How to Bypass Most Firewall Restrictions and Access the Internet Privately aka The Surf At Work Page

The objective is to encrypt your network traffic so it cannot be read as it passes over your employer’s or school’s network. To do this, we will:

  • Run an SSH server on your computer at home.
  • Use an SSH client on your computer at work to create a secure tunnel between your home and work computers.
  • Enable Dynamic Forwarding in the SSH client to simulate a SOCKS Proxy.
  • Configure Internet Explorer to use a SOCKS Proxy for network traffic instead of connecting directly.

After this is all set up, the process for browsing a website will be as follows. Internet Explorer at work connects to the SSH client running on your computer at work. The SSH client connects to the SSH server running on your computer at home. Internet Explorer will make requests for websites using the SOCKS protocol, which SSH will intercept and handle for you. Thus, the SSH server talks to the website and returns the web page to the SSH client. The SSH client returns the web page to Internet Explorer.

In essence, you are tricking Internet Explorer into thinking you have a proxy server running on your local machine, when in fact the proxy is running on your computer at home. Since all communication over your work network takes place through SSH, it can not be read. The SSH traffic CAN be seen or detected, but it will look like a garbled mess of letters and numbers. Other than being a little slower than usual, you shouldn’t notice any difference when surfing the web when using the secure method.

Some people who are familiar with SSH may be asking, “How can Internet Explorer talk to SSH?”. Well, SSH has a great little function called Connection Forwarding. You set up SSH to accept TCP connections on a port and forward them to a port on another computer. SSH takes ALL the network traffic on that port, wraps it in a secure package, and forwards it somewhere else. I refer to this as a “shunnel”; a secure tunnel.

The other trick to this setup is the Dynamic Port Forwarding. Newer versions of SSH can emulate a SOCKS proxy server. A SOCKS Proxy server is a server that acts like a “middleman.” It accepts requests from a client, and connects to the target server on your behalf. Take a look at these links on Webopedia for a little more information; SOCKS Proxy

Shunnel Graphic

This guide is written for a moderately skilled computer user. You MUST know how to install programs on your computer, how to navigate file systems, and how to edit configuration files. A knowledge of “how the Internet works”, like TCP, sockets, ports, HTTP, and other network protocols would be extremely helpful.
To use this method, you need the following;

  • A decent computer at home that you can leave connected to the Internet all day while you’re at work.
  • A fast Internet connection at home; usually cable or DSL. (Technically, this can work with a dialup modem connection, but it may cause problems and it’s really slow.)
  • Microsoft Windows NT, 2000, or XP installed on your computer at home and any flavor of Windows on your computer at work. You may be able to get this to work with 95, 98, or ME, but I can’t say for sure. You definitely can get this to work with Linux or Unix. I don’t know about Macintosh.

Alternatively, if you don’t meet the prereqs or don’t want to leave your computer on all day, you can try HTTP-Tunnel, a commercial alternative that lets you do everything here and more.

When won’t this work?
Please notice the title of this page starts “How To Bypass Most Firewall Restrictions…”. I say most because the method I describe here will not work for everyone, even if you meet the pre-requisites above. If any of the following are true for you, you probably can’t use this method successfully;

  • You can not access any external Internet websites; only internal websites or none at all.
  • You can access a few specific Internet websites, but no others at all.

If either of the 2 lines above apply to you, your network administrator is working hard because they are using a “pessimistic” blocking strategy. In other words, they have decided to block everything, and probably only allow specific access. The problem with that strategy however, is that it requires much more work and maintenance than using an “optimistic” strategy, in which they allow access to everything and block only certain “things”.

The method I describe on this page will not work with a pessimistic blocking strategy because it depends on being able to access your home computer from work. 9 times out of 10, if you can’t get to, you won’t be able to get to your home computer either. If for some reason you CAN access your home computer, then great, proceed. If not, you may want to talk to your network administrator. Ask them if they would punch a hole in the firewall so you can SSH to your computer at home. Or come up with some excuse to get access to 1 port on your home computer, then run the SSH server on that port.

Or… maybe you ARE the network administrator and are just curious about how this works. :)

Before we start installing and configuring software, you need to find out the following things;

  • Your home IP Address
  • Your work/school external IP Address

The easiest way to get your IP Addresses is to go to at home and at work. Write down the numbers.

We’re going to be using 2 fairly simple pieces of software; an SSH Server and an SSH Client.

There are a few flavors of SSH servers out there, but we’re going to be using OpenSSH because it’s free. The website for OpenSSH is . But wait! OpenSSH doesn’t run on Windows unfortunately… But there is a site that converted OpenSSH to run on Windows, which is what we want! .

Download OpenSSH for Windows from . The version I wrote this document using was 3.7.1p1-1. The latest version should work for you, plus it will have fewer security holes.

For the SSH Client I recommend using Putty. Putty is a small single executable SSH client with the ability to set up a tunnel. The newer versions also support Dynamic Forwarding, which is essential. It’s possible to use OpenSSH as your client as well as your server, but Putty is much easier to set up and use. Download putty.exe from .

Install the SSH Server
The OpenSSH installer comes in a zip file. Unzip the file, then run setupssh.exe. Choose to install both the Client and the Server. It will ask you to install into C:\Program Files\OpenSSH. If you choose to install into a different location, that’s fine, but be aware I will use the above path in this document.
Configure Windows
OpenSSH for Windows uses Windows’ user database for login authentication. That means you must have a User name and Password set up to login to your home computer. If you don’t, you have 2 choices. 1, set a password on your Windows account, or 2, create a new local account that you will use to login from SSH. I know a lot of people out there don’t use logins or passwords on their home computer, but if you’re using NT, 2000, or XP, the functionality is there, even if you don’t use it.

There are many different flavors of Windows, with different methods of creating a local user. There’s no way I can cover all of them, but here are a few examples;

To create a new account on your home machine (Windows XP):

  • Start Menu, open Control Panel, then User Accounts.
  • Click Advanced tab, then the Advanced button.
  • Highlight Users, then click Actions, then New User.
  • Enter a User name, and a Password twice. I recommend you use a User name and Password that is different than anything you have ever used at work. Obviously, your employer probably knows your password, so there’s no security if you use the same password at home.
  • Deselect User must change password at next logon.
  • Check Password never expires.
  • Click Create.
  • Close the windows, close Control Panel.

You should now have a new local Windows user on your home machine. Remember the Login name and password for later.

Configure the SSH Server
We want to configure your SSH server to allow access using User name and Passwords, and to listen on port 443 instead of port 22.

Why port 443 instead of port 22? In most cases your employer will block almost all outgoing network ports except for port 80 and port 443, which are the 2 ports that webservers run on. I used to tell people to run SSH on port 80 because that’s the standard webserver port, but now I recommend you run it on 443. Port 443 is used for encrypted websites, which is what your shunnel traffic will look like as it passes through the firewall. If you have trouble on port 443, try it on port 80 instead. If neither works, you’re probably out of luck.
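
For the network administrator reading along: SSH moved to port 443 shares the port number with HTTPS but not the way the connection opens. Both SSH endpoints send a cleartext identification string beginning with "SSH-" before encryption starts (RFC 4253, section 4.2), while a TLS session opens with a handshake record (0x16 0x03 ...). The following Python is an added example, not part of the original guide; the Flow record, the function names and the sample flows are constructed for illustration and assume a sensor that records the first payload bytes of each flow.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # opening payload bytes captured by the sensor (assumed)


def classify(payload: bytes) -> str:
    """Return 'tls', 'ssh' or 'unknown' for the opening bytes of a stream."""
    # TLS record header: content type 0x16 (handshake), then major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    # RFC 4253 section 4.2: the identification string starts with "SSH-" and is
    # sent in cleartext; a server may send other lines before it.
    for line in payload.split(b"\n")[:8]:
        if line.startswith(b"SSH-"):
            return "ssh"
    return "unknown"


def non_tls_on_443(flows):
    """Return (flow, label) pairs for port-443 flows that do not open with TLS."""
    hits = []
    for flow in flows:
        if flow.dport != 443:
            continue
        label = classify(flow.first_bytes)
        if label != "tls":
            hits.append((flow, label))
    return hits


# Constructed sample flows using documentation addresses, not real captures.
SAMPLE_FLOWS = [
    Flow("10.0.0.21", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    Flow("10.0.0.37", "198.51.100.7", 443, b"SSH-2.0-PuTTY_Release_0.60\r\n"),
    Flow("198.51.100.7", "10.0.0.37", 443, b"welcome\r\nSSH-2.0-OpenSSH_3.7.1p1\r\n"),
    Flow("10.0.0.40", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for flow, label in non_tls_on_443(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} opens with {label}, not TLS")
```
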

Open Windows Explorer, navigate to C:\Program Files\OpenSSH\etc. Open the file sshd_config using Wordpad. (That’s sshd_config not ssh_config!)

Change the line

#Port 22

to

Port 443

Save the file.

Now open a command prompt. Change to C:\Program Files\OpenSSH\bin. We are going to create a user and group database from your Windows user database. Type the following;

mkgroup -l > ..\etc\group


mkpasswd -l > ..\etc\passwd

These 2 commands will create group and password files at C:\Program Files\OpenSSH\etc

Starting/Stopping the SSH Server
On your home computer, open a command prompt. To start your SSH server, type the following:

net start opensshd

To stop your SSH server, type the following:

net stop opensshd

To make it easy, you can create a .bat file that will run this command. If you make a shortcut to the .bat file in your Windows Startup program group, then when you turn on your home computer in the morning, the servers will start up automatically, and be ready for you when you get to work.

If you have a wired or wireless router at home (Linksys, D-Link, Netgear, etc)
Some routers call it port forwarding and others call it virtual servers, but the setup is very similar no matter what brand you use. You will need to configure your router to route port 443 to the computer where you’re running the SSH server. I’m not going to go into details, but there is usually a browser based interface directly to the router, which will have a page to set up virtual servers. Configure it to forward port 443 to your SSH server computer, port 443.
Setup Putty at Work/School
Copy putty.exe to somewhere on your hard drive at work. c:\ will do fine, or anywhere else you want. Your desktop is convenient but kind of obvious. If you don’t have permissions to write files to your hard drive, just copy putty.exe and shunnel.bat to a floppy disk or burn them onto a CD. Take the disk to work and run Putty from the appropriate drive.

Open Notepad and copy the following into it, change the bold part where necessary;

putty -D 8080 -P 443 -ssh homeIP

  • homeIP should be the IP address of your home machine that you wrote down in the Addresses section above.

Save the file as shunnel.bat in the same directory that you saved putty.exe.

Note for advanced users: If your computer at work is already configured to use a proxy server, you need to configure Putty a little differently, but this may still work.

Open Putty in graphical mode, input your connection settings, and also copy the proxy settings from Internet Explorer to Putty’s proxy configuration screen. Putty should now create a secure tunnel through the proxy at work to your computer at home… pretty neat trick.

Create your tunnel
At work, simply double click shunnel.bat to initiate the shunnel. A Putty window will pop up asking for a login name and password. Type the user name and password you created above on the Windows account. If it works, you will be presented with a DOS prompt waiting for a command. This is actually a command prompt to your HOME machine. You can use it if you want, but as long as this command prompt is open, your tunnel is alive. To close the tunnel, type exit or close the window.
For Advanced Users
If you are very familiar with SSH and know what you are doing, you can set this up so you don’t have to enter a password each time you create the shunnel. You have to install OpenSSH as your SSH client and then set up key based authentication by creating a public and private key on your work computer. Install the public key on the SSH server on your home computer. Thanks to Robert W. for this suggestion. I may go into more detail on how to set this up in the future.
Configure Internet Explorer
Now we have to configure Internet Explorer at work to use a SOCKS proxy server.

First, at school/work, go to . Write down the number. This is your IP address WITHOUT your shunnel enabled.

In Internet Explorer;

  • Open the Tools menu, then click Internet Options.
  • Click the Connections tab, then click LAN Settings.
  • Check “Use a proxy server …”, then click the Advanced button.
  • If “Use the same proxy for all protocols” is checked, uncheck it.
  • Delete anything from the “Proxy address to use” and “Port” boxes.
  • On the Socks line, enter “” for the address, and “8080” for the Port.
  • Click OK a couple times, then close Internet Explorer and restart it.

Proxy Settings Graphic

First go to again. If everything worked correctly, the page should have changed to show your HOME IP address, NOT your work IP address. If it shows your home IP Address, congratulations, you’re surfing the web securely and privately from work.

If your intent is to access MySpace, and MySpace was blocked before, try it now.

Configuring other applications to use the private connection
Most applications that access the Internet can be configured to use the shunnel. For it to work, they have to support a SOCKS 4 or SOCKS 5 proxy connection. Instant messaging programs like AIM, ICQ, Yahoo IM, and mIRC all support this.

Setup is different for each application, but the settings will be the same. You want to configure the application to use a SOCKS 4 or SOCKS 5 proxy server, Host should be, and Port should be 8080.

Protect yourself from someone looking over your shoulder
Here’s a great application that fits in perfectly with the theme of this page. It’s called Ghostzilla. The idea is that you want to surf the web, but have it look like you are doing normal work to people walking by your computer. Ghostzilla is a browser that hides itself in your normal work applications, like Excel, or Word, or Visual Studio… anything. With a swish of the mouse, Ghostzilla pops up and you can surf the web. If you see someone coming, simply move the mouse away, and it disappears, leaving no trace. Plus, you can easily configure it to use the shunnel as described here, for total privacy!
A Simpler Solution
Buzzsurf has teamed up with HTTP-Tunnel Corp to encourage users to try the HTTP-Tunnel Client as a simpler alternative to the procedure described here. Using HTTP-Tunnel, you don’t need a computer at home to leave turned on all day. And you don’t need to know how to install SSH or Putty. All the network communication is encrypted and sent over standard webserver ports, just like I describe, so it offers just as much protection without the hassle. Try it for free at

Copyright 2002-2008 – All rights reserved.
Please do not repost or retransmit the content of this page.
You are welcome and encouraged to link to the page.




4 responses to this post.

  3. Posted by Rio on October 27, 2010 at 9:35 am

    Hi, I have a few questions.
    1. For tunneling, why do so many people rent/choose a VPS plan rather than a web hosting plan? Is it because a VPS’s specs are set up for heavy internet traffic (especially downloads), or because a web host doesn’t give you root access as freely as a VPS does?
    2. Do web hosts generally allow you to just “piggyback” on their internet access, so that the only purpose of renting is tunneling?
    3. Is there a difference in internet traffic speed if we choose a web host rather than a VPS at the same hosting company? (For example, if that ISP rents out both web hosting and VPS, which should we choose as far as internet speed through the tunnel is concerned?)


