I did not, but I did solve my problem. Turns out, what I really needed was a SOCKS proxy through SSH, and luckily, there exists a pretty much 1-click solution on Windows: Bitvise! For the purposes of firewall avoidance it works exactly as a VPN would: all (chosen) internet traffic appears to originate from my home IP, and it gets there from a client machine through an encrypted tunnel.
All you do is install the server on your home machine (PC, not router, sorry if that was key), install the client on the remote machine (it’s portable, no admin rights needed if you just copy-paste the install folder), set up a single port to get through your home router (can be anything), and that’s all the infrastructure. Fire up Bitvise, set up a dynamic client-side tunnel, point your browser’s proxy settings at the tunnel (FF and Chrome both work, there are also extensions which can change proxy on a host-by-host basis), and away you go.
Now, you might say “Hey, I can do that with any software, like PuTTY and OpenSSH!”, and you’d almost be right. Thing is, OpenSSH isn’t exactly user-friendly as far as its non-existent interface is concerned (it’s command line, Bitvise has a GUI), and neither PuTTY nor OpenSSH is what you would call feature-rich. Bitvise already has SFTP built in, as well as RDP (no need to run a separate VNC server), and of course the powerful UI. Plus, it has one added feature that almost nothing has that turned out to be critical for me: obfuscation!
Basically, the firewall (proxy+fw, technically) I am behind would, after one SSH**(!)** connection (successful or otherwise), block the target IP on that proxy for about a day, possibly something like 6 hours. That means I would be able to connect, but only three times per day, switching through the 3 proxies I could use from “inside”, which is a bit of a risk if the connection is unstable, and really annoying when troubleshooting and setting up. The thing to note here is that while SSH traffic is encrypted, the handshake and the setup of the connection aren’t (insofar as the fact that an SSH connection is being set up is visible), so the fw saw me connecting to this random IP and setting up an SSH connection and (weirdly) decided to shut it down the next time I tried. (Sidenote: funnily enough, unencrypted HTTP traffic was A-OK as far as the FW was concerned…) Enter SSH handshake obfuscation. As far as I’m concerned it’s magic, and I am assured it’s not even remotely secure, but what it is is obscure. There is basically one decade-old fork of PuTTY that purports to support it, and some manual OpenSSH patches I think, so the odds of whatever FW being set up to detect it are minuscule. But, as it turns out, Bitvise also implements it (due in part to Bitvise not being built on OpenSSH), and at a tick of a checkbox on both ends your SSH connection, including handshake, just looks like random noise.
Of course this would mean that you can only connect to your Bitvise SSH server with a Bitvise SSH client, since no client (that I know of) supports this obfuscation, right? Well, yes and no. Yes, the obfuscated connection you set up is only accessible to clients that support it, but all you have to do is add another listen port to Bitvise, disable obfuscation on that port, and voilà, you have both an obfuscated and standard SSH server running as if they were one!
I know, I know, long post, infomercial, etc etc… I’m just really happy this software exists, is free, and is being updated!
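What a network monitor can see in the situation described above, as an added example that is not part of the original post: RFC 4253 has both ends send a cleartext identification string before key exchange, so a first-payload classifier can match it, and can separately flag streams that carry no recognizable text and look random from the first byte. The function names, thresholds and sample payloads are constructed assumptions.

```python
import hashlib
import math
import re
from collections import Counter

# RFC 4253 section 4.2: each side sends "SSH-protoversion-softwareversion ..."
# in cleartext before key exchange, so the protocol is visible on the wire.
BANNER_RE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the sample; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def classify_first_bytes(payload: bytes, min_len: int = 32,
                         entropy_threshold: float = 5.0) -> dict:
    """Classify the first payload bytes seen on a new TCP stream."""
    # A server may send other text lines before its banner, so check a few lines.
    for line in payload.splitlines()[:8]:
        m = BANNER_RE.match(line)
        if m:
            return {"verdict": "ssh", "proto": m.group(1).decode(),
                    "software": m.group(2).decode(errors="replace")}
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    ratio = printable / len(payload) if payload else 1.0
    entropy = shannon_entropy(payload)
    # No recognizable text and near-random bytes from the start: flag for review.
    opaque = len(payload) >= min_len and ratio < 0.6 and entropy >= entropy_threshold
    return {"verdict": "opaque" if opaque else "other",
            "entropy": round(entropy, 2), "printable_ratio": round(ratio, 2)}

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain_ssh": b"SSH-2.0-ExampleSSH_1.0\r\n",
    "pre_banner": b"Notice: authorized use only\r\nSSH-2.0-ExampleSSH_1.0\r\n",
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "random_like": b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(4)),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_first_bytes(data))
```

The `opaque` verdict is a triage signal only: this sketch does not parse TLS or other binary protocols, which would need their own checks ahead of the entropy test.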