SSH + SOCKS5 = Universal proxy
Wednesday, November 14th, 2007
I didn't know it, but (Open)SSH supports setting up a Socks5 proxy:
-D [bind_address:]port Specifies a local ``dynamic'' application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
Socks5 is pretty neat, as it allows you to proxy stuff without the server having to know anything about the client application or the protocol it speaks. For instance, if we give the following command:
$ ssh -N -D 127.0.0.1:8080 email@example.com
We can now tell all kinds of clients such as web browsers and instant messaging clients that there is a Socks5 proxy running on the localhost at port 8080. SSH will forward all connections made to port 8080 to the sharky.electricmonk.nl host (all encrypted of course).
So, say we tell Pidgin that it should connect our MSN account through the Socks5 proxy at localhost:8080 by opening the Accounts (Ctrl-A) → Click MSN account → click Modify → Advanced tab → Proxy options → Proxy type = SOCKS5 and setting it to Host: localhost, Port: 8080. Now, when we reconnect to our MSN account, all MSN traffic will be routed over an encrypted SSH tunnel to the sharky.electricmonk.nl host, and will enter the public Internet from there.
This works great if you don't trust the network you're currently on but don't have access to a VPN, for instance. You also don't have to specify a separate forward for each application/port like you have to do when you use ssh -L. You can use the same SOCKS5 proxied port with multiple applications, as long as they understand SOCKS5.
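As an added example (not from the original post, and not OpenSSH's own code), here is a small Python model of the SOCKS5 exchange (RFC 1928) between an application and the local SOCKS server that ssh -D provides; the host names, ports and function names in it are my own. It makes concrete the line from the man page quoted above, "the application protocol is then used to determine where to connect to from the remote machine": a SOCKS5 client can hand the proxy a hostname (address type 0x03), so the name is resolved on the SSH server end, whereas a client that resolves names locally still sends DNS queries over the untrusted network even though the TCP traffic itself is tunnelled. The proxy-side parser shows what the SSH server learns from each CONNECT request.

```python
"""Minimal SOCKS5 (RFC 1928) request builder/parser, modelling the
exchange between a client and the SOCKS server behind `ssh -D`.
Assumes the proxy offers "no authentication", which is what ssh -D does.
"""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# REP codes from RFC 1928 section 6
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting():
    """Client hello: VER, NMETHODS, METHODS. Only "no auth" is offered."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def encode_address(host):
    """Encode a destination as ATYP + ADDR. Literal IPs go as IPv4/IPv6;
    anything else is sent as a domain name (ATYP 0x03), so the *proxy end*
    resolves it and no DNS query for it leaves the local network."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host)
        except OSError:
            continue
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("domain name must be 1..255 bytes")
    return bytes([ATYP_DOMAIN, len(name)]) + name


def build_connect(host, port):
    """CONNECT request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT (big-endian)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack("!H", port)


def parse_connect(data):
    """Proxy-side view: decode a CONNECT request to (host, port), i.e. what the
    SSH server will connect to on the client's behalf. Rejects malformed input."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 8
    elif atyp == ATYP_IPV6:
        end = 20
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]          # 1-byte length prefix, then the name
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(data) != end + 2:       # exactly DST.ADDR plus a 2-byte port
        raise ValueError("truncated or trailing bytes in CONNECT request")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, data[4:end])
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, data[4:end])
    else:
        host = data[5:end].decode("idna")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return host, port


def parse_reply(data):
    """Decode the server's reply to CONNECT; returns (REP code, meaning)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep = data[1]
    return rep, REPLY_TEXT.get(rep, "unassigned reply code 0x%02x" % rep)


def socks5_connect(proxy, dest_host, dest_port, timeout=10):
    """Full client handshake against a live SOCKS5 proxy such as ("127.0.0.1", 8080)
    from `ssh -N -D 127.0.0.1:8080 ...`. Returns a socket whose traffic now
    leaves the network from the SSH server. Needs a running tunnel; not run offline."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_greeting())
    choice = s.recv(2)
    if len(choice) != 2 or choice[0] != SOCKS_VERSION or choice[1] != METHOD_NO_AUTH:
        s.close()
        raise ConnectionError("proxy did not accept the 'no auth' method")
    s.sendall(build_connect(dest_host, dest_port))
    rep, meaning = parse_reply(s.recv(262))   # longest reply: 4 + 1 + 255 + 2 bytes
    if rep != 0x00:
        s.close()
        raise ConnectionError("CONNECT %s:%d failed: %s" % (dest_host, dest_port, meaning))
    return s
```

socks5_connect(("127.0.0.1", 8080), "example.org", 443) performs the handshake against a running ssh -D and hands back a socket that goes through the tunnel. To check whether a given client really sends names to the proxy, compare curl --socks5 127.0.0.1:8080 (resolves the name locally) with curl --socks5-hostname 127.0.0.1:8080 (sends the name to the proxy); browsers and IM clients usually have a separate switch for this, for example Firefox's network.proxy.socks_remote_dns preference.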