Update: 4/23/20 – if Squid 4.11 chokes with http_port 1.2.3.4:listening_port and /etc/rc.conf is configured for DHCP, modify it to http_port listening_port and the reverse tunnel should work again.
***
Update: 4/10/20 – just a quick note that using “localhost” with these reverse tunnels will not work if SSHD, Squid or some other service is configured to listen on a specific IP address. Use the format “-R local_port:1.2.3.4:remote_port” where 1.2.3.4 is the correct and actual IP address.
There have been countless articles written about these subjects. Regardless, I want to share my own experience.
***
- Install VirtualBox for Windows 10
- Install FreeBSD as a Guest OS
- Install & configure Squid
- Configure VirtualBox to run FreeBSD headless
Once that is up and running, get a solid VPS from Vultr, install FreeBSD as guest OS and use it as a jump host.
The basic idea is to create a reverse SSH tunnel (the -R 4040:localhost:5050 option in the command below) from the machine that runs VirtualBox/FreeBSD (sitting behind NAT) to your Vultr/FreeBSD VPS. The reason is that there’s no way to SSH (forward tunnel) into the VirtualBox/FreeBSD endpoint directly.
Don’t forget to set up key-based authentication with no passphrase between the two endpoints.
Here’s the full command:
/usr/bin/ssh -i /path/to/sshkey -N -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 2020:localhost:3030 -R 4040:localhost:5050 username@1.2.3.4 -p 5678
Let’s break it down:
- 2020 is a port (Vultr/FreeBSD) that will forward requests to port 3030 of Squid (VirtualBox/FreeBSD)
- 4040 is a port (Vultr/FreeBSD) that will forward requests to port 5050 of SSHD (VirtualBox/FreeBSD)
- 1.2.3.4 is the IP address and 5678 is the SSHD listening port (Vultr/FreeBSD)
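As an added example (not the post’s own script), here is a small POSIX sh wrapper for the NAT side that assembles the exact command above from named variables and restarts ssh whenever it exits, which it will do as soon as ExitOnForwardFailure or the ServerAlive options notice a problem. The key path, user name and 1.2.3.4 are the post’s placeholders; the `START_TUNNEL` variable, the `forward_spec`/`tunnel_cmd`/`run_tunnel` names and the 30-second retry delay are my own choices.

```shell
#!/bin/sh
# reverse-tunnel.sh: keep the reverse SSH tunnel from the VirtualBox/FreeBSD
# guest (behind NAT) to the Vultr/FreeBSD VPS alive. Added example; the
# values below are placeholders taken from the post, not a real deployment.

SSH_KEY="/path/to/sshkey"   # key-based auth, no passphrase (see post)
VPS_USER="username"
VPS_ADDR="1.2.3.4"          # VPS public IP (placeholder)
VPS_SSH_PORT="5678"         # sshd listening port on the VPS
# Address the local services are bound to. Per the 4/10/20 update use the
# real IP instead of "localhost" when Squid or sshd listen on a specific
# address; "localhost" is fine when they listen on all interfaces.
LOCAL_BIND="localhost"
SQUID_PORT="3030"           # local Squid http_port
SSHD_PORT="5050"            # local sshd port

# Print one -R specification: remote_port:bind_host:local_port
forward_spec() {
    printf '%s %s:%s:%s' '-R' "$1" "$2" "$3"
}

# Assemble the full ssh command line exactly as the post describes it.
# $1 = VPS port for the Squid forward, $2 = VPS port for the sshd forward.
tunnel_cmd() {
    printf '/usr/bin/ssh -i %s -N -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes %s %s %s@%s -p %s' \
        "$SSH_KEY" \
        "$(forward_spec "$1" "$LOCAL_BIND" "$SQUID_PORT")" \
        "$(forward_spec "$2" "$LOCAL_BIND" "$SSHD_PORT")" \
        "$VPS_USER" "$VPS_ADDR" "$VPS_SSH_PORT"
}

# Supervisor loop: ssh exits when the remote ports are already taken
# (ExitOnForwardFailure) or when keepalives fail (ServerAlive*), so re-run
# it after a short pause instead of leaving the VPS without a path back.
run_tunnel() {
    while :; do
        eval "$(tunnel_cmd 2020 4040)"
        echo "tunnel exited with status $?; retrying in 30s" >&2
        sleep 30
    done
}

# Only dial out when explicitly asked, so the file can be sourced and the
# generated command inspected first.
if [ "${START_TUNNEL:-no}" = "yes" ]; then
    run_tunnel
fi
```

Run `sh reverse-tunnel.sh` to load the functions and `tunnel_cmd 2020 4040` to see the command; `START_TUNNEL=yes sh reverse-tunnel.sh` from an rc script or cron’s @reboot starts the loop. The autossh package does the same restart job if you prefer a packaged tool.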
When the local Squid instance running under Vultr/FreeBSD is used as an HTTP forwarding proxy, by default you’ll be seen by web sites under the IP/hostname you’ve assigned it to. The fun part is that you can configure it to forward proxy requests through the reverse SSH tunnel (the -R 2020:localhost:3030 option) to the VirtualBox/FreeBSD/Squid endpoint using a child <-> parent relationship. As a result, your web browsing sessions will be seen by web sites under the public (internet facing) IP/hostname of the VirtualBox/FreeBSD/Squid endpoint.
cache_peer 127.0.0.1 parent squid_port 0 no-query no-digest
never_direct allow all
The two lines above go into the Squid configuration file on your Vultr/FreeBSD VPS. “squid_port” must be the port at which the VPS Squid reaches the other Squid: with the tunnel above that is port 2020 on 127.0.0.1, which ssh forwards to port 3030, the port the VirtualBox/FreeBSD Squid is configured to listen on (Squid’s default is 3128).
In this example the cache_peer line is added on Vultr/FreeBSD, so in Squid’s terms that Squid is the child and the VirtualBox/FreeBSD Squid is the parent. Both endpoints MUST have Squid running and listening. Don’t forget to apply the usual lock-down.
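Added example, not the post’s configuration files: a sh script that writes the child (Vultr/FreeBSD) and parent (VirtualBox/FreeBSD) squid.conf fragments for the ports used above and checks that the child side carries the cache_peer and never_direct lines before you restart Squid. The port numbers are the post’s; the function names, the loopback-only http_port on the child, and the forwarded_for/via settings on the parent are my additions.

```shell
#!/bin/sh
# squid-pair.sh: generate and sanity-check the two squid.conf fragments for
# the child/parent setup in the post. Added example; adjust to your setup.

# Child side: Squid on the Vultr/FreeBSD VPS. Everything it receives goes to
# the parent through the reverse tunnel that ssh has bound on 127.0.0.1:2020.
write_child_conf() {
    cat > "$1" <<'EOF'
# Listen on loopback only (assumption); reach it over a -L forward on the VPS.
http_port 127.0.0.1:3128
# Parent = the VirtualBox/FreeBSD Squid, reachable through the -R tunnel.
# Format: cache_peer host type http-port icp-port [options]
cache_peer 127.0.0.1 parent 2020 0 no-query no-digest
# Never fetch directly: if the tunnel is down, requests fail instead of
# silently leaving from the VPS address.
never_direct allow all
# Lock-down: local clients only (localhost is a built-in ACL since Squid 3.2).
http_access allow localhost
http_access deny all
EOF
}

# Parent side: Squid on the VirtualBox/FreeBSD guest. Tunnel traffic arrives
# from the local sshd, i.e. from 127.0.0.1, so loopback is all it must allow.
write_parent_conf() {
    cat > "$1" <<'EOF'
# Plain port with no IP, per the 4/23/20 update for Squid 4.11 with DHCP.
http_port 3030
http_access allow localhost
http_access deny all
# Don't tell origin servers who asked: strip X-Forwarded-For and Via, or the
# VPS address still shows up in the headers sent upstream.
forwarded_for delete
via off
EOF
}

# Sanity check for the child config: both directives the post requires must
# be present, the peer port must match the tunnel's VPS-side port, and the
# lock-down must end with a deny.
check_child_conf() {
    grep -q '^cache_peer 127\.0\.0\.1 parent 2020 0 no-query no-digest' "$1" || return 1
    grep -q '^never_direct allow all' "$1" || return 1
    grep -q '^http_access deny all' "$1" || return 1
    return 0
}

# Usage: sh squid-pair.sh /some/output/dir
if [ -n "$1" ]; then
    mkdir -p "$1"
    write_child_conf "$1/squid.conf.child"
    write_parent_conf "$1/squid.conf.parent"
    check_child_conf "$1/squid.conf.child" && echo "child config OK"
fi
```

Merge each fragment into the respective squid.conf and run `squid -k parse` on both hosts before reloading; with `never_direct allow all` a broken tunnel shows up as proxy errors rather than as traffic quietly leaving from the VPS.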