I’m currently working on setting up a proxy on my home computer to bypass my school’s blockers, and want to see if I can make any improvements to security. To be clear, I haven’t opened this to the internet yet, I’m asking BEFORE doing that.
The setup is thus: I have a squid server running on my linux laptop, which will only allow authenticated users through. It’s no longer listening to the default port (3128) and is instead listening to a port in the 10000-20000 range. I would have both my router and modem set to forward that same port, and my laptop’s local IP address is static.
This is a consumer internet connection, so Dynamic DNS, but I have a NOIP address ready to connect once I open the ports (already have the client installed and running, just throws an error on the website because it can’t get through the port.)
I’ll be connecting to my proxy server through the FoxyProxy extension, rather than through the Windows 11 control panel on my school laptop, because I dont have access to that specific part of the control panel.
That’s the sum total of the setup I’ve got thus far. It only needs to be able to support my lone connection, I’m not sharing this around. Any improvements to be made?
Doesn’t quite answer the question, but what I did back then in school is I had set up NoMachine over SSH on my laptop and just had the Windows client on my MP3 player. I’d just plug it in, run the client and remote into my laptop, and as a bonus I wasn’t really using the school’s computers, I was using mine remotely. Nothing to see on the school’s computer, no history. For IT, I guess I just looked like a kid that’s doing a lot of stuff over SSH. Today that’d be x2go, although RDP or VNC would also probably work fine.
I don’t know if the remote aspect helped, but the teachers didn’t care and definitely knew. A friend on mine did something similar, got caught and ultimately got away with it because the remote desktop software itself wasn’t violating the policy, and he wasn’t technically bypassing restrictions either, and he wasn’t caught actively visiting a site that should have been blocked. YMMV.
I would be hesitant to put a squid proxy directly on the Internet as there is a history of vulnerabilities in that software and afaik a bunch of them are yet to be fixed.
First of all I would advise against trying to bypass the security controls your school implemented, but if I hypothetically would attempt to do what you’re trying I would probably set up a haproxy on a dedicated piece of hardware, such as a raspberry pi, and expose 443 to the Internet. I would configure a simple static website to serve as default, and add a ssh backend like in this guide: https://www.haproxy.com/blog/route-ssh-connections-with-haproxy
Now you can SSH to your backend by wrapping the connection with openssl s_client. From here you can do a dynamic port forwarding, which essentially acts as a socks proxy and finally connect to that with firefox
edit: slap a tls cert on that too for good measure. Helps with hiding the ssh traffic
Just putting it out there that bypassing any settings on school hardware is probably a breach of ToS.
Some randon open port is no more secure than standard ports.
What authentication are you using, it’s a long time since I’ve used squid or the like (I have wireguard to remote into home)
I’d be tempted to just run it on port 443 so it looks like normal web traffic… Would raise fewer eyebrows than “what’s all this traffic going to some random port” (depending on how well the network is monitored - and it’s probably not well monitored at all). I’ve used ssh to do stuff like this in the past (use -D to enable a SOCKS proxy through a ssh tunnel).
Frankly I’d be more concerned about the laptop itself being scanned depending on the spyware the school uses to monitor usage.
Picking obscure ports doesn’t really add security, are you using authentication?
It does when ya got nosey IT at a university whacking ports for standard proxy services. And doesn’t hurt to do it either, the port is arbitrary. Also they state:
which will only allow authenticated users through.
So it sounds like they have proper authentication enabled.
Should work fine as a proxy for HTTP traffic. If you want to forward all your traffic through your home IP I’d suggest using a VPN, using openvpn or wireguard.
