically redirect your browser traffic to their $$-up gateway pages. However, I've noticed that they do resolve DNS & many allow http requests to Mozilla.com, microsoft.com & to Opera, to grab new browsers, I guess.

What I'm wondering is if I could tunnel the SSH over the DNS port (53), instead of 443, to get out through a closed WAP?

I'd have to open 53 in my firewall & set OpenSSH to listen to it, but that's easy. So, does this sound feasible?

Thanks.

Posted by: Ricochet on June 22, 2006 06:36 PM

Ricochet: Interesting question. I don't know if you could send your tunnel over the DNS port, but I suspect the answer is no: generally there'll be a local DNS server relaying DNS requests, not just an open port letting you speak to the DNS server of your choice.

However, it's a great idea, and someone else has done something similar with ptunnel. It does something similar over ICMP, which some of the smaller wifi retailers leave open for diagnostic purposes.

Posted by: tom on June 22, 2006 09:24 PM

Just want to say THANK YOU. I followed every step and everything worked perfectly. AWESOME how-to. My only suggestion is to add the following paragraph in the tutorial for FF users:

"specify an SSL proxy in your browser's (Firefox) proxy settings"

Posted by: DRide on July 5, 2006 04:31 PM

First of all very good tutorial, it was hard to find but is exactly what I was looking for. :)

But I have tried it many times and I don't get it to work.
My situation is:
home PC with router, ports 434 and 22 forwarded to my home PC. Windows firewall disabled. Privoxy running. I can connect using PuTTY (at least I get the login, password and command message) from my home PC.

At work I have an HTTP proxy. And it is configured as "Do not use proxy for: localhost,127.0.0.1" (I don't know if it matters).
No Privoxy in work computer (I think there shouldn't be)
When I use PuTTY in my work computer I write my home computer IP (the IP of the router, not mine (100.100.100.XX) concretely) in the "Host Name (or IP address)" box (it is here I imagine, I didn't find it written anywhere) and the port number 443 in my case. I use the proxy settings of my work proxy in PuTTY Connection/Proxy and when I try to connect, after a few seconds it says: "Server unexpectedly closed network connection".

I don't know if I am doing something wrong, I think I have followed everything step by step, any suggestions?

Thx in advance for your time.

Albert

Posted by: Albert on July 14, 2006 06:49 AM

Albert - it sounds like you're doing everything right. If you can't connect to your home machine from work, using PuTTY with your work proxy information filled in, then it's probably the case that your work proxy is clever enough to detect SSH traffic and strip it out. Unfortunately, there aren't a lot of options that I'm aware of to resolve the problem. It may simply be, though, that the proxy is looking for a login and password that you haven't configured. I'd try to think of an application that the IT guys might let you use, then ask them if you can have the necessary login info to use in your proxy settings.

Posted by: tom on July 14, 2006 06:20 PM

First of all I will try to connect to my home PC from a friend's PC to make sure everything is working fine on the server side.

From your suggestion, at the work PC I have Outlook running, is there any way I could check if there is a login and password? By the way, do all applications go through the proxy? or just internet pages?

And one last question, do you know any application I could need for work that could require this login and password? :P

Thanks for your time.

Albert

Posted by: Albert on July 17, 2006 04:56 AM

Sorry Albert, there's really no way to tell whether a login and password are required for everything, some things, or nothing at all. These values would be embedded in your app settings, not something you'd have to enter on a regular basis.

I'm afraid you'll more than likely have to talk to IT unless you can find some kind of diagnostic proxy tool. I don't have any suggestions on that front, unfortunately.

Posted by: tom on July 17, 2006 10:15 AM


I think I'm ready to try connecting from work to tunnel around WebSense, maybe.

My question is this--they've stuck me with a thin client/network PC. So I get my own session, but it's already an extension of IT server.

Are there any additional concerns about running putty on a network pc/thin client through a work server? Is this going to set off alarms on the server? Thanks much for any information provided.

Posted by: Jim on July 24, 2006 08:10 PM

Sorry Jim, I don't know much about thin clients. But good luck.
