Offshoring my Android tablet traffic



I thought I could put Squid in front of an SSH tunnel, but it can’t do that. Thankfully Polipo can do the trick.


I was quite happy when it was just spies that were allowed to spy on me (even if they might have been breaking the law by doing so), but I see no good reason (and much danger) in the likes of the Department of Work and Pensions being able to poke its nose into my browsing history. The full list of agencies empowered by the ‘snoopers charter‘ is truly horrifying.

PCs are easy

I’ve been using Firefox (with the FoxyProxy plugin) for a while to choose between various virtual private servers (VPSs) that I run. This lets me easily choose between exit points in the US or the Netherlands (and entry points on a virtual machine [VM] on my home network or a local SSH session when I’m on the road).

To keep the tunnels up on the home network VM I make use of autossh e.g.

/usr/lib/autossh/autossh -M 20001 -D  [email protected]

I can then use an init script to run autossh within a screen session (gist):

# Provides:   sshvps
# Required-Start: $local_fs $remote_fs
# Required-Stop:  $local_fs $remote_fs
# Should-Start:   $network
# Should-Stop:    $network
# Default-Start:  2 3 4 5
# Default-Stop:   0 1 6
# Short-Description:  Tunnel to VPS
# Description:    This runs a script continuously in screen.

case "$1" in

        echo "Starting sshvps"
        su chris -c "screen -dmS sshvps /usr/lib/autossh/autossh -M 20001 -D  [email protected]"
        echo "Stopping sshvps"
        PID=`ps -ef | grep autossh | grep 20001 | grep -v grep | awk '{print $2}'`
        kill -9 $PID

        echo "Restarting sshvps"
        PID=`ps -ef | grep autossh | grep 20001 | grep -v grep | awk '{print $2}'`
        kill -9 $PID
        sleep 15
        su chris -c "screen -dmS /usr/lib/autossh/autossh -M 20001 -D  [email protected]"
        echo "Usage: $N {start|stop|restart}" >&2
        exit 1
exit 0

That script lives in /etc/init.d on my Ubuntu VM. I haven’t yet migrated to systemd. With the VM running it provides a SOCKS proxy listening on port 11111 that I can connect to from any machine on my home network. So I can then put an entry into the Firefox FoxyProxy Plugin to connect to VM_IP:11111

Android isn’t so easy

It’s possible to define a proxy in Firefox on Android by going to about:config then searching for proxy and completing a few fields e.g.:

  • network.proxy.socks VM_IP
  • network.proxy.socks_port 11111
  • network.proxy.type 2

That however will only work on a given network, in this case my home network.

I could (and sometimes will) use localhost as the SOCKS address and then use an SSH client such as ConnectBot, but that means starting SSH sessions before I can browse, which will get tiresome quickly.

Android does allow an HTTP proxy to be defined for WiFi connections, but it doesn’t work with SOCKS proxies – I needed a bridge from HTTP to SOCKS.

Not Squid

I’ve used Squid before, and in fact it was already installed on the VM I use for the tunnels. So I went searching for how to join Squid to an SSH tunnel.

It turns out that Squid doesn’t support SOCKS parent proxies, but this Ubuntu forum post not only clarified that, but also pointed me to the solution, another proxy called Polipo.


Installing Polipo was very straightforward, as it’s a standard Ubuntu package:

sudo apt-get install -y polipo

I then needed to add a few lines to the /etc/polipo/config file to point to the SSH tunnel and listen on all ports:

socksParentProxy = "localhost:11111"
socksProxyType = socks5
proxyAddress = ""

Polipo needs to be restarted to read in the new config:

sudo service polipo restart

Once that’s done I had an HTTP proxy listening on (the default) port 8123. All I had to do to use it was long press on my home WiFi connection in Android, tap ‘Modify Connection’ , tick ‘Show advanced options’ and input VM_IP as the ‘Proxy hostname’ and 8123 as ‘Proxy port’.

A quick Google of ‘my ip’ showed that my traffic was emerging from my VPS.

Yes, I know there are holes

DNS lookups will still be going to the usual place, in my case a pair of local DNS servers that forward to various public DNS resolvers (though not my ISP’s). If I was ultra paranoid I could tunnel my DNS traffic too.

When I’m using the tablet out and about on public WiFi and cellular networks I’ll not be proxying my traffic (unless I explicitly use an SSH tunnel).


Polipo provided the bridge I needed between Android’s ability to use WiFi specific HTTP proxies and the SSH tunnels I run out of a VM on my home network to various VPSs outside the UK. I don’t for a moment expect this to provide any protection from real spies, but it should prevent casual snooping, and will also guard against the inevitable ISP data protection failures.

2 Responses to “Offshoring my Android tablet traffic”

  1. So I’m curious after reading about your dns/proxy setup at home. I have a N36L Microserver doing nothing, I also have a Synology DS213j that can run dns and other services, but it’s pretty underpowered for anything other than storage acitivites (useful for iSCSI/NFS shares with ESXi)

    You talk about routing traffic thru firefox proxy plugin via AWS VMs (or other provider)…..
    is that mainly generic browsing traffic?
    How do you stop android, or xbox or TV from downloading GBs of app updates?

    I’d not had a use case to run long term VPS but with IPA (I wrote to my MP about that and Jack Straws rubbish RIPA to no avail) and the Food Standards Agency able to get a copy of my history it is concerning.

    I just wondered what the cost is and if there are any ways of automatically routing certain traffic or even mime types so that only html pages go via the external proxies. I know from AWS Associate that they will charge you $0.01 for a 1kb file on an s3 bucket so traffic in/out of a VPS, plus the constant running of it would rack up…..but reading your blog post I don’t have to guess…follow the data….could you share example bills?

    • The difference between the cost of VPS bandwidth and AWS (or any other cloud) is pretty ridiculous, which is why I wrote ‘Cloud Price Wars – What about the network?‘ a few years back. Of course since then AWS has become a VPS provider with Lightsail, so you can get cheap bandwidth there, but there are plenty of other Low End Box providers that will rent a VPS with a monthly transfer limit in the TB for a few $/month.

      Running SSH tunnels (or OpenVPN or IPsec connections) isn’t very taxing at either end, so it’s something that can easily be run on a small VM (e.g. on your N36L), a NAS (even with the pathetic RAM on the j series boxes) or a Linux router (I’ve bought a couple of GL-MT300Ns recently and they’re very cheap and very flexible). The bottleneck will almost certainly be your DSL/Cable connection rather than the CPU load of the tunnel.

      There are a few ways to play the connectivity selection game – I tend to use a browser plugin that lets me pick from multiple proxies (to various VPSs in different places), but it’s also possible to have WiFi SSIDs that front different VPNs emerging wherever. So I could have Home-Regular and Home-US and Home-NL and choose networks based on where I want to appear to come from. An advantage of cheap VPSs here is that their IP blocks don’t tend to be on VPN filter lists for streaming services etc. (this can be a reason not to use AWS, as their IP blocks are well known). Regardless of which exit point you choose it doesn’t really matter if an app or device devices to download some GB of updates if your VPS offers TB of transfer.

      Hard data:
      My US VPS from Chicago VPS is $30/yr for a 2GB RAM OpenVZ w 20GB SSD and 2TB transfer
      My NL VPS from Hostslim is €34/yr for a 1GB RAM OpenVZ w 100GB HDD and 1TB transfer

      Of course you can host lots of other projects on a VPS – they’re not just tunnel exit points.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: