Are you on a network with limited access? Is someone filtering your internet traffic? If you have SSH access to _any_ server, you can set up your own SOCKS5 proxy and tunnel your TCP traffic over SSH.
From that point on, whatever your laptop/computer sends to the SOCKS5 proxy travels encrypted inside the SSH session to your SSH server, and that server forwards it to the outside world.
It's an SSH tunnel on steroids: any TCP connection, HTTP and HTTPS included, can be passed through it without setting up a separate port forward per destination.
And it isn't even that hard. This guide is for Linux/macOS users with direct access to a terminal, but the same logic applies to PuTTY on Windows (its Tunnels panel has a "Dynamic" option for exactly this).
Set up SOCKS5 SSH tunnel
You set up a SOCKS5 tunnel in 2 essential steps. The first is to build an SSH tunnel to a remote server.
Once that's set up, you configure your browser to connect to the local TCP port the SSH client has opened; everything sent to that port is carried through the remote SSH server.
It boils down to a few key actions;
- You open an SSH connection to a remote server. As it connects, your SSH client also opens a local TCP port, bound to 127.0.0.1 and therefore reachable only from your own computer. In this example, I'll use local TCP port :1337.
- You configure your browser (Chrome/Firefox/…) to use that local proxy instead of going out on the internet directly.
- The remote SSH server accepts your SSH connection and acts as the _outgoing proxy_ for every connection made through that SOCKS5 port. Note that this is not a VPN: only TCP connections from applications configured to use the proxy are tunneled; UDP and everything else still leave your machine directly.
To start such a connection, run the following command in your terminal.
$ ssh -D 1337 -q -C -N user@ma.ttias.be
What that command does is;
- -D 1337: open a SOCKS proxy on local port :1337. If that port is taken, pick another. To open multiple SOCKS proxies to multiple endpoints, use a different port for each one. The listener binds to 127.0.0.1 by default; only prefix a bind address (-D 0.0.0.0:1337) if you deliberately want other machines to use it, because ssh performs no authentication on that port and anyone who can reach it can browse as your server.
- -C: compress data in the tunnel to save bandwidth (it helps plain HTTP; HTTPS traffic is already encrypted and gains nothing from it)
- -q: quiet mode, suppress warnings and diagnostic messages
- -N: do not execute a remote command, which is what you want when you only forward ports
- user@ma.ttias.be: your login on the remote SSH server you have access to
Once you run that, ssh stays in the foreground until you press CTRL+C to cancel it. If you prefer to keep it running in the background, add -f to fork it into the background once authentication has completed:
$ ssh -D 1337 -q -C -N -f user@ma.ttias.be
Now you have an SSH tunnel between your computer and the remote host, in this example ma.ttias.be.
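Putting the steps above together, here is an added helper script (it is not part of the original post) that starts the tunnel with an SSH control socket so it can be checked and stopped later, waits until the local port actually accepts connections, and confirms that the listener really speaks SOCKS5 by sending the protocol greeting. The login `user@ma.ttias.be`, port 1337 and the socket path `~/.ssh/socks-1337.ctl` are assumptions.

```bash
#!/usr/bin/env bash
# socks-tunnel.sh: manage and verify an `ssh -D` SOCKS5 tunnel.
# Added example; login, port and socket path are assumptions, not from the post.
# The checks use bash's /dev/tcp pseudo-device, so run this with bash.
set -u

REMOTE="${REMOTE:-user@ma.ttias.be}"        # assumed: your login and server
PORT="${PORT:-1337}"                        # local SOCKS5 port
CTL="${CTL:-$HOME/.ssh/socks-$PORT.ctl}"    # ControlMaster socket (assumed path)

# Build the ssh command line. -M/-S give us a control socket for status and
# shutdown; ExitOnForwardFailure makes ssh fail loudly instead of running on
# silently when the local port is already taken.
tunnel_cmd() {   # tunnel_cmd PORT CTL_SOCKET USER@HOST
    printf 'ssh -D 127.0.0.1:%s -N -f -q -C -M -S %s -o ExitOnForwardFailure=yes %s\n' \
        "$1" "$2" "$3"
}

tunnel_up()     { eval "$(tunnel_cmd "$PORT" "$CTL" "$REMOTE")"; }
tunnel_status() { ssh -S "$CTL" -O check "$REMOTE"; }   # prints "Master running (pid=...)"
tunnel_down()   { ssh -S "$CTL" -O exit  "$REMOTE"; }

# wait_for_port HOST PORT SECONDS: succeed once a TCP connect works, fail on timeout.
wait_for_port() {
    local host=$1 port=$2 deadline=$(( $(date +%s) + $3 ))
    while :; do
        ( exec 3<>"/dev/tcp/$host/$port" ) 2>/dev/null && return 0
        [ "$(date +%s)" -ge "$deadline" ] && return 1
        sleep 0.2
    done
}

# socks5_greet HOST PORT: send the SOCKS5 greeting (version 5, one offered
# method: 0x00 "no authentication") and require the reply 05 00. Anything
# else means the port is open but is not an unauthenticated SOCKS5 listener.
socks5_greet() {
    local reply
    reply=$( ( exec 3<>"/dev/tcp/$1/$2"
               printf '\005\001\000' >&3
               timeout 3 head -c 2 <&3 | od -An -tx1 | tr -d ' \n' ) 2>/dev/null )
    [ "$reply" = "0500" ]
}

case "${1:-}" in
    up)
        tunnel_up || { echo "ssh failed to start the tunnel" >&2; exit 1; }
        wait_for_port 127.0.0.1 "$PORT" 10 || { echo "port $PORT never opened" >&2; exit 1; }
        socks5_greet 127.0.0.1 "$PORT" && echo "SOCKS5 proxy ready on 127.0.0.1:$PORT"
        ;;
    status) tunnel_status ;;
    down)   tunnel_down ;;
esac
```

Usage: `./socks-tunnel.sh up`, then `./socks-tunnel.sh status` or `down`. The greeting check is worth keeping around: a port that answers TCP but not with `05 00` is some other service (or a SOCKS4/HTTP proxy), and the browser error will look the same as a dead tunnel.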
Use SOCKS proxy in Chrome/Firefox
Next up: tell your browser to use that proxy. This has to be done per application, as it isn't a system-wide proxy.
In Chrome, chrome://settings/ only hands you off to the operating system's proxy settings (System > Open your computer's proxy settings); configure a SOCKS5 proxy there, or start Chrome with --proxy-server="socks5://127.0.0.1:1337".
In Firefox, go to Preferences > Advanced > Network and open the Connection settings (in recent versions: Settings > General > Network Settings). Choose manual proxy configuration, set a SOCKS Host of 127.0.0.1 with port 1337, select SOCKS v5, and tick "Proxy DNS when using SOCKS v5" so that name lookups are done by the SSH server instead of by your local network's resolver.
From now on, your browser connects to localhost:1337, the SSH client carries that over the tunnel to the remote server, and the remote server connects to your HTTP or HTTPS sites.
This has some advantages and some caveats. A SOCKS proxy adds no encryption of its own; only the SSH hop is encrypted:
What you send between the browser and the local SOCKS proxy is encrypted if you visit an HTTPS site and plain text if you visit an HTTP site, but it never leaves your machine.
What your SSH client sends between your computer and the remote server is always encrypted, and that is what hides your traffic from the local network.
What your remote server sends on to the requested website is encrypted for an HTTPS site and plain text for plain HTTP, so the SSH server and its network can read HTTP traffic just as your local network could before.
In short, some parts of the path are encrypted and some are not; you have moved the point of trust from the local network to the SSH server, not removed it. Remember too that only applications configured to use the proxy are covered, and that DNS lookups go out directly unless the application resolves names through the SOCKS5 proxy.
Bypassing firewall limitations
If you're somewhere with limited access, you might not even be allowed to open an SSH connection to a remote server on the default port 22. All you need, though, is some way to get an SSH connection going.
So as an alternative, have your SSH server also listen on additional ports like :80, :443 or :53, since web and DNS traffic is usually allowed out of a network. Your best bet is :443: it normally carries an encrypted protocol, so deep packet inspection middleware is less likely to block a connection it cannot read. Bear in mind that this only defeats port-based filtering; SSH announces itself with a clear-text "SSH-2.0-..." banner, so an inspector that expects a TLS handshake on :443 can still tell the difference.
The chances of :53 working are rather slim, as most DNS is UDP based and TCP is only used for zone transfers and for responses too large to fit in a UDP packet.
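The server-side change and the DPI caveat, as an added example that is not from the original post: the script prints the extra Port lines for sshd_config, builds the matching client command, and reads the first line a service sends so you can see for yourself that an SSH server on 443 still identifies itself in clear text. Host, ports and the OpenSSH version string in the test input are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Host and ports are assumptions.
set -u

# Lines for /etc/ssh/sshd_config on the server: sshd accepts several Port
# directives and listens on all of them. Validate with `sshd -t` before
# reloading so a typo cannot lock you out of port 22 as well.
sshd_extra_ports() {   # sshd_extra_ports PORT...
    printf 'Port 22\n'
    for p in "$@"; do printf 'Port %s\n' "$p"; done
}

# Client side: the only change is -p; the SOCKS listener stays at 127.0.0.1:1337.
tunnel_via_port() {    # tunnel_via_port REMOTE_PORT USER@HOST
    printf 'ssh -p %s -D 127.0.0.1:1337 -N -C -q %s\n' "$1" "$2"
}

# ssh_banner HOST PORT: read the first line the service sends after connect.
# An SSH server sends its identification string ("SSH-2.0-OpenSSH_...") before
# the client says anything, on 443 or any other port, which is exactly what
# protocol-aware inspection keys on. Uses bash's /dev/tcp.
ssh_banner() {
    ( exec 3<>"/dev/tcp/$1/$2"
      timeout 5 head -n 1 <&3 ) 2>/dev/null
}

# looks_like_ssh BANNER: 0 if the line is an SSH identification string.
looks_like_ssh() {
    case "$1" in SSH-2.0-*|SSH-1.99-*) return 0 ;; *) return 1 ;; esac
}

case "${1:-}" in
    config) sshd_extra_ports 443 53 ;;                 # print the sshd_config lines
    client) tunnel_via_port 443 user@ma.ttias.be ;;    # assumed login
    probe)  b=$(ssh_banner "$2" "$3")
            printf '%s\n' "${b:-<no banner within 5s>}"
            looks_like_ssh "$b" && echo "identified as SSH on port $3" ;;
esac
```

`./script probe ma.ttias.be 443` shows what any middlebox on the path sees in the first packet from the server; a real TLS server sends nothing until the client's ClientHello, so the mere presence of a server-first banner already gives SSH away.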
Testing SOCKS5 proxy
Visit any "what is my IP" website before and after enabling the SOCKS proxy in your browser.
If all went well, your IP should change to that of your remote SSH server, as that's now the outgoing IP for your web browsing.
If your SSH tunnel is down, crashed or wasn't started yet, your browser will tell you that the SOCKS proxy is not responding.
If that’s the case, restart the ssh command, try a different port or check your local firewall settings.
Solved it finally:
(Follow the steps serially)
1. For gtk3 programs such as rhythmbox and online accounts:
First you need to enter proxy settings in network settings (along with authentication):
Then apply system wide.
2. For apt, Software Center, etc.
edit the file /etc/apt/apt.conf
And then replace all the existing text with the following lines:
3. Environment variables
edit the file /etc/environment
And then add the following lines after PATH="something here":
To make wget work with a proxy, I would also add creating a .wgetrc in your home directory, containing:
http_proxy = http://proxy:port/
https_proxy = http://proxy:port/
proxy_user = user
proxy_password = password
use_proxy = on
wait = 15
That’s not all, of course. Some more programs (npm, curl and git):
npm config set proxy $HTTP_PROXY
npm config set https-proxy $HTTPS_PROXY
npm config set strict-ssl false
echo "proxy = $HTTP_PROXY" > ~/.curlrc
echo "noproxy = $NO_PROXY" >> ~/.curlrc
git config --global http.proxy $HTTP_PROXY
git config --global https.proxy $HTTPS_PROXY
For Maven, edit ~/.m2/settings.xml. IntelliJ does not seem to pick up the global config either.
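The per-tool settings above target an HTTP proxy. For the SSH SOCKS5 tunnel from the first part of this page, the same tools can be pointed at the tunnel directly; the script below is an added example (not from the answer above) that emits the environment, writes the curl/git/apt configuration, and refuses proxy URLs with embedded credentials. Port 1337 and the file `/etc/apt/apt.conf.d/99socks` are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the answer above: point command-line tools at the
# ssh -D SOCKS5 tunnel instead of an HTTP proxy. Port 1337 is an assumption.
set -u

SOCKS_PORT="${SOCKS_PORT:-1337}"

# socks5h:// (note the h) makes curl, git/libcurl and friends hand the *hostname*
# to the proxy, so DNS is resolved on the SSH server. Plain socks5:// resolves
# locally and leaks every name you visit to the local network's resolver.
proxy_url() { printf 'socks5h://127.0.0.1:%s' "$1"; }

# Shell environment: curl, pip and most libcurl-based tools honour ALL_PROXY;
# NO_PROXY keeps loopback and LAN names off the tunnel.
proxy_exports() {   # proxy_exports PORT, meant for: eval "$(./proxy-env.sh env)"
    local url; url=$(proxy_url "$1")
    printf 'export ALL_PROXY=%s\n' "$url"
    printf 'export all_proxy=%s\n' "$url"
    printf 'export NO_PROXY=localhost,127.0.0.1,::1,.local\n'
    printf 'export no_proxy=localhost,127.0.0.1,::1,.local\n'
}

# Refuse proxy URLs that embed credentials: they end up in shell history, in
# the environment of every child process and in each tool's debug output.
# The SSH tunnel needs none, since ssh already authenticated you.
proxy_url_is_safe() {
    case "$1" in *@*) return 1 ;; *) return 0 ;; esac
}

# Per-tool configuration that survives a new shell. No strict-ssl tricks are
# needed: the tunnel carries TLS end to end, so certificates still verify.
configure_tools() {   # configure_tools PORT
    local url; url=$(proxy_url "$1")
    proxy_url_is_safe "$url" || { echo "refusing proxy URL with credentials" >&2; return 1; }
    git config --global http.proxy "$url"                     # git over https://
    printf 'proxy = "%s"\nnoproxy = "localhost,127.0.0.1"\n' "$url" > ~/.curlrc
    # apt >= 1.5 can talk to a SOCKS5 proxy through its http method.
    printf 'Acquire::http::Proxy "%s";\n' "$url" \
        | sudo tee /etc/apt/apt.conf.d/99socks >/dev/null     # assumed file name
}

case "${1:-}" in
    env)   proxy_exports "$SOCKS_PORT" ;;
    setup) configure_tools "$SOCKS_PORT" ;;
esac
```

Check the DNS side afterwards with `curl -v https://example.com/ 2>&1 | head`: with `socks5h://` curl reports the hostname being sent to the proxy and never prints a locally resolved address.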
SOCKS proxy: use redsocks
For the impatient, just do the following, assuming that the proxy is example.com:7777 and it's SOCKS5 (change it to your own later):
- First install redsocks: sudo apt-get install redsocks
- Make an empty file anywhere and name it redsocks.conf (or whatever); I'll assume it's at /etc/redsocks.conf (change it to your own).
- Edit the file you created (redsocks.conf) as follows:
Change example.com 7777 to your proxy (note that you can use any local_port other than 12345; it's the local port that we will set an iptables rule to redirect the traffic to, so if you use another, make sure to use it in the later steps below).
- Now run redsocks with the config file path as follows:
sudo redsocks -c /etc/redsocks.conf
Change the path to that of your redsocks.conf (if you get "bind: Address already in use", try killall redsocks). You can also check whether redsocks is bound to local port 12345 with netstat -tulpn.
- Now that redsocks is running and ready, let's change the iptables rules to use redsocks. This should be customized to your needs, but if you'd like to redirect all HTTP and HTTPS packets through the proxy, define the following rules:
sudo iptables -t nat -N REDSOCKS
sudo iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS
Now your HTTP and HTTPS traffic should be redirected through example.com:7777.
If you want to reset your iptables, use:
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
Additional tip: if you have a VPN on your iPhone or Android, you can use it for free on your PC, whatever the OS is. Just connect the phone's VPN app and establish a SOCKS proxy server (on Android you can use the 'Servers Ultimate' app), then use the proxy on your PC as above; now all your PC traffic is routed through your phone's VPN. Neat.
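The redsocks procedure above, as an added example that is not from the post: one script writes a redsocks.conf pointing at the local `ssh -D` listener, loads the nat rules through iptables-restore (keeping whatever firewall rules are already present, rather than the `iptables -F` reset, which wipes them too), and removes only what it added. It hooks OUTPUT only, since the PREROUTING rules in the post would also hijack traffic forwarded from other hosts when the machine routes for them. Ports 1337 (SOCKS) and 12345 (redsocks) and the path /etc/redsocks.conf are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the post above: transparent redirection of outbound
# TCP 80/443 into an ssh -D SOCKS5 tunnel via redsocks, with idempotent
# apply/remove. Ports 1337 and 12345 and /etc/redsocks.conf are assumptions.
set -u

SOCKS_PORT="${SOCKS_PORT:-1337}"
REDSOCKS_PORT="${REDSOCKS_PORT:-12345}"
CONF="${CONF:-/etc/redsocks.conf}"

# Destinations that must never go to the proxy: "this" network, RFC 1918,
# loopback, link-local, multicast and reserved. They RETURN from the chain.
BYPASS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

redsocks_conf() {   # redsocks_conf SOCKS_PORT REDSOCKS_PORT -> config on stdout
    cat <<EOF
base {
    log_debug = off;
    log_info = on;
    log = "stderr";
    daemon = off;
    redirector = iptables;
}
redsocks {
    local_ip = 127.0.0.1;
    local_port = $2;
    ip = 127.0.0.1;
    port = $1;
    type = socks5;
}
EOF
}

# nat table in iptables-restore format. Bypass rules come first; the final
# REDIRECT catches everything else that OUTPUT sent into the chain.
redsocks_rules() {   # redsocks_rules REDSOCKS_PORT -> ruleset on stdout
    printf '*nat\n:REDSOCKS - [0:0]\n'
    for net in $BYPASS; do printf -- '-A REDSOCKS -d %s -j RETURN\n' "$net"; done
    printf -- '-A REDSOCKS -p tcp -j REDIRECT --to-ports %s\n' "$1"
    printf -- '-A OUTPUT -p tcp --dport 80 -j REDSOCKS\n'
    printf -- '-A OUTPUT -p tcp --dport 443 -j REDSOCKS\n'
    printf 'COMMIT\n'
}

redsocks_apply() {
    # -C checks whether the jump already exists, so a second apply is a no-op.
    if iptables -t nat -C OUTPUT -p tcp --dport 80 -j REDSOCKS 2>/dev/null; then
        echo "redsocks rules already present" >&2; return 0
    fi
    redsocks_conf "$SOCKS_PORT" "$REDSOCKS_PORT" > "$CONF"
    redsocks -c "$CONF" &
    redsocks_rules "$REDSOCKS_PORT" | iptables-restore --noflush   # keep other rules
}

# Undo only what we added; a plain `iptables -F` would also drop the host firewall.
redsocks_remove() {
    iptables -t nat -D OUTPUT -p tcp --dport 80  -j REDSOCKS
    iptables -t nat -D OUTPUT -p tcp --dport 443 -j REDSOCKS
    iptables -t nat -F REDSOCKS
    iptables -t nat -X REDSOCKS
    pkill -x redsocks
}

case "${1:-}" in
    apply)  redsocks_apply ;;
    remove) redsocks_remove ;;
    show)   redsocks_rules "$REDSOCKS_PORT" ;;   # dry run: print the ruleset
esac
```

Run `show` first and read the ruleset; note that with this in place every process on the host, not just the browser, has its port 80/443 connections sent to the SSH server, including background updaters and anything started by other users.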