Set up a proxy server for an external client

The scenario is to proxy a web browser on an external network device to the home OpenWrt router.
VPN to the router is not an option.
Is it possible to set up a proxy server on the home router which listens on any WAN address on ports 8080 and 443 with user and password?
I have checked the proxy servers available, but the scenarios are for LAN clients only.

Assuming you are talking about an "explicit" proxy, to be configured in a browser, for example, then the answer is YES.

May be doable... but also looks like a security issue.

You can run a proxy on OpenWrt (squid?) and expose the ports to the outside. Having username/password on every request, probably unhashed, might be an issue.

Sounds like what you are trying to do is bypass some firewall the client is behind. I can't recommend you do that... someone is going to get mad about it, eventually.

This might be outdated advice, but if you are convinced you want to do this, why not look at stunnel, provided you can run it at the client? That way the proxy can remain safe behind the firewall, and all you expose is sshd. Need it on port 443? Add sslh to redirect ssh traffic to ssh while keeping http traffic to a facade http service (or to nothing). I had that working once. Performance is crummy but it did bypass the firewall that I took offense to.

Thanks! It seems that will do the trick. Can you provide a configuration example?

It was a long time ago.

Check out this page:
https://sebsauvage.net/punching/

Only difference in your use case is that you have a browser instead of a POP3 client, and you have Squid (or any other proxy) running on your router.

But in short, from memory, and probably missing something...

At router:

  • you need a proxy on the router; if it is squid, you have port 3128 open in your LAN and from your LAN you can use a browser pointing to router:3128 as proxy - this is the service
  • you need an sshd (don't recommend busybox), and it is accessible in your LAN - this will provide the tunnel and handle authentication
  • you need sslh, publicly available on port 443 (or anything the firewall will let through) with a mapping to forward ssh traffic to port 22 - this is the facade; you could also forward non-ssh traffic to a local webserver with a static page so it is not evident the port listens to ssh traffic
  • you might need some kind of dynamic DNS to call back home - this is your address

At client:

  • you need ssh (client); proxytunnel or stunnel or something like that will authenticate to the blocking proxy (if needed) and take ssh credentials to open the tunnel to sshd on your home router at address:443, and map the remote 3128 port to local 3128 (or wherever)
  • you need your browser to use localhost:3128 as proxy.

That worked wonders in the days when firewalls just had simple access rules (for example, let port 443 pass, block anything else). Nowadays firewalls inspect and even decrypt traffic in true MITM attack fashion (BlueCoat comes to mind). You would not notice it unless you were validating server and client certificates.

Tunneling through a firewall will raise alarms. Don't assume no one will be the wiser. Link above has a more pointed warning in bright colours so you don't miss it. I could only find one or two pages with legitimate uses for this setup and they were more around remote management, certainly not just "browsing".

Another informative page:

This might have a more pointed solution (without squid):
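
Added example, not part of any post in this thread and not sslh's own code: the sslh facade described above can share one port because SSH, TLS and HTTP differ in the first bytes a client sends, and the same check is what lets an inspecting firewall or a home-router log review flag SSH arriving on port 443. The function names, addresses and sample payloads are constructed for illustration.

```python
"""Classify the first bytes a client sends on a shared port such as 443."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' for a client's first payload."""
    if not data:
        # A client that has sent nothing yet cannot be classified by payload.
        return "unknown"
    if data.startswith(b"SSH-"):
        # RFC 4253 identification string, e.g. "SSH-2.0-..."
        return "ssh"
    # TLS record: type 0x16 (handshake), major version 0x03,
    # then handshake type 0x01 (ClientHello) after the 5-byte record header.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def flag_unexpected(flows, allowed=("tls",)):
    """Return (source, protocol) for flows whose first payload is not allowed.

    Only the outermost protocol is visible here: SSH wrapped inside TLS
    (for example via stunnel) classifies as 'tls' and needs other signals.
    """
    hits = []
    for src, payload in flows:
        proto = classify_first_bytes(payload)
        if proto not in allowed:
            hits.append((src, proto))
    return hits


# Constructed sample data: first payloads seen on port 443 (documentation IPs).
SAMPLE_FLOWS = [
    ("192.0.2.10", bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03])),
    ("192.0.2.11", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.0.2.12", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.0.2.13", b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for src, proto in flag_unexpected(SAMPLE_FLOWS):
        print(f"{src}: first payload on 443 looks like {proto}, not TLS")
```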