How To Proxy Internet Connections Through SSH Tunnels

There are a number of very good reasons you might want to route your internet traffic thru an encrypted tunnel – be it for security reasons (all traffic between you and the server you’re proxying thru would be well encrypted), privacy reasons (hiding your real IP address, and thus location), technical reasons (getting around IP-based authentication restrictions, creating a poor-man’s VPN), or simply because you can. Below, I’ll show you how to do it, easily, reliably, and securely.

What is described here is the “tunneling” of applications’ traffic thru an encrypted SSH connection. To do this, obviously, you need a shell account. If you have your own server, you can certainly use that; if not, you can mooch one from a friend with a server somewhere, pay for one, or try to get a free one from somewhere. Any which way you get one, it’s a requisite.

Also required is the ability to create an SSH connection. If you run Linux or a UNIX-based OS, you’re set. If you’re running Windows, you’ll probably find PuTTY quite useful. There are other SSH clients out there, but PuTTY is (probably) the best of the bunch, and certainly the most popular.

Having acquired PuTTY (or the smartcard-enabled version, if you use cryptographic tokens for authentication), load it up; you should get a screen something like this:

Default PuTTY screen

In the address box, put the hostname or IP address of the server you have an SSH account on; here we’re using example.tld. Make sure the SSH radio button or check-box is ticked, and be sure you’re using port 22. In the menu, click on “SSH”, and you should see a screen similar to this:

PuTTY SSH setup window

Here, select “enable compression”; this will compress the traffic thru your SSH tunnel, which not only provides a modest improvement in transfer rates, but has some minor security benefits as well. Set your preferred protocol to “2”, or “2 only”, and click on the “tunnels” menu under SSH:

PuTTY SSH tunnel and port-forwarding screen

At the bottom, select the “dynamic” button, and enter a source port. In the example, we’re using 4567, but any port not otherwise in use on your machine will work just as well. Click the “add” button, and you should see something like this:

PuTTY dynamic port forwarding setup screen

That out of the way, go back to the “session” tab in the menu, enter in a title for this proxy, and click save.

PuTTY screen, saving our connection settings

The hard part’s out of the way, now; all that’s left is to try out our new SSH tunnel. Fire up PuTTY, select the connection we just saved, and log in as normal to the account you’re using. Now, open whatever SOCKS-compatible application you’d like to tunnel; in the example below, we’re using everyone’s favorite web browser, Firefox. Regardless of the application, you need to get to the proxy settings. In Firefox under Windows, it’s under Tools -> Options -> General -> Connection Settings. Once there, put in “127.0.0.1” for the proxy address (Windows doesn’t know “localhost” from Adam), and the local port you chose earlier; in our example it’s 4567:

Firefox proxy settings screen

Socks5 is preferable to version four, and supported by our SSH tunnel, so select it. Click OK, and you should now be proxying thru the server with the SSH account; a quick check of one or more “What’s my IP?” websites should confirm this.

Unix and Linux users don’t need PuTTY; you geeks can simply type:
ssh -2 -C -D 4567 username@example.tld
…and go from there. The options select the SSH2 protocol (-2), enable compression (-C), and set the local port for the dynamic SOCKS proxy (-D 4567).

With the advent of portable applications that can run off flash drives, including Firefox Portable, it’s possible to take relatively secure, reasonably private internet access with you wherever you go; PuTTY runs fine off removable media, like thumb drives. You can tunnel web and email traffic easily, some instant-messenger traffic, some P2P applications, and probably most other things with a little effort. One thing you absolutely, positively cannot tunnel thru a connection like this is FTP traffic, for purely (and unavoidably) technical reasons.

What you’re doing is creating a secure connection between your computer and a remote computer. Everything passing between these two computers is encrypted (and compressed, if the server supports it). Your browser requests, as an example, then come “out” the remote server and to their destination; the response comes to the server, then gets encrypted and sent back to you thru the secure tunnel. This is a great way to secure traffic thru wireless connections, among other things. Under normal circumstances, the traffic to and from the tunnel won’t be logged, though packet sniffers running on the remote connection could, of course, see the unencrypted half of all traffic.

An interesting little note about SSH is that you can create a tunnel thru an SSH account even if you’re not logged in, or incapable of getting an actual shell. A good discussion of the phenomenon is here. In PuTTY, go to the SSH screen, and tick “Don’t start a shell or command at all”; for the CLI geeks, just add “-N” to your ssh command.

Published in: Geekiness, General, Security | on February 9th, 2007| 25 Comments »


25 Comments

  1. On 2/10/2007 at 3:08 am Ben Said:

    You are missing the end quote on the span in <img align=”center” src=”http://frank.redpin.com/~urbex/wht/putty4.jpg” span=”80% alt=”PuTTY dynamic port forwarding setup screen”/>

  2. On 2/10/2007 at 12:55 pm Nemo Said:

    Thanks; it should be fixed now. Darn that fully-manual HTML coding, eh? :)

  3. On 8/31/2007 at 12:49 pm Nemo Said:

    For what it’s worth, I’ve since discovered that this works beautifully with bittorrent, at least with the utorrent client…

  4. On 11/11/2007 at 9:08 am omert Said:

    the port 4567 which you mentioned above has to be open on server or the client accessing the ssh server ? and why 4567 ? do i just have to run ssh server with no other configuration to port my voip or any other traffic ? is there any voip client which supports socks?

  5. On 11/11/2007 at 1:10 pm Nemo Said:

    4567 is just an example; you just want to use a port that isn’t already in use on the client machine. Yes, you need access to an SSH server of some sort to do this. As I mentioned in my reply to your other comment, using a proxy for the actual voice traffic with VOIP is probably a bad idea – and I’m not aware of any softphone or ATA which supports a SOCKS proxy for such a thing, though there could well be something out there.

  6. On 12/11/2007 at 7:44 am alex Said:

    Would the data viewed through the tunnel be viewable by an IT department? We have restricted net access, and are blocked from 99% of websites and this way was a viable alternative.

    I run firefox portable tunneling through PuTTY. There is data saved in my Application Data folder, but due to network restrictions, I am unable to view this. Would the /history folder contain all the data, or just binary/encrypted information?

  7. On 12/11/2007 at 1:17 pm Nemo Said:

    The data transferred through the tunnel would not be readable by an IT department, no. They can obviously see the traffic, but to them it’s just encrypted SSH. As far as stuff saved on your local computer, if you configure Firefox Portable to not cache anything, remember no history, et cetera, you should be fairly safe. A lot depends on what you’re doing on the web; whether you need cookies, for example. Worst-case scenario, “they” may know where you’ve been browsing, but not what, exactly, you’ve been seeing – assuming there’s no spyware, keylogger, et cetera on your workstation…

  8. On 12/20/2007 at 6:41 pm tony Said:

    Putty does not seem to support SOCKS5, I could only get 4a to work with FTP programs.

  9. On 12/20/2007 at 6:57 pm Nemo Said:

    Putty supports SOCKS5 just fine – but, to quote the article above:

    One thing you absolutely, positively cannot tunnel thru a connection like this is FTP traffic, for purely (and unavoidably) technical reasons.

    FTP is the problem, not Putty. Use SFTP instead.

  10. On 12/31/2007 at 6:40 am Omar Said:

    Please, if it’s not too much trouble; can you give me a brief description/tutorial on how to connect my xbox 360 through a proxy? The one I use requires authentication. I need to do this because my university limits the bandwidth on torrents and Xbox Live. I started using this proxy on uTorrent and not only does it work now, I download at 1 mbps. If I can do the same for xbox, no more lag!!! Please help guys, please!

  11. On 12/31/2007 at 12:28 pm Nemo Said:

    Omar;

    I don’t have an XBox, nor any other console, so I can’t say for sure if this will work; I’m not sure the XBox understands SOCKS proxies. If it does, you get to delve into the realm of advanced SSH tunneling. :) Basically, what you have to do is proxy the XBox through another, local, computer – your desktop, laptop, or whatever, which has an SSH tunnel running as described above. There are two changes that need to be made:

    In the third step above, where you’re creating the dynamic port to use for the proxy, tick the “local ports accept connections from other hosts” box/button, and proceed as normal. Then, assuming the XBox can be proxied, use the LAN address of the computer as the console’s proxy address – i.e., rather than using “127.0.0.1”, use “192.168.0.5” or whatever, with whatever port you have set – 4567, in the examples above. Assuming the XBox can speak SOCKS4 or SOCKS5, this should work; you might need to change settings in, or even disable, any software firewalls (ZoneAlarm, et cetera) running on the computer for this to work.

  12. On 1/9/2008 at 8:04 pm KevDog Said:

    If using Firefox through the SOCKS proxy, how does the user confirm packets are being sent through the proxy rather than through the open network?

  13. On 1/9/2008 at 8:27 pm Nemo Said:

    Well… you could just put your blind faith in Firefox and trust that it’s going to do what you tell it to. :) Otherwise your options range from hardware/software firewalls to packet sniffers (or a combination of the above.)

    Basically, the “most foolproof” way is to create an environment where Firefox cannot access the network directly. With ZoneAlarm – which I use as an example simply because I’m familiar with it, not because I necessarily recommend it – you can deny Firefox access to the “internet zone”, and allow access to the “local zone”, which is where the local – duh – end of the proxy tunnel is.

  14. On 1/13/2008 at 6:08 pm Omar Said:

    Thanks a million Nemo. I had no idea I would get a reply, let alone one that fast! I’m sorry to bother you with my n00biness in this field but I was just wondering whether SSH tunneling only works for socks proxies. The one I use is an http proxy, would that work? Thanks in advance :).

  15. On 1/13/2008 at 7:10 pm Nemo Said:

    An HTTP proxy is fundamentally different than a SOCKS proxy, alas; SOCKS proxies are protocol-agnostic, whereas HTTP proxies are really only designed to handle HTTP traffic. They can be made to do a little more, but I’m unfortunately fairly confident that handling gameserver traffic is way, way beyond what they can be stretched to handle.

    At the risk of sounding like Ted Stevens, an SSH tunnel or SOCKS proxy is basically a big tube; just about anything can go in one end, and come out the other. HTTP proxies are more like narrow keyholes; stuff needs to be the right shape and size (i.e. an HTTP request, or look like one, in the case of CONNECT requests) to pass through.

  16. On 1/21/2008 at 7:20 am Omar Said:

    I see. Looks like I’ll have to settle with laggy Halo :(. Thanks though Nemo, I really appreciate it!

  17. On 1/21/2008 at 3:27 pm Omar Said:

    One more question guys please. Once again I apologize for sounding like a complete moron. Is there any way to tunnel all incoming and outgoing connections through an http proxy? If not, will purchasing an American Socks proxy make my connection slower? (considering I live in the Middle East). And last but not least, are there any free socks proxies that are fast and reliable? You guys rule, and thank you Nemo for your ever so useful replies. Peace!

  18. On 1/21/2008 at 4:07 pm Nemo Said:

    Tunnel everything through an HTTP proxy? Not really, at least as far as I’m aware. As far as speed goes, it will almost certainly add a little bit of latency to your connection – not nearly as much as, say, using TOR will – but in my limited experience, your real-world transfer speeds will be unaffected, or even improve slightly.

    I don’t believe there are any “free” socks proxies (there are free shell providers, but making an SSH tunnel is probably against their terms of service); there are many proxies that are (presumably) accidentally open to the world, and free to (illegally) exploit; they tend to be heavily abused by spammers and other internet miscreants, so are rarely fast or terribly reliable. There’s also the whole question of whose machine you’re proxying through, and whether you’d like them to be able to see all your internet traffic; it’s widely believed that at least a few “open” socks proxies on the ‘net are “honeypots”, but I’m not sure that’s ever been proven in a meaningful way…

  19. On 1/22/2008 at 10:20 am Omar Said:

    Thank you very much Nemo, I believe all my questions have been professionally answered :D. Good day to you all. Cheers.

  20. On 2/19/2008 at 5:27 pm Justin Said:

    Ok, I’m not sure I know what I’m doing but I’ll explain what I’ve done so far. I’m on a wireless connection at a hotel which blocks utorrent. So I have set up an ssh tunnel and I’m able to download now, however utorrent is saying that the listening port is not open so utorrent is not making any incoming connections. The proxy connection is good but do you have any advice on what I can do to correct the problem with the listening port?

  21. On 2/19/2008 at 6:01 pm Nemo Said:

    Justin: That sounds like a NAT problem, and one you’re unlikely to be able to fix (without access to the hotel’s router, anyway). If you’re able to download (and upload) stuff via utorrent, then it’s working as well as it’s going to. Utorrent likes to complain when things aren’t “perfect”, but still works perfectly well under all sorts of less-than-ideal circumstances. Remember, you’re using bittorrent in a fashion it was never meant to be used. :)

    If you’re able to transfer data, I wouldn’t worry about it.

  22. On 3/17/2008 at 3:45 pm binarythrottle Said:

    Thanks for a nice post with pics that make this painless. I have directed friends here to help them get out around websense.

    Another thing that you want to do is go to the config for firefox and enable network.proxy.socks_remote_dns.

    If you don’t your local company or school can still see your DNS lookups before they go out over the tunnel.

    To do this just type about:config in the address bar of firefox and then click on network.proxy.socks_remote_dns so it says true.
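The article’s preference for SOCKS5 over SOCKS4 and this comment’s socks_remote_dns setting come down to the same thing: what the CONNECT request sent to the tunnel’s local end actually carries. The following Python is an added example, not code from the original post or any of the comments; it builds SOCKS4, SOCKS4a and SOCKS5 CONNECT requests for the constructed destination example.tld (the article’s own placeholder hostname) and decodes a SOCKS5 request so you can see whether the proxy or the client is doing the DNS lookup.

```python
import ipaddress
import struct

# Added example, not code from the original post or its comments. It builds the
# CONNECT requests a SOCKS client sends to the local end of the tunnel
# (127.0.0.1:4567 above) so you can see which versions carry an IP the client
# already resolved, and which let the SSH server resolve the name instead.
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928). A literal IP goes out as ATYP 1 or 4; a name
    goes out as ATYP 3, so the lookup happens on the far side of the tunnel.
    Firefox only does this when network.proxy.socks_remote_dns is true."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return b"\x05\x01\x00" + bytes([atyp]) + addr + struct.pack("!H", port)

def socks4_connect(ipv4: str, port: int, userid: str = "") -> bytes:
    """SOCKS4 CONNECT carries only an IPv4 address: the client must resolve
    the name itself first, and that lookup is visible to the local network."""
    packed = ipaddress.IPv4Address(ipv4).packed
    return b"\x04\x01" + struct.pack("!H", port) + packed + userid.encode() + b"\x00"

def socks4a_connect(host: str, port: int, userid: str = "") -> bytes:
    """SOCKS4a: the invalid IP 0.0.0.1 tells the proxy a hostname follows."""
    return (b"\x04\x01" + struct.pack("!H", port) + b"\x00\x00\x00\x01"
            + userid.encode() + b"\x00" + host.encode("idna") + b"\x00")

def parse_socks5_connect(req: bytes) -> tuple:
    """Decode a SOCKS5 CONNECT into (kind, destination, port). 'domain' means
    the proxy, not the client, resolves the name: no local DNS leak."""
    if len(req) < 7 or req[0] != 5 or req[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        kind, dest, rest = "ipv4", str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        kind, dest, rest = "ipv6", str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        kind, dest, rest = "domain", req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return kind, dest, struct.unpack("!H", rest)[0]
```

Feeding socks5_connect("example.tld", 443) to parse_socks5_connect returns ("domain", "example.tld", 443), which is the request shape you want to see leaving Firefox; a SOCKS4 request can only ever carry an address the client already looked up.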

  23. On 10/21/2008 at 9:24 pm coffeekid Said:

    Great post . . . stumbled across it while I was having problems. I previously posted my “problem” with a Linux forum and a Firefox forum. Still no fix, so I thought I might try here as well, I’ve grown a little tired of posting it so here are two links:

    http://www.linuxquestions.org/questions/linux-general-1/cannot-browse-firefox-through-ssh-proxy-connection-678058/

    http://www.firefoxforum.com/showthread.php?t=961

    In short, I’ve done all the above and still can’t browse through my SSH connection. Any guidance, insight would be VERY appreciated!

  24. On 8/30/2009 at 10:38 am bkp Said:

    Nemo, Sorry to resurrect this, but you seem like one of the few people on the ‘net who actually knows what he’s talking about yet can still make it comprehensible to us noobs. I’m in Kuwait right now and although it’s not as restrictive as KSA or Iran, there are still a *lot* of websites that are inexplicably blocked. (Skype for example.) I have both Windoze XP and Xubuntu 8.10 installed and have used VPN, but it’s been 10+ years since I was a full-time techie, so my brain’s a bit rusty.

    Every “free” proxy I’ve found on Google has already been found by the Ministry of Interior and so is already blocked, so now I’m looking for a more elegant solution that I can actually make work here. Any suggestions?

  25. On 8/30/2009 at 1:23 pm Nemo Said:

    You need to use a non-public, non-free proxy, that’s all. Get a VPS from someone like VPS4LESS (2Mbit unmetered bandwidth, 4 Euros per month) or any of the offers listed here; either use that as an SSH tunnel, or set up a VPN on it, and you should have no problems. Because it won’t be a public, open proxy, the MoI won’t be able to *tell* it’s a proxy, ergo… they won’t block access to it. It’ll cost a couple bucks, but problem solved. (There’s nothing stopping you from getting a small VPS for, say, $8/mo, setting it up as a private VPN or whatever, and selling access to a handful of coworkers for a couple bucks each. The cost of a can or two of 3.2 near-beer a month is a small price to pay for access to Facebook, YouTube, et cetera…)

    By the way, not all the site blocks are really inexplicable, when you remember that a lot of businesses in Kuwait are state-run and don’t want competition. That’s almost certainly why Skype is blocked – every VOIP call is lost revenue for the state-run telecom operation.
