SSH SOCKS Proxy Tunnel

August 29, 2009

OpenSSH has built-in SOCKS proxy support, meaning that you can start an SSH process on your workstation or laptop, henceforth localhost, that will act as a SOCKS proxy server, forwarding all browser activity through some remote machine remotehost. To see why this is so extremely useful, consider the following two use cases.

First, suppose you are a university professor or student and need to access journal articles from an off-campus location. Most article archives (e.g., JSTOR) restrict full-text access to subscribers, such as universities, and subscriber access is typically granted automatically if you’re visiting from an university-owned IP address. By configuring your browser to use such an SSH proxy tunnel, through an on-campus machine remotehost to which you have access, you can easily download journal articles remotely.1

Now, suppose you are working in a public area over an unsecured wireless connection and you’re concerned about sending your data in plain text over this connection. A SSH SOCKS proxy tunnel to a secure remotehost machine will encrypt the data being sent over the unsecured connection (although, it will become plain text again after leaving remotehost unless it’s an encrypted session of some kind).

Starting the required SOCKS proxy is simple. First, on localhost, instruct SSH to act as a SOCKS server, forwarding connections to a pre-specified port, say 7777, to a remote machine called remotehost:

ssh -N -D 7777 remotehost

Replace 7777 with your favorite local port number. Leave this process open until you are finished browsing. Alternatively, with the -f switch, the SSH process will fork to the background, although you’ll then have to manually find the process ID to kill it when you’re finished (or just leave it open for later).

Now you must configure your browser to use the proxy. In Firefox, one selects Preferences | Advanced | Network | Settings on the menu and enters the following information in the “Manual proxy configuration” section:

SOCKS Host: 127.0.0.1
Port: 7777
SOCKS v5

By default, DNS lookups will still be performed by the local machine. To request that DNS lookups be performed on the proxy machine, you can visit about:config and change the value of network.proxy.socks_remote_dns to true. A quick way to avoid changing the proxy settings for each session is to create a separate profile with the appropriate proxy settings and then run Firefox with the -P profile_name option.

  1. Of course, university libraries typically provide either a proxy server or a login mechanism which will allow you to access articles remotely, after you’ve found the journal in the catalog, but I find this process to be unnecessarily tedious.