How to set up an encryption-only proxy server?


I need to create an encryption-only proxy server. By this I mean, from anywhere in the world I'd like all of the company's laptops' Internet traffic to be encrypted and routed through this single server. Caching would be nice, but not required; encryption between laptop and server is the only requirement.

What are some ways to accomplish this setup? I've been reading up on Squid, but didn't find too much information on encryption. I assume there would be some SSL or SSH involved, but I'm really new to this area. Browsers would be the primary user of the connection, though supporting IM and e-mail clients would be nice as well. The clients would be Windows and nix, while the server could be anything open source.

Edit: It's been made clear that a VPN would be a better solution than a proxy. Before I accept an answer, could somebody comment on this:

What happens when the laptops are plugged into another corporate network? For example, the consultants sit down at ABC Company's office. They need to bring up an intrAnet site like myabc.internal.com for whatever reason. I believe intranet DNS servers would normally resolve this correctly. If I'm connected to this VPN would this work? I understand a browser connecting to proxy would have the same problem, but you could have two browsers: one via proxy, one not. Or would this not be an issue with VPN?

Best Answer

I agree w/ pjz-- it sounds like you're looking for a VPN.

OpenVPN is a great, no-cost method of getting started w/ VPNs. It's stable and ready for production use, but even if you don't end up using it, it's a good tool for getting familiar with VPNs. It's really easy to set up with static keys (for playing around), and only marginally more difficult to set up with certificates (for production use).

You say "Internet traffic" in your question, but it's unclear if that just means browsing web sites, or literally all IP traffic to the Internet. You can pass a "default gateway" route down to the client w/ OpenVPN such that their Internet-bound traffic will route down the OpenVPN "pipe" to the server, which could then put it onto the Internet.

If you only wanted HTTP/HTTPS to be routed down the OpenVPN (i.e. if they PING, run Skype, etc., that traffic can go straight to the Internet), you might consider deploying something like Squid Cache, too, and then configuring client browsers to use that proxy server such that traffic to the proxy was routed down the OpenVPN "pipe" only (i.e. put the proxy on a VPN-accessible IP address, but leave the client's default gateway alone). (You could even do a 'push "dhcp-option 252 ..."' to push out a proxy-autoconfiguration URL to clients via OpenVPN, I believe.)

You've got some options, depending on what you want to do.

re: your comment to pjz about Intranet site access

You're going to have to "pay the piper" on this somehow.

If you're just routing all their Internet-bound traffic down the VPN via a default-gateway changeup, any traffic to web servers on-subnet with them would still "go direct". If the Intranet web server was on a different subnet, though, their traffic to that subnet would go down the OpenVPN pipe instead of to the on-site router. That'd be bad.

If you did my suggestion above of pushing down a proxy-autoconfiguration script to clients via OpenVPN (or some other means) you could put "exceptions" in that file to cause the clients to "go direct". I typically do that in proxy-autoconfiguration files with:

if ( isPlainHostName(host) ) { return "DIRECT"; }

This causes host names w/o any dots in them to be accessed directly.

If you know a particular host (or wildcard matching pattern) that needs to be directly accessed:

if ( shExpMatch(url,"http://*.customer.com")) { return "DIRECT"; }
if ( shExpMatch(url,"http://known-intranet-server.customer.com")) { return "DIRECT"; }

If you know where your users are going to be working, you can put exceptions into the proxy-autoconfiguration file prior to the fact. If not, though, you're going to have to reactively deal with such issues. If you don't know beforehand, you're asking for a solution that can "do the right thing" automatically. Unfortunately, computers do a horrible job with that. >smile<

I'd take the extra time with whatever you deploy to use proxy-autoconfiguration files. It gives you a centralized method (that can be updated "on the fly" w/o touching client computers) to control diverting HTTP traffic to a proxy server or letting it go directly to the Internet. They're amazingly handy for this kind of application.
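A complete proxy-autoconfiguration (PAC) file built around the "go direct" exceptions the answer describes, with the VPN-only proxy as the sole fallback. This is an added example, not the answerer's own code; the proxy address, the domain patterns and the stub helper functions are assumptions.

```javascript
// Added example (not from the original answer): a PAC file that sends
// Internet-bound browser traffic to a proxy reachable only over the VPN
// and lets intranet/customer hosts "go direct". All hostnames and
// addresses below are constructed placeholders.
//
// A browser's PAC engine supplies isPlainHostName() and shExpMatch();
// minimal, guarded versions are defined here so the file can also be
// exercised outside a browser (e.g. under Node) for testing.

if (typeof isPlainHostName === "undefined") {
  // True for dotless names such as "intranet" or "printer01".
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof shExpMatch === "undefined") {
  // Shell-style glob: "*" matches any run of characters, "?" one character.
  // Anchored at both ends so "*.customer.example" cannot match
  // "x.customer.example.com".
  var shExpMatch = function (str, pattern) {
    var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}

// Placeholder: the proxy listens on an address that is only routable
// through the VPN tunnel, so traffic to it always rides the tunnel.
var VPN_PROXY = "PROXY 10.8.0.1:3128";

function FindProxyForURL(url, host) {
  // 1. Dotless names are resolved by the local site's DNS; reach them directly.
  if (isPlainHostName(host)) { return "DIRECT"; }

  // 2. Known customer/intranet domains (maintained centrally in this file).
  //    Matching on host rather than url covers both http and https.
  if (shExpMatch(host, "*.customer.example") ||
      shExpMatch(host, "*.internal.example")) { return "DIRECT"; }

  // 3. Loopback never goes through the proxy.
  if (shExpMatch(host, "localhost") || shExpMatch(host, "127.*")) { return "DIRECT"; }

  // 4. Everything else is Internet-bound. No "; DIRECT" fallback is appended:
  //    if the tunnel is down the browser fails closed instead of leaking
  //    traffic in the clear.
  return VPN_PROXY;
}
```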