Your Own Personal Proxy Over Any SSH

Written on August 14th, 2013.

If you have a web host or server that allows SSH, then you can probably set up a proxy to let you browse safely via that server. It’s quick, it’s simple, and it’s only a few keystrokes away.

Warning: Please read the disclaimer at the bottom of this post.

There are many cases where you want your web browsing to be (semi) private. You want to get around a firewall, you need to access a website from a public wifi without getting sniffed, or something else is blocking your access to the free web.

Well, if you have a web host or server allowing you to SSH, you can probably get around it. Before you start, make sure you know how to SSH into your server. Go ahead, I’ll wait.

OpenSSH (OS X/Linux, though PuTTY works for Windows too) includes dynamic forwarding functionality, which uses something called a SOCKS proxy. This is the simplest form of a proxy you could imagine: applications that support it send their data to a designated local port, and the SSH client forwards it to the SSH server. The server makes the connection on your behalf, and the results are returned, again, via SSH.

This way, you gain the protection provided by SSH: communication from your computer to the SSH server is fully encrypted and bypasses pretty much everything in between. Note that it doesn’t encrypt traffic beyond the SSH server, as that is transmitted normally over the net. But it will protect you for the first half of the way. The sites you visit will think you’re coming from your SSH server.

To start, simply go to your terminal and log in to SSH normally with the added -D option set to a port number:

ssh -D 1234 user@server.example.com

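The value doesn’t need to be 1234; it can be any valid port. Just make sure you remember it. You can also set a bind address (-D 192.168.100.100:1234) to allow other machines on your network to use the proxy. Keep in mind that the listener asks for no authentication, so anyone who can reach that address and port can browse through your SSH server.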

Leave the SSH session sitting open (or use -ND instead of -D to maintain a “silent” session). Your SOCKS proxy is now open on localhost:1234. By default, it’s on version 5.

SOCKS support can either be by OS or per app. To start browsing through it on Chrome, I suggest the Proxy SwitchySharp extension. After installing it, create a new profile and set a SOCKS host:

[Screenshot: Proxy SwitchySharp profile with a SOCKS host configured]

And enable it via the extension’s icon.

Boom. You’re done!

Note that you need SOCKS5 in order to route DNS lookups, which is pretty important if you need to hide what sites you’re browsing. At the moment, Proxy SwitchySharp seems to do this by default.

Important warning about relying on a proxy for security:
SOCKS is far from a “complete” solution. It is limited to TCP and relies on different levels of application support. If you need more control or more hiding, a VPN may work better.

If your goal is to circumvent censorship or protect yourself from network snooping, other, safer services such as Tor may be preferable. Tor hides all communication via multiple points, making it much safer. It is, however, slower.

This blog post isn’t a conclusive resource, and I’m not a security expert. Please make sure you are fully aware of the limitations and requirements of your setup and local laws.

Similarly, make sure you have permission from your hosting company before you do this. I use WebFaction, which allows personal use only. Observe your company’s Acceptable Use Policy and Terms of Use. If in doubt, email them for written permission.