socks5 over ssh

Scenario: A client behind a firewall that allows ssh and http outgoing traffic but blocks everything else (e.g. the wireless network of cs.uoi.gr), and a non-firewalled server running sshd somewhere on planet earth.

How:
a) download/install dante on the server.
b) edit /etc/socks/sockd.conf
internal: 127.0.0.1 port = SOCKS.LISTENING.PORT
external: REAL.SERVER.IP
clientmethod: none
method: none
client pass { from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0 }
pass { from: 127.0.0.0/8 to: 0.0.0.0/0 protocol: tcp udp }
user.privileged: SOCKS-USER
user.notprivileged: SOCKS-USER
user.libwrap: SOCKS-USER

c) start dante

d) from the client machine:
ssh USERNAME@REAL.SERVER.IP -L SOCKS.LISTENING.PORT:127.0.0.1:SOCKS.LISTENING.PORT
(see the -L option in the ssh(1) man page for more on ssh port forwarding)

e) Use socks5 proxy:
host 127.0.0.1
port SOCKS.LISTENING.PORT

with your favorite program.

Notes:
REAL.SERVER.IP = I really hope I don’t need to explain this.
SOCKS.LISTENING.PORT = the port that the socks server will listen on. Try a non-privileged port like 33333.
SOCKS-USER = the username that the socks server will run under (on gentoo this is: sockd). Don’t use root. Just don’t.

Tip: You don’t need to use the same listening port for the socks server and for the local redirection port. It’s just for ease of use.

Results: Internet access through a socks5 proxy over an ssh (encrypted!) connection. The socks server is not accessible to the world since it only listens for connections on the local loopback interface of the server.
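A small check for step e), added here and not part of the original post: a minimal SOCKS5 client (RFC 1928) that talks to the tunnel endpoint at 127.0.0.1:SOCKS.LISTENING.PORT and confirms the proxy accepts the "no authentication" method that the sockd.conf above selects with "method: none". The target host and the default port 33333 are placeholders; pass your own port as the first argument.

```python
import socket
import struct

# Added example (not from the original post): a minimal SOCKS5 client used to
# verify the proxy reached through the ssh -L tunnel. "method: none" in
# sockd.conf corresponds to auth method 0x00 in the SOCKS5 handshake.

NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF

def build_greeting(methods=(NO_AUTH,)):
    """VER=5, NMETHODS, METHODS... (RFC 1928 section 3)."""
    return bytes([0x05, len(methods)]) + bytes(methods)

def parse_method_reply(data):
    """Server answers VER, METHOD; 0xFF means nothing we offered is acceptable."""
    if len(data) != 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 method reply: %r" % (data,))
    if data[1] == NO_ACCEPTABLE:
        raise PermissionError("proxy rejected all offered auth methods")
    return data[1]

def build_connect(host, port):
    """CONNECT request with a DOMAINNAME address (ATYP=3): the proxy resolves the name."""
    name = host.encode("idna")
    return bytes([0x05, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port)

def parse_connect_reply(data):
    """Return (success, reply_code); 0x00 = succeeded, others per RFC 1928 section 6."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    return data[1] == 0x00, data[1]

def check_proxy(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Full handshake against a live proxy; returns the CONNECT reply code."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        parse_method_reply(s.recv(2))
        s.sendall(build_connect(target_host, target_port))
        # reply: VER REP RSV ATYP BND.ADDR BND.PORT; only VER and REP are needed here
        _ok, code = parse_connect_reply(s.recv(262))
        return code

if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 33333  # SOCKS.LISTENING.PORT placeholder
    print("CONNECT reply code:", check_proxy("127.0.0.1", port, "example.com", 80))
```

A reply code of 0 means the proxy opened the connection to the target on your behalf; running the same script against REAL.SERVER.IP instead of 127.0.0.1 (without the tunnel) should fail to connect, which confirms sockd is bound to loopback only.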

8 Responses to “socks5 over ssh”

  1. July 6th, 2007 | 18:40

    Thank you sir

    After a server reboot I suddenly lost my socks server and had no idea why (apparently an emerge dante-sockd killed my config). This was just what I needed.

  2. man of the world
    May 29th, 2008 | 03:31

    A non-firewalled server running sshd somewhere on planet earth …. and other dante server?, thanks

  3. May 29th, 2008 | 10:06

    You need to create a tunnel between you and a non-firewalled ssh server that does not filter your traffic.
    That means that you must have an account and/or control a server somewhere that does not filter traffic so the tunneled data from you to the world through the ssh tunnel don’t get filtered at the end of the tunnel.

  4. chrischan
    June 14th, 2008 | 02:39

    Hey,

    what do I have to insert in my Firefox settings?

    I used the above ones, but I don’t get any connection with my FF 🙁

  5. June 21st, 2008 | 11:58

    Firefox needs a http proxy server. I don’t know whether it can work with socks. Never tested it. If it doesn’t work just set up a squid server on the machine you run the sshd server and point firefox to use the port of the squid server.

  6. Konrad
    March 4th, 2009 | 12:07

    I’m wondering what would be the advantage using Dante to OpenSSH server. The only thing I can think of is more control over the remote server.

  7. polib
    December 1st, 2010 | 01:01

    You can do the same without installing anything on the server:
    ssh -D 1080 USERNAME@REAL.SERVER.IP
    then socks5 is listening at your localhost

  8. forcedalias
    December 16th, 2017 | 05:35

    As people mentioned, if you just want a simple, secure (encrypted), general purpose SOCKS proxy, you can just create an SSH tunnel:
    ssh -D 1080 user@yourserver.com

    Tunneling Dante over SSH, however, does have its uses.
    For instance if you need more control over the proxy (block certain sites, etc.).

    Another would be if you require authentication. Think of a shared linux box but you only want to give certain users access to your SOCKS tunnel, whereas “ssh -D 1080” will, and correct me if I’m wrong, give everyone on the system access as long as they can access port 1080.

    Finally, it can make it possible to use multiple WAN IP addresses if your server has more than one. Not something you can do with OpenSSH as far as I’m aware.

    This is something I needed to do and eventually figured out how. Thought I’d share in case it helps someone who lands here via Google. Tested on 64bit CentOS and Dante 1.4.2. Don’t forget to replace the “_IP_ADDRESS_OF_eth0:X_” parts with your own server’s IPs.

    sockd.conf:

    logoutput: syslog stdout stderr /var/log/sockd.log
    internal: eth0:0 port = 1080
    internal: eth0:1 port = 1080
    internal: eth0:2 port = 1080
    external: eth0:0
    external: eth0:1
    external: eth0:2
    external.rotation: same-same
    user.privileged: root
    user.unprivileged: sockd
    #user.libwrap: sockd
    clientmethod: none
    socksmethod: none
    client pass {
    from: _IP_ADDRESS_OF_eth0:0_/32 to: 0.0.0.0/0
    log: error # connect disconnect
    }
    client pass {
    from: _IP_ADDRESS_OF_eth0:1_/32 to: 0.0.0.0/0
    log: error # connect disconnect
    }
    client pass {
    from: _IP_ADDRESS_OF_eth0:2_/32 to: 0.0.0.0/0
    log: error # connect disconnect
    }
    socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind connect udpassociate
    log: error # connect disconnect iooperation
    }
    socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bindreply udpreply
    log: error # connect disconnect iooperation
    }

    Then just create 3 local tunnels, one for each IP:

    ssh -L 10801:_IP_ADDRESS_OF_eth0:0_:1080 -L 10802:_IP_ADDRESS_OF_eth0:1_:1080 -L 10803:_IP_ADDRESS_OF_eth0:2_:1080 user@yourserver.com

    You now have 3 x SOCKS proxies (ports 10801, 10802 and 10803). If you want to add authentication (user/pass) that’s a bit of extra work. You’d have to google it but I doubt it’s THAT much extra work.
