TL;DR

I thought I could put Squid in front of an SSH tunnel, but it can’t do that. Thankfully Polipo can do the trick.

Why?

I was quite happy when it was just spies that were allowed to spy on me (even if they might have been breaking the law by doing so), but I see no good reason (and much danger) in the likes of the Department of Work and Pensions being able to poke its nose into my browsing history. The full list of agencies empowered by the ‘snoopers charter‘ is truly horrifying.

PCs are easy

I’ve been using Firefox (with the FoxyProxy plugin) for a while to choose between various virtual private servers (VPSs) that I run. This lets me easily choose between exit points in the US or the Netherlands (and entry points on a virtual machine [VM] on my home network or a local SSH session when I’m on the road).

To keep the tunnels up on the home network VM I make use of autossh e.g.

/usr/lib/autossh/autossh -M 20001 -D 0.0.0.0:11111  [email protected]

I can then use an init script to run autossh within a screen session (gist):

### BEGIN INIT INFO
# Provides:   sshvps
# Required-Start: $local_fs $remote_fs
# Required-Stop:  $local_fs $remote_fs
# Should-Start:   $network
# Should-Stop:    $network
# Default-Start:  2 3 4 5
# Default-Stop:   0 1 6
# Short-Description:  Tunnel to VPS
# Description:    This runs a script continuously in screen.
### END INIT INFO

case "$1" in

  start)
        echo "Starting sshvps"
        su chris -c "screen -dmS sshvps /usr/lib/autossh/autossh -M 20001 -D 0.0.0.0:11111  [email protected]"
        ;;
  stop)
        echo "Stopping sshvps"
        PID=`ps -ef | grep autossh | grep 20001 | grep -v grep | awk '{print $2}'`
        kill -9 $PID
        ;;

  restart|force-reload)
        echo "Restarting sshvps"
        PID=`ps -ef | grep autossh | grep 20001 | grep -v grep | awk '{print $2}'`
        kill -9 $PID
        sleep 15
        su chris -c "screen -dmS /usr/lib/autossh/autossh -M 20001 -D 0.0.0.0:11111  [email protected]"
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart}" >&2
        exit 1
        ;;
esac
exit 0

That script lives in /etc/init.d on my Ubuntu VM. I haven’t yet migrated to systemd. With the VM running it provides a SOCKS proxy listening on port 11111 that I can connect to from any machine on my home network. So I can then put an entry into the Firefox FoxyProxy Plugin to connect to VM_IP:11111

Android isn’t so easy

It’s possible to define a proxy in Firefox on Android by going to about:config then searching for proxy and completing a few fields e.g.:

• network.proxy.socks VM_IP
• network.proxy.socks_port 11111
• network.proxy.type 2

That however will only work on a given network, in this case my home network.

I could (and sometimes will) use localhost as the SOCKS address and then use an SSH client such as ConnectBot, but that means starting SSH sessions before I can browse, which will get tiresome quickly.

Android does allow an HTTP proxy to be defined for WiFi connections, but it doesn’t work with SOCKS proxies – I needed a bridge from HTTP to SOCKS.

Not Squid

I’ve used Squid before, and in fact it was already installed on the VM I use for the tunnels. So I went searching for how to join Squid to an SSH tunnel.

It turns out that Squid doesn’t support SOCKS parent proxies, but this Ubuntu forum post not only clarified that, but also pointed me to the solution, another proxy called Polipo.

Polipo

Installing Polipo was very straightforward, as it’s a standard Ubuntu package:

sudo apt-get install -y polipo

I then needed to add a few lines to the /etc/polipo/config file to point to the SSH tunnel and listen on all ports:

socksParentProxy = "localhost:11111"
socksProxyType = socks5
proxyAddress = "0.0.0.0"

Polipo needs to be restarted to read in the new config:

sudo service polipo restart

Once that’s done I had an HTTP proxy listening on (the default) port 8123. All I had to do to use it was long press on my home WiFi connection in Android, tap ‘Modify Connection’ , tick ‘Show advanced options’ and input VM_IP as the ‘Proxy hostname’ and 8123 as ‘Proxy port’.

A quick Google of ‘my ip’ showed that my traffic was emerging from my VPS.

Yes, I know there are holes

DNS lookups will still be going to the usual place, in my case a pair of local DNS servers that forward to various public DNS resolvers (though not my ISP’s). If I was ultra paranoid I could tunnel my DNS traffic too.

When I’m using the tablet out and about on public WiFi and cellular networks I’ll not be proxying my traffic (unless I explicitly use an SSH tunnel).

Conclusion

Polipo provided the bridge I needed between Android’s ability to use WiFi specific HTTP proxies and the SSH tunnels I run out of a VM on my home network to various VPSs outside the UK. I don’t for a moment expect this to provide any protection from real spies, but it should prevent casual snooping, and will also guard against the inevitable ISP data protection failures.