Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

SSH SOCKS4 proxy

News SSH Recommended Links Socks4 SSH Configuration Private and Public key management FAQs
VNC over SSH X11 forwaring over ssh SOCKS4 proxy SSH is Pipes Tips Humor Etc

SSH has an interesting feature called Dynamic Port forwarding with which the SSH TCP connection will work as a SOCKS4proxy. By connecting to the given port, it handles SOCKS data transfer requests.

An important application of Dynamic Port forwarding is the following case. Let’s suppose you have a machine on a network that is connected to the Internet and you have another machine on the same network that does not have any Internet connection. By using SSH Dynamic port forwarding, you can easily access the Internet by setting up the machine with an Internet connection to act as the SOCKS4 proxy using an SSH tunnel.

For dynamic port forwarding, use the following command:

ssh -D 3000 remotehost
Now, in your browser, specify proxy settings as:
SOCKS4host: localhost
port: 3000

To enable the DNS service in Firefox, navigate the about:config page and set…

Proxies

Proxies allow application-layer connections without allowing direct network connectivity. This allows applications to bridge otherwise inaccessible networks. Proxy support can be implemented in either of two ways: using alternative networking shared libraries (for instance, the runsocks command) or using the internal proxy support (ProxyCommand keyword).

The ProxyCommand interface is an external command executed with /bin/sh. The command should read from standard input and write to standard output. See ssh_config(4) and the OpenSSH source code for more details on the interface. The Solaris Secure Shell software provides support for SOCKS 5 servers through the ssh-socks5-proxy-connect(1) command and HTTP proxy servers through the ssh-http-proxy-connect(1) command. Both commands use the ProxyCommand interface and are located in the /usr/lib/ssh directory.

Note

General-usage protocols, such as HTTP and SSH, can be used to allow almost anything across the proxy, including enscapulated IP traffic. Monitor the proxy for suspicious behavior. The encrypted Secure Shell traffic hides the network content but not the endpoints or the amount of bandwidth consumed.

The following code example shows the proxy access by using the runsocks command. Some sites require SOCKS_SERVER and LD_LIBRARY_PATH to be explicitly set.

$ /usr/bin/env SOCKS_SERVER=sockserver:1080 \
 LD_LIBRARY_PATH=/usr/local/socks/lib /usr/local
/socks/bin/runsocks \
 /opt/OBSDssh/bin/ssh remote.host.com

The following code example shows the proxy access by using the ProxyCommand interface:

$ ssh -o'ProxyCommand=/usr/lib/ssh
/ssh-socks5-proxy-connect \
          -h socks-gw -p 1080 dmz.foo.com 22' dmz
.foo.com
 user@dmz's password: password
 Last login: Thu Dec 10 23:03:04 2002 from foo.bar.com
 Sun Microsystems Inc.   SunOS 5.8     Generic May
 2001
 $

The proxy method to access a remote host can be specified on a per-host basis with the ProxyCommand and Host keywords. The shared library method cannot be used in this manner. Note that the entire command string must be on one line.

Host Teach
        ProxyCommand /usr/lib/ssh
/ssh-socks5-proxy-connect -h sockserver -p 1080
 teach.foo.com 22

Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

[May 02, 2012] SSH Over Proxy

June 13, 2010 | Daniel's page

At home

You need a HTTP proxy running, and you really only need it to accept connections to proxy from localhost. Lots of people already have an Apache running and making it load the proxy module and configure it for localhost is very easy and quickly done. Of course you can opt for another proxy software, such as squid if you prefer that. In this example, we assume that the proxy runs on port 80 - the same as the typical apache install uses.

You may want to enable HTTPS and FTP and other protocols in the proxy config.

You need sshd running on port 443. Almost everyone already have sshd running already, you just need to make it also listen for connections on port 443. 443 is typically used for HTTPS and that's why we use it - most proxies are configured to allow connections to 443 since companies want to allow their employees to be able to use banks and other HTTPS web services on the net.

Perhaps needless to say, but you must make sure that your Apache or other httpd server doesn't use the 443 port for HTTPS.

At Work

You need an SSH client that can issue CONNECT requests through the company HTTP proxy. If you're on Windows, using Putty is fine as it has built-in support for tunneling through a HTTP proxy. If you're on unix/linux (or cywgin) you can use openssh with corkscrew to go through the proxy to your home computer's port 443.

If using openssh, you'd add the following line to your ~/.ssh/config file:

ProxyCommand /usr/local/bin/corkscrew proxy.work.com 80 %h %p
		

You config the ssh client to port-forward a local port, say 8080, to the remote's localhost:80. Now you have a channel established to your home computer, over a securely encrypted connection. Of course you also get a SSH login and you can start your X-programs from home to pop up at work etc...

The openssh command line to connect and port-foward the proxy could then look like this:

ssh -L 8080:localhost:80 [email protected] -p 443 

Configure your browser at work to use "localhost:8080" as proxy, for all the protocols you have enabled in your proxy at home.

All subsequent browser requests are then sent over the SSH connection, through the proxy, to the ssh server at home and from there to your proxy, and out in the world...

The SOCKS proxy way

Instead of running a HTTP proxy at home to reach the internet with, you can use the tunnel as a SOCKS proxy. This basically allows you to not run anything at all at home apart from the ssh server.

If you have openssh in both ends, you can opt to use this simpler approach. It lets you fire up the tunnel to your home machine and use that tunnel as a SOCKS proxy rather than using a HTTP one at the other end of the tunnel. This way, you don't need to run any other software at home than the ssh server itself.

You can start up the tunnel/SOCKS proxy from the work side by issuing a command like:

ssh -D 8080 [email protected] -p 443 

You may still need the "ProxyCommand" line mentioned above to make sure your ssh client can reach your ssh server at home.

Subsequently, you need to configure your work browser to use the SOCKS proxy now running at localhost port 8080.

Without CONNECT

For cases when CONNECT is not allowed to port 443 of your home computer, you can of course try another port - if any at all are allowed, and then you may need to move your proxy/web server from 80 if that's the only way for you.

If you cannot find any useful port or if CONNECT is not allowed at all, you need to establish a tunnel using normal HTTP, using for example httptunnel. httptunnel is a client/server application, and you want the server ("hts") to run on your home computer, listening on port 80, and you run the client ("htc") on your work computer setting up the tunnel.

At home, take an incoming connection on port 80 and forward it to port 22 (ssh):

hts -F localhost:22 80

At work, connect to home over the company proxy and forward a local port (8022 in this example) to SSH to home over:

htc -P proxy.corp.com:80 -F 8022 server.at.home:80
Additional Comments

For other protocols you can of course just make sure that your work-ssh session forwards more ports to your home machine. It then differs between the protocols how you get them to work. If you want to IRC at work through this setup, you need a "IRC bouncer" (like muh) running on your home machine since IRC cannot work properly otherwise.

For cases when your work doesn't actually lock you behind a proxy, you can still use this approach (although you can skip the part with doing CONNECT and your home computer doesn't have to run ssh on port 443) to prevent your work admins from snooping on your network traffic.

Changelog: I added the SOCKS proxy details in June 2010.

[May 02, 2012] A long long way from home " SSH Magic made easy

A long long way from home

VPN setup in Linux is, depending on your distro, a time-consuming
and technically challenging task often involving kernel patching and
a whole lot of setup-file-editing. With ssh and
tsocks much of the same
functionality may be achieved.

Overview

What basically happens is that you open an encrypted tunnel to a
Linux/UNIX machine connected to the remote network where the
services you wish to use are available. All network traffic
requested by your programs are routed through that encrypted
channel so that programs on your local desktop network-wise
appears to be running at the remote Linux/UNIX machine.

Requirements

You will need:

mikeash.com Using ssh as a SOCKS proxy on Mac OS X

First, open Terminal and run the following command:
ssh -D 2001 [email protected]

The -D 2001 tells ssh to set up a SOCKS4 proxy on port 2001. Replace [email protected] with your actual username and remote host information, of course. Log in, and your SOCKS4 proxy is set up and ready to go. Note that you need to stay logged in to your shell for as long as you intend to use the proxy.

Next, open Firefox. In Firefox's address bar, enter about:config. You'll get a ton of configuration options. To narrow it down some, type "proxy" into the filter box at the top. You should get a list like this:

Set all of the items in bold to exactly what you see in the screenshot. For those of you who can't see the screenshot, set the following:

network.proxy.socks 127.0.0.1
network.proxy.socks_port 2001
network.proxy.socks_version 4

These settings configure your SOCKS4 proxy, but don't actually switch it on. This means that you can leave them set permanently, and they won't affect your connection unless you want them to.

To make Firefox actually use the proxy, make one final change: set network.proxy.type to 1. Then go to http://www.whatismyip.com/ to test. If it worked, you should be seeing the IP address of your remote shell host. Compare with its value in Safari if you're unsure.

If you want to use Firefox without the SOCKS4 proxy, simply reset the last setting: set network.proxy.type to 0.

Configure PuTTY To Create SSH SOCKS Proxy For Secure Browsing

You need to have a SSH (Secure SHell) account for this to work. If you have not yet done so, Download PuTTY for free.
  1. Open PuTTY.
  2. Where it says 'Host Name (or IP address)' and has a box underneath it, enter the name of your SSH host into the box.
  3. Under 'Saved Sessions' enter a name for this connection that will help you remember it later. For example, you could call it 'SSH Proxy' so you know this will be the proxy connection.
  4. In the 'Category:' menu on the left, expand the 'Connection' menu list if it is not expanded already. Expand the 'SSH' menu list if that one is not expanded already. Click 'Tunnels' (underneath 'SSH'). This opens the options where you will enter the settings for PuTTY to create the tunnel.
  5. Under 'Add new forwarded port:' enter 9853
  6. Where it says 'Destination' leave that field blank but be sure to select the 'Dynamic' option underneath it.
  7. Click the 'Add' button to add this port.
  8. In the 'Category:' menu on the left, click the click 'Connection'.
  9. Where it says 'Seconds between keepalives (0 to turn off)' enter 5 in the box. This will keep your connection alive and prevent it from timing out even when you walk away from the computer for a while.
  10. In the 'Category:' menu on the left, click 'Session' at the very top to go back to the first screen.
  11. Click the 'Save' button to save all of the settings you just entered. Later you will not have to enter these settings again in the future, you will only need to load up your saved profile (by double-clicking it after you open PuTTY) every time you wish to connect to the proxy.
  12. Click the 'Open' button to open the connection to the proxy.
  13. When connected you will be asked for your username and password. Enter the username and password for your account. Once connected the tunnel is open. After you are finished using the tunnel, type logout and press Enter.
Finished. Now you can connect using any SOCKS compatible software by configuring it to use localhost as the proxy server and use port 9853. The reason why you connect to localhost and not the address of the server is because PuTTY has forwarded that port from the server to your computer. Once you connect to localhost, it sends the data right back up through the encrypted tunnel to the server. Keep in mind data that leaves the server and goes out to the Internet is not encrypted unless you are connecting to a secure web site that uses SSL encryption (https://).

Alternative method: If you use PuTTY from the command line, here is a faster way to establish the secure tunnel without having to use any of the steps above:

putty.exe -D 9853 username@sshhost   

and press Enter

Just replace username with your actual username and ssh.host with the address of the SSH server. When it logs in you will automatically be asked for your password. Once that is accepted the encrypted tunnel is automatically created on port 9853 on your computer.

Another neat trick for command line users: Rename PuTTY.exe to ssh.exe. Move the newly renamed file to c:\windows\.

From then on, all you have to do to establish the tunnel from Windows is click 'Start --> Run...' to open the 'Run' dialogue box and then type ssh -D 9853 username@sshhost and press Enter. Replace username with your real username and ssh.host with the address of the SSH host.

Click here for instructions on configuring Firefox to use the secure tunnel. You will also find out how to download it if you do not have it already.

Click here for instructions on hiding the PuTTY window while you are logged on. This can be convenient since you do not need to use it while it is open.

Click here to sign up for VectroProxy SSH tunnel and go online anonymously. It works just as described above.

SSH Proxy for Secure Web Browsing

Do you have the need to securely browse an internal-only company webpage remotely? Well, here is a method for tunnelling your web browser through an encrypted connection. Please note that this will NOT hide the DNS queries which can reveal the target site.

Many people don't realize that SSH can emulate a SOCKS proxy. You can use any server you have SSH terminal access to as your own personal proxy.

Recommended Links

Google matched content

Softpanorama Recommended

Top articles

Sites

SSH Over Proxy



Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: July, 28, 2019