We can set up a SOCKS proxy on top of an SSH tunnel. Besides the common proxy functions, such as web browsing, a proxy on top of an SSH tunnel also secures the traffic between the browser and the proxy server (the SSH server). In this post, we introduce and explain how to set up a proxy over an SSH tunnel and how the mechanism works.

A simple example

Let’s start with a simple example. We have access to an sshd server, sshd_server, and we want to use it as a socks5 proxy server. This is simple with ssh:

$ ssh -D 8080 username@sshd_server

After that, set the proxy option of the browser, such as Firefox, to use the socks5 proxy. That’s it!

Then check, from a website’s point of view, whether your IP is that of the proxy: Who am I.


Once upon a time the Internet was bidirectional and everyone could run a server at their end. Unfortunately, those days are long gone and many ISPs today, especially cable providers, do not assign a public IPv4 address to their customers. Not even when you ask them nicely. Not even for money, unless you are a business customer who is willing to pay through the nose for the privilege. Fortunately, there is a way to run servers at home and make them accessible to the outside world, and an easy one at that.

The program that makes this straightforward is ssh, or secure shell. Despite its name, ssh is the Swiss army knife when it comes to establishing tunnels between different parts of the Internet through which TCP packets can be forwarded.

So making a server at home available despite a provider's double NAT can be done by renting a server with a public IP address, preferably from a local cloud provider, and then using it to forward packets. In my case, I pay €3 a month for such a server, which, by the way, I also use to run this blog on!

In the example, the server at home uses TCP port 7324 but should be accessible from the Internet on TCP port 8080. One would usually use the same port on both sides, but I thought different ports make it clearer whether the local or the remote port is meant in my example below. In addition, I use TCP port 39122 for ssh on the remote server instead of port 22, as my access log would otherwise be full of connection requests from bots on a mission.

Once things are working, autossh and crontab can be used to put the tunnel process into the background, to restore the tunnel automatically when it fails and to even survive reboots without administrative action. Have fun!


Something useful for a change today.
Of course, you must not apply the following knowledge if you do not have permission to do so.
But who would do such a thing anyway? 😉

Reverse SSH Shell
You have surely heard of it before.

A reverse SSH tunnel is needed, for example, to access a machine that sits behind a firewall system and can reach the Internet itself but has a so-called private IP address. Since the machine cannot be reached from outside, it has to establish an SSH tunnel from the inside (through the firewall if necessary) to an external machine. Up to that point, this would be a “normal” SSH tunnel. However, it is set up so that it also allows connections from the external machine to the inside.

Example uses:
– A test server at the company that you want to keep working on from home
– A home server in a student dormitory
– A backdoor in hacked devices (of course nobody does that) 😉
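
Seen from the side of whoever administers the machines involved, the SOCKS proxy and the reverse tunnels described on this page show up in the ssh client's command line. The following added example (not code from any of the original posts) parses ssh and autossh command lines, as found in a process listing, and reports every port forward they request. The sample lines are constructed; the host vps.example, the user names, the forwarding specs and the function name ssh_forwards are assumptions.

```python
import shlex

# OpenSSH ssh(1) single-letter options that consume an argument.
TAKES_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")
KIND = {"D": "dynamic/SOCKS", "R": "remote/reverse", "L": "local"}
KEYWORD = {"dynamicforward": "D", "remoteforward": "R", "localforward": "L"}

def ssh_forwards(cmdline):
    """Return [(kind, spec), ...] for each port forward an ssh command line requests."""
    argv = shlex.split(cmdline)
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    if prog not in ("ssh", "autossh"):
        return []
    # autossh hands its arguments to ssh, except its own -M <port>.
    takes = TAKES_ARG | {"M"} if prog == "autossh" else TAKES_ARG
    found, host_seen, i = [], False, 1
    while i < len(argv):
        word = argv[i]
        i += 1
        if not word.startswith("-"):
            if host_seen:
                break          # second bare word: the remote command starts here
            host_seen = True   # ssh still accepts options right after the destination
            continue
        for j, opt in enumerate(word[1:], start=2):
            if opt not in takes:
                continue       # boolean flag such as -N or -f, possibly bundled
            value = word[j:]   # argument attached to the flag (-L7324:...) ...
            if not value and i < len(argv):
                value, i = argv[i], i + 1   # ... or given as the next word
            if opt in KIND:
                found.append((KIND[opt], value))
            elif opt == "o":   # -o RemoteForward=... and friends
                key, _, rest = value.replace("=", " ", 1).partition(" ")
                if key.lower() in KEYWORD:
                    found.append((KIND[KEYWORD[key.lower()]], rest.strip()))
            break              # an option argument ends the bundle
    return found

# Constructed process-list lines; hosts and user names are placeholders.
SAMPLE = [
    "ssh -D 8080 username@sshd_server",
    "/usr/bin/ssh -p 39122 -fNR 8080:localhost:7324 user@vps.example",
    "autossh -M 0 -N -o 'RemoteForward 8080 localhost:7324' -p 39122 user@vps.example",
    "ssh user@vps.example -p 39122 -L7324:localhost:8080",
    "ssh admin@db01 ls -R /var/log",   # -R belongs to ls, not to ssh
]
if __name__ == "__main__":
    for line in SAMPLE:
        print(ssh_forwards(line) or "no forwarding", "<-", line)
```

Forwards configured in an ssh_config file instead of on the command line do not appear in the process arguments, so this check complements rather than replaces a look at listening sockets on the server.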