Laptop > Public Internet > SSH Server on port 443 (Home) > Proxy Server listening on internal subnets only (Home)
I use BusyBox as an SSH daemon on my router and Privoxy for the HTTP/HTTPS requests. Simple, lightweight, works out of the box and highly configurable if you want it. Strips out advertisement and HTTP/Java annoyances also. I like to run SSH on the router as it gives me access to the entire subnet rather than a single PC. You can achieve the same with a Linux box and iptables, but in a Windows environment doing it from the router is just easier.
I no longer do ANY browsing on public internet without tunnelling it home - far too many exploits and potential to have data captured.
Running the SSH server on port 443 (HTTPS) gives you ultimate flexibility and the best chance of getting out of strict environments - public APs that only allow HTTP/HTTPS traffic, for example. SSH also does not have the highly temperamental issues of VPNs such as IPsec passthru, or the additional overhead of a VPN tunnel failing on networks with highly set MTUs.
Client-wise, I use PuTTY on Windows machines and ConnectBot on my Android mobiles/tablets. Both can forward local ports to the other end of your SSH tunnel. I access my HTTP proxy, FTP servers, web management interfaces, webcams and connect to systems with Remote Desktop Protocol over the tunnel. Why expose ports to the open internet when you can connect a simple SSH tunnel and encrypt it all?
A typical proxy config would look like this:
Laptop:
Web browser proxy enabled, pointing at 127.0.0.1:8080
PuTTY SSH tunnel connected with local/auto port 8080 forwarded to 127.0.0.1:8080 if your proxy server is also your SSH server, or to proxyhostIP:8080 if the SSH server is separate from your proxy server.
SSH Server:
Running on port 443
Home System:
Proxy server configured to listen on 127.0.0.1:8080, or on its actual IP (proxyhostIP:8080) if it accepts data from an upstream device first, e.g. your gateway/router. (For example, if your SSH server ran on your router at 192.168.1.254 and your proxy server was 192.168.1.1, the proxy server would need to listen on 192.168.1.1:8080.)
Router/Firewall:
Forward port 443 to your system running the SSH server.
A VPN will be able to encompass ALL network traffic but they are a PITA. (See passthru and MTU/additional header concerns above) You can achieve the same with an SSH tunnel, you just have to do the forwarding on a per port basis. You can also tunnel as a SOCKS proxy for any applications that support it.
I have never, ever met a network/firewall/gateway that stopped me getting an SSH tunnel out on port 443. You can even point your SSH client at an internal authentication based HTTP proxy and chuck the tunnel through that. Do not even need a direct connection.
That flexibility alone is worth the extra work of forwarding the ports. Once you save your PuTTY/client connection details you only have to reconnect and enable/disable them as you need.
An additional note - If you want to MASK your web browsing you need to forward DNS queries over the tunnel to your proxy also. Use a browser capable of configuring this at config level, Firefox for example. How serious are you about privacy? There are so many pitfalls - You might be performing remote DNS lookups but if you use a browser that has Anti-Fraud checking, for example, it's still going to go away and lookup from your locally configured DNS server - this is potentially the one you do NOT want logging your queries.
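Pulling the pieces above together (the port-443 tunnel from the Laptop/SSH Server/Home System layout, the SOCKS option, and the remote-DNS point just made) as an added example that is not the poster's own configuration: it uses OpenSSH on the laptop instead of PuTTY, Privoxy's listen-address directive on the home side, and Firefox prefs written as a user.js so the browser resolves names at the far end of the tunnel. The hostname, user name and 192.168.1.x addresses are assumed placeholders, as is the 1080 SOCKS port.

```shell
#!/bin/sh
# Added example, not the poster's config. Assumed placeholders throughout:
# home.example.net, user "alice", proxy at 192.168.1.1, SOCKS on 1080.

# OpenSSH equivalent of the PuTTY tunnel described in the post:
#   -p 443  connect to the home SSH server on the HTTPS port
#   -N      tunnel only, no remote shell
#   -L      local 127.0.0.1:$3 -> $4:$5 (the home proxy, as seen from the SSH server)
#   -D      optional local SOCKS listener on $6 for apps that speak SOCKS
# Args: ssh_host ssh_user local_port proxy_host proxy_port [socks_port]
ssh_tunnel_cmd() {
    cmd="ssh -p 443 -N -L 127.0.0.1:$3:$4:$5"
    if [ -n "$6" ]; then cmd="$cmd -D 127.0.0.1:$6"; fi
    printf '%s\n' "$cmd $2@$1"
}

# Privoxy listen-address lines for the home proxy. Loopback covers the case
# where proxy and SSH server are the same box; the LAN address is added only
# when the tunnel terminates elsewhere (e.g. the router), so the proxy is
# never bound to a public interface. Args: port [lan_ip]
privoxy_listen_config() {
    printf 'listen-address 127.0.0.1:%s\n' "$1"
    if [ -n "$2" ]; then printf 'listen-address %s:%s\n' "$2" "$1"; fi
}

# Firefox user.js: manual proxy (type 1) for HTTP and HTTPS via the tunnelled
# port; with a SOCKS listener, socks_remote_dns makes Firefox hand the hostname
# to the proxy instead of resolving it with the local (hotspot) DNS server.
# Args: proxy_host proxy_port [socks_port]
firefox_userjs() {
    printf 'user_pref("network.proxy.type", 1);\n'
    printf 'user_pref("network.proxy.http", "%s");\n' "$1"
    printf 'user_pref("network.proxy.http_port", %s);\n' "$2"
    printf 'user_pref("network.proxy.ssl", "%s");\n' "$1"
    printf 'user_pref("network.proxy.ssl_port", %s);\n' "$2"
    if [ -n "$3" ]; then
        printf 'user_pref("network.proxy.socks", "%s");\n' "$1"
        printf 'user_pref("network.proxy.socks_port", %s);\n' "$3"
        printf 'user_pref("network.proxy.socks_remote_dns", true);\n'
    fi
}

# Leak check on an existing user.js: returns 0 (leak) when a SOCKS proxy is
# configured but remote DNS is left off, i.e. names still go to the local
# resolver even though the HTTP traffic goes through the tunnel. Arg: file
userjs_dns_leaks() {
    grep -q '"network.proxy.socks_port"' "$1" \
        && ! grep -q '"network.proxy.socks_remote_dns", true' "$1"
}

# Demo run: the three pieces of config for the layout in the post.
ssh_tunnel_cmd home.example.net alice 8080 192.168.1.1 8080 1080
privoxy_listen_config 8080 192.168.1.1
firefox_userjs 127.0.0.1 8080 1080
```

Run it once to print the three fragments, then drop the Privoxy lines into its config file on the home box, the user_pref lines into the Firefox profile's user.js, and start the printed ssh command on the laptop before opening the browser. The leak check is the part worth keeping around: a profile that points at a SOCKS port without socks_remote_dns set is exactly the case the post warns about.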