Using SSH tunnel & Squid to create a private encrypted proxy for true private browsing (mostly)

I once worked at this place where I got a stern talking-to for viewing non-work-related pages. It was around Christmas and I was doing my shopping online (since I left the house at 7 AM and got home at 8 PM). It’s not like I was farting around all the time. Anyway, the idea that I was being proactively watched by someone with an axe to grind pissed me off, so I decided I wouldn’t give him anything to read.

I don’t have that problem anymore, but I do frequently connect to open wifi points where my traffic can be viewed. I use SSL for things like email, but why even let them see that I’ve gone to

My solution to both problems was the same: on my Linux box at home, run a proxy server, and pipe all my traffic to it via an SSH tunnel.

Step 1: Install Squid

Since I use CentOS, I just ran yum install squid

Step 2: Configure Squid

Well, the default squid config (/etc/squid/squid.conf) was pretty much fine, although I needed to add an ACL clause so I could actually use the proxy. The LAN in my house is, so I put these lines in my squid.conf:

acl subnet_192 src
http_access allow subnet_192

Then start Squid.

Step 3: Create the SSH tunnel

I run Linux, so that’s the syntax I can provide (You can use putty to do this from a Windows machine):
ssh -f evan@public-hostname-of-proxy-server -L 3128:private-ip-of-proxy-server:3128 -N
This opens an SSH connection from your local machine (port 3128) to the remote server’s private IP on port 3128 (3128 being the default port on which squid listens). So connections to localhost:3128 will be forwarded over the SSH tunnel to port 3128 on the other machine’s private IP.

Step 4: Set your browser to point to localhost:3128 as proxy server

Well, that’s pretty self-explanatory. In the browser’s options (lots of other apps support HTTP proxies as well – AIM, etc), find the section about proxy settings and set the HTTP and HTTPS proxies to “localhost” and port 3128.

That’s it. To test if it’s working, try going to and confirm that it shows you as coming from the home machine’s IP.

If you have a strict network admin who’s locked down outbound SSH, you can just have sshd listen on port 80 or 443, which almost everyone allows. A really nosy admin may notice encrypted traffic going to the server and kill it, but… well, I never said it was foolproof. 🙂
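
Because every browser request in this setup arrives through the SSH tunnel, squid never needs to accept connections from anywhere else. The script below is an added example, not part of the original post: it audits a squid.conf for an http_port bound to every interface and for http_access rules that admit any client or lack a closing "deny all". The function name audit_squid_conf, the subnet 192.168.1.0/24 and both sample configs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Flags squid.conf settings that
# leave the proxy reachable by clients that did not come through the tunnel.
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_squid_conf() {
    findings=$(awk '
        { sub(/#.*/, "") }              # drop comments
        NF == 0 { next }                # skip blank lines
        $1 == "http_port" {
            # No "ip:" prefix, or a wildcard address, binds every interface.
            if ($2 !~ /:/ || $2 ~ /^(0\.0\.0\.0|\[::\]):/)
                print "EXPOSED http_port " $2 " listens on all interfaces"
        }
        $1 == "http_access" {
            last = $2 " " $3            # remember the final rule seen
            if (last == "allow all")
                print "OPEN http_access allow all admits any client"
        }
        END {
            if (last != "deny all")
                print "NODENY final http_access rule is not \"deny all\""
        }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample configs; the subnet is an assumed value.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
acl subnet_192 src 192.168.1.0/24
http_access allow subnet_192
http_port 3128
EOF
# Hardened: squid binds to loopback only, so the matching tunnel would be
#   ssh -f -N -L 3128:127.0.0.1:3128 evan@public-hostname-of-proxy-server
cat > "$demo_dir/hardened.conf" <<'EOF'
http_access allow localhost
http_access deny all
http_port 127.0.0.1:3128
EOF

for conf in weak hardened; do
    echo "== $conf.conf"
    audit_squid_conf "$demo_dir/$conf.conf" || echo "-> needs fixing"
done
```

With squid bound to 127.0.0.1, the tunnel's forwarding target becomes 127.0.0.1:3128 on the proxy machine, and port 3128 does not need to be open on any network interface.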


6 Replies to “Using SSH tunnel & Squid to create a private encrypted proxy for true private browsing (mostly)”

  1. Evan, thank you for the best article!

    In my work I have parent proxy

    In my local pc I have squid (local:3128).

    I made ssh -f login@public-name-of-my-pc -L 3128:local:3128 -N.

    How can I test that my traffic to the parent proxy is encrypted (that the admin isn't able to understand where I surfed)?

    Thank you in advance,

    1. You don’t want to run squid on your local computer (inside your employer’s network), you want to run it at home or somewhere you know is safe. Run squid there, then create an SSH tunnel from your local computer to the remote computer. Then in your browser settings, set the proxy to localhost:3128. If you do it correctly, all your HTTP/HTTPS (or anything else you choose to proxy) requests will be forwarded over the SSH tunnel to the proxy at your home, and the return traffic will also be encrypted between your local PC and the remote proxy server.

  2. just run “ssh -D1080 user@home” then open firefox browser, proxy setting tab. put localhost into SOCKS HOST and port 1080 into SOCKS PORT. open about:config and change value of network.proxy.socks_remote_dns setting to true. that’s all 🙂

  3. Hello

    Nice article. But I now have almost 400 IP addresses attacking my server:3128.
    I set up proxy authorisation and installed fail2ban, but there are a lot of TCP_Denied in my squidlog
