VirtualBox, FreeBSD, Squid & Reverse SSH Tunnels

Update: 4/23/20 – if Squid 4.11 chokes on http_port 1.2.3.4:listening_port and /etc/rc.conf is configured for DHCP, change it to http_port listening_port (port only, no address) and the reverse tunnel should work again.

***

Update: 4/10/20 – just a quick note that using “localhost” with these reverse tunnels will not work if SSHD, Squid or some other service is configured to listen on a specific IP address. Use the format “-R local_port:1.2.3.4:remote_port”, where 1.2.3.4 is the correct and actual IP address the service is bound to.

There have been countless articles written about these subjects. Regardless, I want to share my own experience.

***

  1. Install VirtualBox for Windows 10
  2. Install FreeBSD as a Guest OS
  3. Install & configure Squid
  4. Configure VirtualBox to run FreeBSD headless

Once that is up and running, get a solid VPS from Vultr, install FreeBSD on it as the guest OS and use it as a jump host.

The basic idea is to create a reverse SSH tunnel (the -R option) from the machine that runs VirtualBox/FreeBSD (sitting behind NAT) to your Vultr/FreeBSD VPS. The reason is that there’s no way to SSH (forward tunnel) into the VirtualBox/FreeBSD endpoint directly, since nothing behind the NAT is reachable from the outside.

Don’t forget to set up key-based authentication with no passphrase between the two endpoints, since the tunnel has to come up unattended.

Here’s the full command:

/usr/bin/ssh -i /path/to/sshkey -N -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 2020:localhost:3030 -R 4040:localhost:5050 username@1.2.3.4 -p 5678

Let’s break it down:

2020 is a listening port on Vultr/FreeBSD that forwards requests back through the tunnel to port 3030, where Squid listens on VirtualBox/FreeBSD.

4040 is a listening port on Vultr/FreeBSD that forwards requests back through the tunnel to port 5050, where SSHD listens on VirtualBox/FreeBSD.

1.2.3.4 is the IP address and 5678 is the SSHD listening port of Vultr/FreeBSD. -N opens no shell, the ServerAlive options drop a dead connection after three missed keepalives, and ExitOnForwardFailure makes ssh exit (so it can be restarted) instead of staying connected without its listeners.
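The following is an added example (not from the original post) that wraps the command above in a small FreeBSD-side script: it assembles the ssh command line from variables, checks that the local services are actually listening before connecting, restarts the tunnel with backoff when it drops, and prints the authorized_keys entry for the VPS that confines the passphrase-less key to opening exactly those two reverse listeners. The key path, user name, address and ports are the post’s placeholders; `LOCAL_BIND` defaults to 127.0.0.1 rather than “localhost” for the reason given in the 4/10 update, and permitlisten requires OpenSSH 7.8 or newer on the VPS.

```sh
#!/bin/sh
# Added example, not from the original post: assemble, restrict and supervise
# the reverse tunnel from the VirtualBox/FreeBSD guest to the Vultr VPS.
# All values below are placeholders; override them in the environment.

SSH_KEY="${SSH_KEY:-/path/to/sshkey}"       # placeholder key path
VPS_USER="${VPS_USER:-username}"            # placeholder user on the VPS
VPS_HOST="${VPS_HOST:-1.2.3.4}"             # placeholder VPS address
VPS_SSH_PORT="${VPS_SSH_PORT:-5678}"        # sshd port on the VPS
# Address the local Squid/sshd actually bind to. "localhost" fails when a
# service is bound to a specific interface address (4/10 update).
LOCAL_BIND="${LOCAL_BIND:-127.0.0.1}"

# build_tunnel_cmd remote_port:local_port [remote_port:local_port ...]
# Prints the ssh command line; refuses port specs that are not plain integers.
build_tunnel_cmd() {
    cmd="/usr/bin/ssh -i $SSH_KEY -N -o ServerAliveInterval=60"
    cmd="$cmd -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes"
    for pair in "$@"; do
        remote_port="${pair%%:*}"
        local_port="${pair##*:}"
        case "${remote_port}:${local_port}" in
            *[!0-9:]*|:*|*:) echo "bad port spec: $pair" >&2; return 1 ;;
        esac
        cmd="$cmd -R ${remote_port}:${LOCAL_BIND}:${local_port}"
    done
    printf '%s\n' "$cmd ${VPS_USER}@${VPS_HOST} -p ${VPS_SSH_PORT}"
}

# authorized_keys_line "<public key>" remote_port [remote_port ...]
# Prints the VPS-side authorized_keys entry: no shell, no pty, no agent or
# X11 forwarding, and only these reverse listeners may be opened.
authorized_keys_line() {
    pubkey="$1"; shift
    opts="restrict,port-forwarding"
    for p in "$@"; do
        opts="$opts,permitlisten=\"$p\""
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# local_service_listening port: true when something listens on LOCAL_BIND:port
# or on all addresses (FreeBSD sockstat; column 6 is the local address).
local_service_listening() {
    sockstat -4 -l 2>/dev/null | awk -v want="${LOCAL_BIND}:$1" -v any="*:$1" \
        '$6 == want || $6 == any { found = 1 } END { exit !found }'
}

# run_tunnel remote_port:local_port ...: keep the tunnel up. ExitOnForwardFailure
# makes ssh exit if a VPS-side port is already taken, so the loop just retries.
run_tunnel() {
    for pair in "$@"; do
        local_service_listening "${pair##*:}" || \
            echo "warning: nothing listens on ${LOCAL_BIND}:${pair##*:} yet" >&2
    done
    delay=5
    while :; do
        sh -c "$(build_tunnel_cmd "$@")"
        echo "tunnel exited (status $?), retrying in ${delay}s" >&2
        sleep "$delay"
        if [ "$delay" -lt 60 ]; then delay=$((delay * 2)); fi
    done
}

# Invoke as "sh reverse-tunnel.sh run" to start the post's two forwards.
if [ "${1:-}" = "run" ]; then
    run_tunnel 2020:3030 4040:5050
fi
```

Run `authorized_keys_line "$(cat /path/to/sshkey.pub)" 2020 4040` once on the guest and paste the output into the VPS user’s authorized_keys; if the key is ever copied off the guest, the most it can do on the VPS is open those two ports.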

When the Squid instance running on Vultr/FreeBSD is used as an HTTP forwarding proxy, by default web sites will see you under the VPS’s own IP/hostname. The fun part is that you can configure it to forward proxy requests through the reverse SSH tunnel (the -R option that maps to Squid’s port) to the VirtualBox/FreeBSD/Squid endpoint using a child <-> parent relationship. As a result, your web browsing sessions will be seen by web sites under the public (internet facing) IP/hostname of the VirtualBox/FreeBSD/Squid endpoint.

cache_peer 127.0.0.1 parent squid_port 0 no-query no-digest
never_direct allow all

The lines above must be added to the Squid configuration file on your Vultr/FreeBSD VPS. “squid_port” must reflect the actual port at which Squid is reached through the reverse tunnel: in the command above that is the tunnel’s VPS-side listening port 2020, which forwards to the remote Squid on 3030 (Squid’s default listening port is 3128). never_direct allow all forces every request through the peer instead of letting the VPS Squid go direct.

In my example, the parent Squid is on Vultr/FreeBSD, the child Squid is on VirtualBox/FreeBSD. Both endpoints MUST have Squid running and listening. Don’t forget to lock both down as usual: restrict which clients may use each proxy with http_access rules and keep the listening ports off the public interface where possible.
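As an added example (not from the original post), the script below renders the VPS-side squid.conf for this setup with the lock-down applied: only an allowed client range may use the proxy, the usual Safe_ports/CONNECT rules apply, every request goes to the peer at the tunnel port, and the headers that would reveal the VPS or the browser’s address are stripped. It refuses a configuration whose listen port equals the tunnel port, which would make the VPS Squid peer with itself. The ports are the post’s example values; the client range, output path and the URL used by the verification step are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: render and check the VPS-side
# Squid configuration for the parent/child chain over the reverse tunnel.

# render_vps_squid_conf listen_port tunnel_port [client_cidr]
#   listen_port: where this Squid accepts the browser (bare port, per the 4/23 update)
#   tunnel_port: VPS-side port of the -R forward that reaches the remote Squid
#   client_cidr: who may use the proxy (assumed default: only local clients)
render_vps_squid_conf() {
    listen_port="$1"; tunnel_port="$2"; client_cidr="${3:-127.0.0.1/32}"
    if [ "$listen_port" = "$tunnel_port" ]; then
        echo "listen port and tunnel port must differ, or Squid peers with itself" >&2
        return 1
    fi
    cat <<EOF
http_port ${listen_port}
# Only the allowed client range may use this proxy at all.
acl allowed_clients src ${client_cidr}
acl SSL_ports port 443
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allowed_clients
http_access deny all
# Send every request to the Squid behind NAT via the reverse SSH tunnel.
cache_peer 127.0.0.1 parent ${tunnel_port} 0 no-query no-digest
never_direct allow all
# Do not announce the VPS or the browser's address to the far end.
forwarded_for delete
via off
EOF
}

# write_and_parse path listen_port tunnel_port [client_cidr]
# Writes the file and, when squid is installed, asks it to parse the result.
write_and_parse() {
    out="$1"; shift
    render_vps_squid_conf "$@" > "$out" || return 1
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$out"
    else
        echo "squid not found; skipped parse check of $out" >&2
    fi
}

# verify_exit_ip listen_port expected_ip url
# Fetches url through the VPS Squid and checks the address the site reports
# matches the NAT endpoint's public IP; url must return just the caller's IP.
verify_exit_ip() {
    seen=$(curl -s -x "http://127.0.0.1:$1" "$3") || return 1
    [ "$seen" = "$2" ]
}

# Example invocation (path, client range and URL are placeholders):
#   write_and_parse /usr/local/etc/squid/squid.conf 3128 2020 192.0.2.0/24
#   verify_exit_ip 3128 203.0.113.7 https://ip-echo.example/
```

The `http_access deny all` before `cache_peer` matters: a proxy reachable on the VPS with `never_direct allow all` would otherwise relay anyone’s traffic out through your home connection.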