Bypassing a Corporate Proxy

Quite a few organisations seems to find this thing called “Internet” a scary thing that employees can only be given access to by grace of the mighty network administrators. As a consultant I have worked for a few of those organisations and felt the frustration when a blog is blocked or network traffic is so slow that you’d guess that it’s manually monitored before accepted. I would personally never try to bypass these controls of course, but hypothetically one could do like the following.

You would need a proxy of your own somewhere on the internet that you can access from the corporate network to act as a relay to the free unrestricted internet. It could be a virtual machine running in a cloud service, or a computer you have at home. For this post I’m going to assume a Mac Mini at home running Tinyproxy.

Setting up your relay

For installing applications apart from those in App Store I prefer Homebrew.

brew install tinyproxy

Since I want this service to run at all times independent of which user is logged in, a .plist file should be added to the /Library/LaunchAgents folder. This could be done with brew services, but for some reason that didn’t work for me. Running sudo brew services start tinyproxy just created an empty file for me, /Library/LaunchDaemons/homebrew.mxcl.tinyproxy.plist. So I added the contents myself, ending up with this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC -//Apple Computer//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>homebrew.mxcl.tinyproxy.plist</string>
  <key>ProgramArguments</key>
  <array>
       <string>/usr/local/opt/tinyproxy/sbin/tinyproxy</string>
       <string>-c</string>
       <string>/usr/local/opt/tinyproxy/etc/tinyproxy.conf</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>

I leave the config file for tinyproxy pretty much untouched, running at port 8888. I connect to it locally to verify that it’s running, telnet 127.0.0.1 8888.

I also need an SSH server running on the machine to connect to from the outside and port forwarding set up in my router. This can be a bit of trial and error to find out through witch ports you can access your home server from the corporate network, port 80 (HTTP) and 443 (HTTPS) will often work. In my case it didn’t, but I found that on port 23 (telnet) I was able to reach my home server, so I set it up in my router like this (192.168.1.123 is my Mac Mini’s IP address on the home network):

Port forwarding

Connecting to the relay from the corporate computer

The corporate machine provided to me is a Windows 7 machine in this case, where I start by installing Tunnelier (which also exists in a portable version, if you’re not a local admin). I start by setting up the tunnel to my Mac Mini at home by connecting to its dynamic DNS name on the port I forwarded in my router.

Tunnelier login

To be able to get outside the corporate network I have to use their proxy, so I enter the same proxy settings I find in Internet Explorer in Tunnelier as well:

Tunnelier proxy settings

To access Tinyproxy I need to set up some local port forwarding under the client-to-server tab. The destination port should be the one where tinyproxy is listening locally on my Mac Mini, in this case 8888. I also have a VNC server on port 5900 in this screenshot so I can connect graphically to my Mini. The local ports on the Windows 7 machine can be any that is not used already by another service, I chose 1053.

Tunnelier Client to Server

In Internet Explorer (which is really Windows global proxy settings) I enter 127.0.0.1 on port 1053 as my new proxy.

IE-LAN-settings

Since I must be able to access internal corporate network resources I cannot route all traffic through my home server, so I add exceptions for the corporate domain and IP address range (123.4.* in this screenshot).

IE proxy settings

One last thing I could do to make things quicker is to create scripts for turning the proxy settings on and off. If you need to connect to a WiFi in a hotel or on a train where the network is open but requires you to visit a web page to enter some login information, the proxy must be turned off to access that web page. I put these scripts on the desktop so I can right-click them and choose “Run with PowerShell”.

home-server.ps1

$ProxyServer = "127.0.0.1"
$ProxyPort     = "1053"
$Path   = "HKCU:SoftwareMicrosoftWindowsCurrentVersionInternet Settings"
$Proxy = $ProxyServer + ":" + $ProxyPort
$Exceptions = "<-loopback>;*.company.com;123.4.*"
 
# Enable an explicit proxy
Set-ItemProperty -Path $path -Name ProxyEnable -Value 1
Set-ItemProperty -Path $path -Name ProxyServer -Value $Proxy
Set-ItemProperty -Path $path -Name ProxyOverride -Value $Exceptions

no-proxy.ps1

$Path   = "HKCU:SoftwareMicrosoftWindowsCurrentVersionInternet Settings"
 
# Disable an explicit proxy
Set-ItemProperty -Path $path -Name ProxyEnable -Value 0

A final word of warning is that this will of course be against the corporate IT policy, that’s why I would never do this in real life.

No matching posts found. You can use wildcards and search only in titles, e.g. title:iot
Loading search index, please try again in a few seconds.
Index has completed downloading. Please search again.