I’m looking for a highly skilled network engineer or red-team consultant to help design and implement a secure, stealthy proxy system that routes internet traffic in a way that avoids detection by an Enterprise Secure Web Gateway (SWG).
I will be using a GL.iNet router (OpenWRT-based) and want to simulate the behavior of WSS Agent on my own test setup — then route traffic in a way that prevents VPN/proxy detection.
Objectives:
Set up a residential or home-hosted proxy server (e.g., Raspberry Pi) located in a specific geographic region (e.g., Dallas, Texas).
Configure the proxy to avoid triggering common detection mechanisms:
Known VPN IP blocklists
TLS fingerprinting (SNI, cipher suite anomalies)
DNS leaks
CA chain violations
Routing anomalies (tun interfaces, MTU mismatches)
Integrate proxy with a GL.iNet router (running OpenWRT)
Configure policy-based routing (only certain MACs/devices routed through proxy)
Route all other traffic normally
Simulate basic WSS Agent behaviors in a test environment
Required Technical Skills:
Advanced Linux networking (iptables, netfilter, routing, MTU tuning)
Deep understanding of proxy servers (Squid, Shadowsocks, SOCKS5, HTTP CONNECT)
TLS/PKI expertise (certificate trust chains, cert pinning, MITM avoidance)
DNS resolution and tunneling knowledge (DoH/DoT, DNSCrypt, DNS leak prevention)
Policy-based routing configuration on OpenWRT (GL.iNet or similar)
Familiarity with traffic obfuscation techniques:
obfs4, simple-obfs, TLS plugins
masquerading VPN traffic as HTTPS
(Nice to have) Experience with corporate proxy/firewall simulation (e.g., Zscaler, Symantec WSS)
Environment:
GL.iNet Router (MT3000 – Beryl AX)
Raspberry Pi
Test device: macOS with WSS Agent
NordVPN (only for comparison/testing)
Deliverables:
Fully functioning proxy server in specified location
GL.iNet router configuration with PBR to selectively route traffic
DNS leak mitigation plan
Traffic inspection logs or analysis if WSS detection occurs