How to Bypass Websense, the Better Way

Websense blocking Pandora

So you’re at work or school trying to listening to Pandora and Websense or some other internet filtering is preventing you from getting there. Or maybe you’re trying to get on Facebook and your network administrator has blocked it…to each his own. How can you bypass the DNS block?

What comes to mind right way but isn’t always the best solution is a VPN. At first that might seem like the perfect idea…it will effectively bypass Websense. But if you’re like me and you VPN your work computer then you’ll lose access to a bunch of internal company sites; you won’t be able to check your work email because your IP address will become an external one; you’ll start hitting your company’s webpages from an external IP which just causes analytics issues. The list goes on. I want to be on my internal network, I just want some of my web traffic to bypass Websense.

A better way to bypass Websense is to set up a single browser to tunnel through an encrypted connection and leave the rest of your network settings untouched. Keep Firefox, for example, for personal use, like Pandora, SoundCloud, Facebook, and for other encrypted browsing, and your computer and other browsers stay on your current/internal network. Now we’re onto something. To do this, you need to create an SSH tunnel between your computer and another server (such as an NAS), then route Firefox’s traffic through that SSH connection. Not only will the traffic be encrypted, but the DNS lookup will go through the remote server. Pretty foolproof. Luckily for me, I have an NAS (Synology DS412+) sitting at home and SSH is enabled. If you don’t have an internet-connected NAS with SSH enabled you could also SSH into another computer at home. Make sure your router is forwarding port 22 to whatever server you’ll SSH into.

Create an SSH connection

On a Mac/Linux computer, open Terminal. SSH into your server:

ssh -D 22 [email protected]

If your computer is administered you’ll likely need to sudo:

sudo ssh -D 22 [email protected]

If you have SSH enabled on a custom port just change 22 to the port you’re using. It helps to have Dynamic DNS set up on your NAS or other server so you don’t have to remember the IP address you’re connecting to. Alright, connection made.

Route Firefox traffic through SSH

In order to route Firefox’s traffic through that SSH connection you’ll need to install a browser extension called FoxyProxy. FoxyProxy enables you to browse the internet through a proxy. Browsing through a proxy is a common way to bypass some internet filters, but usually DNS lookups are still done locally, so websites can still get blocked. We’ll be using our SSH connection as a proxy and then we’ll also route DNS lookups through to the remote machine so Websense will have no idea what sites we’re visiting.

First you need to install FoxyProxy. Once it’s installed, go into its Options (right-click the little fox icon in the bottom right of your browser window) and click Add New Proxy. Make sure that “Perform remote DNS lookups on hostnames loading through this proxy” is checked and that “Enabled” is also checked. Also check both boxes in the Cache section. Name your proxy something creative.

Click the Proxy Details tab and select Manual Proxy Configuration. You want the “Host or IP Address” field to say localhost, and Port should be 22 (if you SSH’d using a non-standard port then use that instead). Check the “SOCKS proxy?” box. That’s it for the settings. Click Ok. If you get a prompt about not whitelisting any websites just ignore it. You can fiddle with those settings later. Close the FoxyProxy options.

The only thing left to do is enable the proxy you created in FoxyProxy. Right click the FoxyProxy icon and select your proxy (which, in this case, is the SSH tunnel). Keep an eye on your Terminal window for any errors. I found that I had to SSH into my NAS as root in order to get everything working.

Browse to the previously blocked website…Voila!

Firefox working through an SSH tunnel bypasses DNS blocker
DNS lookups and web traffic go through the SSH tunnel. Browse to any site.

You now have a browser that you can use to bypass Websense! Try visiting the same site in Chrome or some other browser and you’ll get your typical Websense blocked page. You can also use this connection when you’re on the road, as an alternative to a VPN, since web traffic through SSH is encrypted between you and your server.

About the author

I like learning, programming, and creating. I'm an incessant problem solver, and have an insatiable desire to absorb information. I'm an information sponge. A critical thinker. My left brain and right brain function as one. Business and technology should be one. I invest based on opportunity or technicals, whichever is right. I never let my schooling interfere with my education. Marketing is not fluff, it is data-driven. I find patterns, and analyze the random. I like to teach and explain.
3 Responses
  1. danglade

    Just tried and it worked perfectly.

    Now my question is, is it really re-directing everything and the DNS lookup its coming out trough the SSH connection?


    1. Nikhil Haas

      The “Perform remote DNS lookups on hostnames loading through this proxy” is the important setting that will do DNS lookups at the remote server. To verify just Google “what is my ip” with a ‘normal’ browser and with your ‘secure’ browser – the IP addresses will be different if DNS lookups are going through your remote server.

  2. Chintan parmar

    didn’t work, outgoing port on 22 is blocked for us. I can connect via web ssh. Tried reverse proxy, that didn’t work either.

Leave a Reply