(This is from 2001. There must be newer resources you should read instead. To get you started, today I use ssh port forwarding to a host with a squid proxy.)

Did you know that the firewall at your company logs every single website you go to? Kinda sucks, but the Constitution doesn't apply to private businesses. So we get around it, and around the packet sniffers that could snag your traffic if you sent it in cleartext to a remote proxy.

So if you have a reasonably fast home connection, just set up Apache with mod_proxy on the *nix box you're using as a gateway and run stunnel between your home PC on the DSL or cable modem and your desktop at work, through a port the firewall lets out.

Work Desktop (10.40.80.160)

Of course you run Windows at work...

Download the win32 binaries of stunnel from stunnel.org.

Create a scheduled task to run this command at user logon:

C:\st\st.exe -c -d 127.0.0.1:80 -r 10.20.30.40:81 -p c:\st\stunnel.pem
This command runs stunnel (st.exe) as a client (-c), listening on port 80 of the localhost (-d) and forwarding to port 81 on the remote side (-r), presenting the certificate stunnel.pem (-p). Note that without a -v option stunnel does not check the certificate the other end presents, so anything that can intercept the connection could stand in for your home server; see the -v and -A options in the manual for your version if you want the client to verify it.

Now configure your browser to use a proxy at 127.0.0.1 port 80. In IE go to Tools/Internet Options/Connections/LAN Settings/Use a proxy server.

Home Server (10.20.30.40)

After installing stunnel in whatever way you prefer, put this line into your /etc/rc.d/rc.local or equivalent:
/usr/local/sbin/stunnel -d 10.20.30.40:81 -r 127.0.0.1:80
This is simply the reverse of the command for your work machine. Here we listen on our public port 81, decrypt that traffic and pass it to the localhost on port 80, where our proxy server is listening. No -p is given, so stunnel uses the certificate at the default path it was built with.
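The same two-sided setup in the configuration-file syntax that stunnel 4 and later use in place of the command-line switches above, added here as an example that is not from the original page. It also adds the two checks the 2001 commands lack: the work desktop verifies the home server's certificate, and the home server requires a client certificate, so merely reaching port 81 is not enough to use the proxy. The two files are shown one after the other (they go on different machines); the file paths, the service name webproxy and the setuid/setgid accounts are assumptions, while the addresses and ports are the page's own.

```ini
; ---- Work desktop (Windows): C:\st\stunnel.conf ----
; Replaces: st.exe -c -d 127.0.0.1:80 -r 10.20.30.40:81 -p c:\st\stunnel.pem
client  = yes
; Our own certificate + key, presented to the home server (assumed path)
cert    = C:\st\client.pem
; Verify the home server's certificate against a copy of it (assumed path).
; Without this, a box in between could impersonate the home server.
verify  = 2
CAfile  = C:\st\server.pem

[webproxy]
accept  = 127.0.0.1:80
connect = 10.20.30.40:81

; ---- Home server (Unix): /etc/stunnel/stunnel.conf ----
; Replaces: stunnel -d 10.20.30.40:81 -r 127.0.0.1:80
; Server certificate + key (assumed path); its certificate is the
; server.pem the desktop carries.
cert    = /etc/stunnel/server.pem
; Require a client certificate listed in CAfile: only a desktop holding
; client.pem (copied into clients.pem here) gets a tunnel into the proxy.
verify  = 2
CAfile  = /etc/stunnel/clients.pem
; Drop privileges after binding port 81 (account names vary by distribution)
setuid  = nobody
setgid  = nogroup

[webproxy]
accept  = 10.20.30.40:81
connect = 127.0.0.1:80
```

With the client certificate required at the tunnel, the Apache access rule below becomes a second line of defence rather than the only one, which matters because Apache cannot tell tunnelled connections apart (they all arrive from 127.0.0.1).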

We don't want anyone else using our proxy server, especially since logging is disabled: an open proxy with no logs is an invitation for someone else's abuse to be traced back to your connection. We must tighten access not only with stunnel and host wrappers but also in Apache (this is the Apache 1.3 form; Apache 2 uses a <Proxy> container instead):

    <Directory proxy:*>
        Order deny,allow
        Deny from all
        Allow from 10.40.80.160 127.0.0.1
    </Directory>
The 10.40.80.160 entry only matters when you must connect without the stunnel in place. Through the tunnel, Apache sees every connection coming from 127.0.0.1 (the stunnel server on the same box), not the real source address, so this rule alone cannot tell your tunnel apart from anyone else who reaches port 81. Keeping port 81 itself locked down (host wrappers, the firewall, or a required client certificate) is what actually keeps the proxy private.
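The same lock-down written for Apache 2.4, where the <Proxy> container replaces Apache 1.3's <Directory proxy:*> and Require replaces Order/Deny/Allow. This is an added example, not configuration from the original page. Because everything arriving through stunnel appears to come from 127.0.0.1, only loopback is allowed, and Apache is also bound to loopback so the tunnel is the only way in; the LoadModule paths are assumptions that depend on the distribution.

```apache
# Bind the proxy to loopback only: the only route to it is through stunnel
Listen 127.0.0.1:80

# Module paths are assumed; adjust to your distribution's layout
LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_http_module    modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

# Act as a forward proxy for the browser
ProxyRequests On
# CONNECT (needed for https:// sites through the proxy) only to port 443
AllowCONNECT 443

# Apache 2.4: <Proxy *> replaces Apache 1.3's <Directory proxy:*>,
# and Require replaces Order/Deny/Allow. Only loopback, i.e. stunnel, may proxy.
<Proxy *>
    Require ip 127.0.0.1
</Proxy>

# Serve nothing else: ordinary (non-proxy) requests are refused
<Directory />
    Require all denied
</Directory>
```

If you still need the no-tunnel fallback the page mentions, add the address the home server actually sees, which for a desktop behind a corporate NAT is the work firewall's public address rather than the desktop's own 10.x address.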

End Result

Ta-da, you now have a transparent, encrypted path for browsing whatever you believe is proper for a work environment without your employer's eyes watching. What the firewall still sees is one long-lived connection from your desktop to 10.20.30.40 port 81, so it knows you talk to your home box, just not which sites you visit.

Of course, you can be more creative. Run stunnel NT to NT, terminating at the MS Proxy Server on the far side. Or run database queries from remote Unix boxes back to the central Oracle server over encrypted channels.

Question: Can't you do this with ssh too? Answer: Yes.

Copyright © 2001 Patrick Tudor