SSH + SOCKS5 = Universal proxy
Wednesday, November 14th, 2007
I didn’t know it, but (Open)SSH supports setting up a Socks5 proxy:
-D [bind_address:]port Specifies a local ``dynamic'' application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configura- tion file.
Socks5 is pretty neat, as it allows you to proxy stuff without the server having to know anything about the way the client works. For instance, if we give the following command:
$ ssh -N -D 127.0.0.1:8080 todsah@sharky.electricmonk.nl
We can now tell all kinds of clients such as web browsers and instant messaging clients that there is a Socks5 proxy running on the localhost at port 8080. SSH will forward all connections made to port 8080 to the sharky.electricmonk.nl host (all encrypted of course).
So, say we tell Pidgin that it should connect your MSN account through the Socks5 proxy at localhost:8080 by opening the Accounts (Ctrl-A) → Click MSN account → click Modify → Advanced tab → Proxy options → Proxy type = SOCKS5 and setting it to Host: localhost, Port: 8080. Now, when we reconnect to our MSN account, all MSN traffic will be routed over an encrypted SSH tunnel to the sharky.electricmonk.nl host, and will enter the public Internet from there.
This works great if you don’t trust the network you’re currently on, but don’t have access to a VPN for instance. You also don’t have to specify a single forward for each application/port like you have to do when you use ssh -L. You can use the same SOCKS5 proxied port with multiple applications, as long as they understand SOCKS5.