Redirect ALL web traffic through TLS without a VPN
Solution 1:
I figured it out. :D This solution satisfies all of my requirements and meets all of my goals, perfectly. Performance isn't too bad, either, considering the level of indirection that is necessary to achieve this.
The general approach is thus:
Set up a local Certificate Authority (CA), and generate an RSA "server key" and "client key" (I used 256-bit encryption). For this, I used Easy-RSA version 3.0.0-rc2.
Run any bog standard HTTP proxy on the "Debian Box" (the server on the public Internet), making sure to have it listen on localhost only (it should NOT be exposed to the public Internet). For my purposes I used
Privoxy
, butSquid
would've worked just as well. Since it's only listening on localhost, authentication is not necessary (unless there are processes running on your box that you don't trust; in which case, yikes...)Download stunnel and install it on both the client and server. The process for doing this is going to be OS-specific; in my case, I chose to compile stunnel from source (paranoia...) for Windows, which was a rather involved process I won't detail here. On the server side, it was available in the package manager :)
Stunnel's configuration was quite daunting at first, but it's simpler than it seems! Basically, on the server, you need something like the below "server's stunnel.conf". On the client, you need something like the below "client's stunnel.conf".
Start Privoxy; start stunnel on the server, pointing it to the config file; start stunnel on the client, pointing it to the config file. There's really nothing all that special about Privoxy's config; the default was fine for me.
In Firefox, your browser of choice on the client side, set the HTTP and HTTPS proxy to be the same as the port your client's stunnel is listening on -- probably something like localhost:8080.
I should probably note that if your local network's proxy demands some kind of authentication, you will either have to get stunnel to authenticate for you, or else use another local intercepting proxy and chain them together -- something like Firefox -> stunnel -> local authenticating proxy -> LAN proxy/gateway -> internet -> your server's stunnel -> privoxy.
That's a lot of copying, but it works!
;This is the *client's* stunnel.conf.
[https]
accept = localhost:9020
connect = your.lan.proxy:80
client = yes
protocol = connect
;protocolHost should be the same as the "accept" for the server
protocolHost = 1.2.3.4:443
;Same CAfile, different cert and key pair
CAfile = ca.crt
cert = client.crt
key = client.key
;VERY IMPORTANT!!! Make sure it's really your server and not a MITM attempt by your local network by making sure that the certificate authority "ca.crt" really signed the server's cert
verify = 2
;More performance tweaks...
sessionCachetimeout = 600
sessionCacheSize = 200
TIMEOUTidle = 600
.
;This is the *server's* stunnel.conf.
[https]
;1.2.3.4 is a publicly-routable, static IP address that can be connected to by your box that's under the firewall
accept = 1.2.3.4:443
;localhost:8118 is an example of where your local forwarding HTTP(S) proxy might reside.
connect = localhost:8118
CAfile = ca.crt
cert = server.crt
key = server.key
;VERY IMPORTANT!!! Without this, anyone in the world can use your public stunnel port as an open proxy!
verify = 2
;Set some timeouts higher for performance reasons
sessionCacheTimeout = 600
sessionCacheSize = 200
TIMEOUTidle = 600
Once everything is configured, the end result ends up looking something like this:
- Your web browser connects to
localhost:9020
(stunnel) and treats it like a proxy that can accept HTTP and/or HTTPS connections. - Once stunnel gets a connection from your browser, it reaches out, through your firewall's proxy/gateway, to establish a TLS session with your remote server. At this point, your client verifies your server's PKI certificate, and vice versa.
- Once the TLS session is established with your remote server, stunnel passes along the data coming from your browser, e.g. an HTTP request or an SSL tunnel request, through the local proxy and directly to your server. This channel is encrypted, so your local network can't tell what the data contains, they can only guess by doing traffic analysis.
- Once the
stunnel
instance running on your server starts receiving data, it opens a connection to e.g.localhost:8118
, which would be where your HTTP(S) proxy server, in my case Privoxy, is listening. - Privoxy then acts like a normal forwarding HTTP proxy server, and forwards your requests on to the public Internet through the server's ISP.
The amount of sockets and buffers involved makes this method very high overhead, especially if you're nesting an SSL connection through the proxy, but it has the advantage that your local network has no way of knowing which sites you're visiting over SSL. I mean, it knows you're visiting your server, but aside from that, it doesn't know if you're visiting Gmail or SuperUser or whatever. And your local gateway has no way of filtering or blocking you.
Solution 2:
I have tried this setup on my local machine, and I can assure that the "restrictive proxy" would get a CONNECT DEBIAN_IP:443 HTTP/1.1
, but it will not see any certificate, so I am not sure if this would work.
Let's asume: your Debian has Apache
or Squid
to do the proxying and an SSH server. On your client PC, you need putty
, which is a program that does not need admin privileges to run, not need for installation and could run from a pendrive.
First your Debian:
Make your SSH listen on port 443
, just add (or replace your current port) a Port 443
on /etc/ssh/sshd_config
and also allow TCP forwarding (add AllowTcpForwarding yes
on that file)
Configure your Squid or Apache to do proxying. As this is going to be used through an SSH tunnel, it would only need to listen on the loopback interface. In case you use an Apache:
Listen 127.0.0.1:8080
ProxyRequests On
<Proxy *>
Order deny,allow
</Proxy>
Server done, let's configure your client PC:
On putty, configure your Debian's public IP as Host
and 443
as port. Make sure SSH
is still selected.
Change to the Connection -> Proxy
settings, select HTTP
and fill your "restrictive proxy" settings.
Change to the Connection
settings and stablish a keepalive of 30
-60
.
Change to the Connection -> SSH -> Tunnels
. On source port
stablish 8080
, and on Destination
, localhost:8080
. Leave Local
selected and press Add
. You shoud see in the space above something like L8080 locahost:8080
.
Change back to the Session
settings, write down a name on the first row of Saved sessions
and save all these tedious settings to help restablish the connection on following days.
Now you can try to Open
the connection to your Debian. If you see the user prompt, we are just a step from finishing with this. If not... we will have to search for another way.
Now, on Firefox, set localhost
at port 8080
as your proxy.
Solution 3:
You're halfway there with setting up a proxy on your server. The other half is SSL on the server, and a local proxy on the client using putty to connect to your SSL-enabled HTTP proxy, and set Firefox to proxy everything to 127.0.0.1.
I just did a quick google for a putty setup and found this: https://mariobrandt.de/archives/technik/ssh-tunnel-bypassing-transparent-proxy-using-apache-170/