I generally run a Debian Testing box, but frequently find the need to install stuff from the unstable repository. And I am getting tired of juggling my sources.list manually.
So I have created the following file, with thanks to Paul Wise:
Package: * Pin: release a=testing Pin-Priority: 800 Package: * Pin: release a=unstable Pin-Priority: 700 Package: lintian Pin: release a=unstable Pin-Priority: 900
and included sources for both testing and unstable in my sources.list. Note that a higher Pin-Priority gives that source a higher priority for sourcing the specified package(s).
So now when I do an "apt-get upgrade" APT will pull updates from testing only, UNLESS the package does not exist in testing and only exists in unstable. And installing a newer version of a package that already exists in testing from the unstable repo is the usual
apt-get install -t unstable packageName
Finding out about Open Source-compatible network equipment while it is still new enough to be found in shops is quite rare, in my experience. This would be the first time I have been so lucky. This device can be had for about 100 RMB / less then $20 just about everywhere in Beijing right now.
The TL-WR703N is a TINY device, not much bigger then an mp3 player, with one ethernet port, one ordinary USB port, and one mini-USB port for power supply. Made only for the Chinese market, with a Chinese GUI, well-supported by OpenWRT.
This is the version of OpenWRT I flashed the device with. (I went with a beta of the new stable, as it seemed likely that the old stable would not support the TL-WR703N.) Flashing is as simple as using the existing Chinese OS to update the firmware.
 gives very good instructions for unbricking the device if you break the OpenWRT network config. Which in my experience is very likely if you try to deviate from the default config which bridges together the ethernet and wireless into transparent AP mode. I wanted a standard router config with ethernet (WAN) and wireless (LAN) on separate, firewalled subnets, but I found the state of this version of the OpenWRT config frontend to be quite buggy. I tried from both the Luci GUI and manually editing the config files, and neither approach produced a working device. So I am living with the bridged mode right now.
So far I am very happy with the hardware and the OpenWRT support. Not so happy with the OpenWRT config front end.
Thanks to Jon for reminding me that there is something better then flaky public proxies and the over-taxed Tor network. Tor is still better if you want end-to-end security and anonymity, but if you just want a secure hop out of the local censored network and after that you do not care, renting a cheap server (as little as $8/month at vpslink, 100G of bandwidth included) is a simple and easy option.
Assuming your remote server is called hostname.com, setting up an encrypted tunnel is as simple as executing this on a local terminal (must be root):
ssh -v -CND 1080 firstname.lastname@example.org
Note that for my own Debian server on the other end of the SSH proxy tunnel, I have found that "username" cannot be "root". I am not sure why this is (and it is definitely counter-intuitive) but if I try to tunnel to the root account on my server, when I try to use the tunnel to browse to a website it does not work and the following error is reported:
channel 1: open failed: administratively prohibited: open failed
If I tunnel to an ordinary user account on my server, I get no error and everything works. Go figure.....
To semi-automate this I created an alias in my ~/.bashrc:
tunnel="autossh -M 0 -v -CND 1080 email@example.com"
Thereafter, in any terminal, just invoke "tunnel" to create the encrypted tunnel. (To eliminate the password prompt, setup passwordless authentication.)
Any browser can use this proxy, by pointing its proxy setting at localhost and port 1080, with SOCKS 5 turned on. The Firefox FoxyProxy plugin makes this infinitely more flexible by allowing the simultaneous configuration of multiple proxies, and providing fine-grained control over which websites are accessed using which proxies.
Once FoxyProxy is installed into Firefox, you have the option of selecting any one proxy (or none) for all of your surfing, or associating certain websites with certain proxies and running FoxyProxy in "Patterns" mode. Since youtube is often getting itself blocked, a pattern for youtube would be:
While you are at it, install privoxy and make it your default proxy for websites that have not been diverted to Tor or your just created personal proxy. Privoxy blocks a lot of advertisements and information gathering by nosy websites.
Finally, note that
ssh -v -CND 1080 firstname.lastname@example.org
will only allow connections from the localhost. To allow connections from other computers over your local network, start it like this for example:
ssh -v -CND [192.168.8.58]:1080 email@example.com
This will allow any connections to port 1080 on the machine's exterior network interface. To start this as a persistent service at boot, add the following line to /etc/rc.local:
su username -c 'autossh -M 0 -v -CND [192.168.8.58]:1080 firstname.lastname@example.org'&
where username is the account you wish the service to run under.