Ubuntu – How to set up a local SOCKS proxy that tunnels traffic through SSH

firefoxPROXYssh

Assume I have access to an SSH server that supports tunneling, and I am on a PC that is running *ubuntu, how do I set up a local SOCKS proxy that tunnels the traffic through that SSH server before reaching the Internet?

Best Answer

  • The ssh binary that you use when you connect to a server running ssh supports running a SOCKS proxy out of the box, with the -D flag. Example:

    ssh -D 1337 -f -C -q -N user@remote -p 22
    
    • -D 1337 tells ssh to launch a SOCKS server on port 1337 locally.
    • -f forks the process into the background.
    • -C Turns on compression.
    • -q enables "Quiet mode", since the purpose here is only to tunnel we don't really care about error output and such.
    • -N tells ssh that no commands will be sent (-f complains if we don’t specify this).
    • -p specifies what port to use; obviously this is defaulted to 22 so the statement above is pointless, but included for clarity.

    When your SOCKS server is up and running, you simply need to make sure that your application (usually a web browser) is trying to connect to the local SOCKS proxy, and not the regular Internet.

    In Firefox 29 (explained here as an example), this is achieved by going to the menu (the three sausages in the top right), followed by Preferences > Advanced > Network > (Connection) > Settings... - make sure you only fill out the SOCKS field! Since your proxy is on the same system, you can use localhost or 127.0.0.1 to point back at whatever port you set it to on the same system.

    If you need your DNS requests to be tunneled as well (if they are not, your DNS lookups will reveal what websites you are trying to visit), you can just check on "Remote DNS" or as well do this entire configuration in about:config. In the last case, open it up and set these values:

    network.proxy.socks : 127.0.0.1
    network.proxy.socks_port : 1337
    network.proxy.socks.remote_dns : true
    network.proxy.socks_version : 5
    network.proxy.type : 1
    

    You may also need this setting to exclude certain domains or sites from tunneling:

    network.proxy.no_proxies_on : localhost, 127.0.0.1, 192.168.0.0/24, .yourcompany.com
    

    This answer was written from France, but tunneled via Sweden :)

  • Related Question