Turn any Linux computer into a SOCKS5 proxy with one …
Last updated
2 weeks ago
I thought I’d write a shorter article this time. It goes hand in hand with my upcoming article series on 100% technical guide to anonymity and it’s much easier to write larger articles by splitting them into smaller pieces. I can then just edit them together and produce the final article.
This article will be interesting to everyone who didn’t know this awesome fact already – you can turn any Linux computer into a SOCKS5 (and SOCKS4) proxy with just one ssh command command and no extra tools.
ssh -N -D 0. 0. 0:1080 localhost
Even better – it doesn’t require root privileges. The ssh command starts up dynamic -D port forwarding on port 1080 and talks to the clients via SOCSK5 or SOCKS4 protocols, just like a regular SOCKS5 proxy would. The -N option makes sure ssh stays idle and doesn’t execute any commands on localhost.
If you also want the command to go into background as a daemon, then add the -f option:
ssh -f -N -D 0. 0:1080 localhost
To use it, just make your software use SOCKS5 proxy on your Linux computer’s IP, port 1080, and you’re done – all your requests will now get proxied.
Access control can be implemented via iptables. For example, to allow only people from the ip 1. 2. 3. 4 to use SOCKS5 proxy, add the following iptables rules:
iptables -A INPUT –src 1. 4 -p tcp –dport 1080 -j ACCEPT
iptables -A INPUT -p tcp –dport 1080 -j REJECT
The first rule says, allow anyone from 1. 4 to connect to port 1080, and the other rule says, deny everyone else from connecting to port 1080.
However, executing iptables requires root privileges. If you don’t have root privileges, and you don’t want to leave your proxy open (and you really don’t want to do that), you’ll have to use some kind of a simple TCP proxy wrapper to do access control.
Here, I just wrote one in Perl. It’s called and it uses IO::Socket::INET to abstract sockets, and IO::Select to do connection multiplexing.
#! /usr/bin/perl
#
use warnings;
use strict;
use IO::Socket::INET;
use IO::Select;
my @allowed_ips = (‘1. 4’, ‘5. 6. 7. 8’, ‘127. 1’, ‘192. 168. 1. 2’);
my $ioset = IO::Select->new;
my%socket_map;
my $debug = 1;
sub new_conn {
my ($host, $port) = @_;
return IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port) || die “Unable to connect to $host:$port: $! “;}
sub new_server {
my $server = IO::Socket::INET->new(
LocalAddr => $host,
LocalPort => $port,
ReuseAddr => 1,
Listen => 100) || die “Unable to listen on $host:$port: $! “;}
sub new_connection {
my $server = shift;
my $client = $server->accept;
my $client_ip = client_ip($client);
unless (client_allowed($client)) {
print “Connection from $client_ip denied. n” if $debug;
$client->close;
return;}
print “Connection from $client_ip accepted. n” if $debug;
my $remote = new_conn(‘localhost’, 55555);
$ioset->add($client);
$ioset->add($remote);
$socket_map{$client} = $remote;
$socket_map{$remote} = $client;}
sub close_connection {
my $client = shift;
my $remote = $socket_map{$client};
$ioset->remove($client);
$ioset->remove($remote);
delete $socket_map{$client};
delete $socket_map{$remote};
$remote->close;
print “Connection from $client_ip closed. n” if $debug;}
sub client_ip {
return inet_ntoa($client->sockaddr);}
sub client_allowed {
return grep { $_ eq $client_ip} @allowed_ips;}
print “Starting a server on 0. 0:1080n”;
my $server = new_server(‘0. 0’, 1080);
$ioset->add($server);
while (1) {
for my $socket ($ioset->can_read) {
if ($socket == $server) {
new_connection($server);}
else {
next unless exists $socket_map{$socket};
my $remote = $socket_map{$socket};
my $buffer;
my $read = $socket->sysread($buffer, 4096);
if ($read) {
$remote->syswrite($buffer);}
close_connection($socket);}}}}
To use it, you’ll have to make a change to the previous configuration. Instead of running ssh SOCKS5 proxy on 0. 0:1080, you’ll need to run it on localhost:55555.
ssh -f -N -D 55555 localhost
After that, run the
perl
TCP proxy will start listening on 0. 0:1080 and will redirect only the allowed IPs in @allowed_ips list to localhost:55555.
Another possibility is to use another computer instead of your own as an exit node. What I mean is you can do the following.
ssh -f -N -D 1080
This will set up a SOCKS5 proxy on localhost:1080 but when you use it, ssh will automatically tunnel your requests (encrypted) via This way you can hide what you’re doing on the Internet from anyone who might be sniffing your link. They will see that you’re communicating with but the traffic will be encrypted so they won’t be able to tell what you’re doing.
That’s it. You’re now the proxy king!
Download
Download link:
I also pushed to GitHub. You can fork it and contribute. For example, you could make it redirect between any number of hosts:ports, not just two, implement onion routing, and better access control.
I’ll also soon write the definitive guide to ssh port forwarding because it’s an interesting but little understood topic.
See you next time!
Thanks for reading my post. If you enjoyed it and would like to receive my posts automatically, you can subscribe to new posts via rss feed or email.
Create a SOCKS proxy on a Linux server with SSH to bypass …
Mattias Geniar, January 19, 2017
Follow me on Twitter as @mattiasgeniar
Are you on a network with limited access? Is someone filtering your internet traffic, limiting your abilities? Well, if you have SSH access to _any _server, you can probably set up your own SOCKS5 proxy and tunnel all your traffic over SSH.
From that point on, what you do on your laptop/computer is sent encrypted to the SOCKS5 proxy (your SSH server) and that server sends the traffic to the outside.
It’s an SSH tunnel on steroids through which you can easily pass HTTP and HTTPs traffic.
And it isn’t even that hard. This guide is for Linux/Mac OSX users that have direct access to a terminal, but the same logic applies to PuTTy on Windows too.
You set up a SOCKS 5 tunnel in 2 essential steps. The first one is to build an SSH tunnel to a remote server.
Once that’s set up, you can configure your browser to connect to the local TCP port that the SSH client has exposed, which will then transport the data through the remote SSH server.
It boils down to a few key actions;
You open an SSH connection to a remote server. As you open that connection, your SSH client will also open a local TCP port, available only to your computer. In this example, I’ll use local TCP port:1337.
You configure your browser (Chrome/Firefox/…) to use that local proxy instead of directly going out on the internet.
The remote SSH server accepts your SSH connection and will act as the outgoing proxy_/vpn_ for that SOCKS5 connection.
To start such a connection, run the following command in your terminal.
$ ssh -D 1337 -q -C -N
What that command does is;
-D 1337: open a SOCKS proxy on local port:1337. If that port is taken, try a different port number. If you want to open multiple SOCKS proxies to multiple endpoints, choose a different port for each one.
-C: compress data in the tunnel, save bandwidth
-q: quiet mode, don’t output anything locally
-N: do not execute remote commands, useful for just forwarding ports
the remote SSH server you have access to
Once you run that, ssh will stay in the foreground until you CTRL+C it to cancel it. If you prefer to keep it running in the background, add -f to fork it to a background command:
$ ssh -D 1337 -q -C -N -f
Now you have an SSH tunnel between your computer and the remote host, in this example
Next up: tell your browser to use that proxy. This is something that should be done per application as it isn’t a system-wide proxy.
In Chrome, go to the chromesettings/ screen and click through to Advanced Settings. Find the Proxy Settings.
In Firefox, go to Preferences > Advanced > Network and find the Connection settings. Change them as such:
From now on, your browser will connect to localhost:1337, which is picked up by the SSH tunnel to the remote server, which then connects to your HTTP or HTTPs sites.
This has some advantages and some caveats. For instance, most of your traffic is now encrypted.
What you send between the browser and the local SOCKS proxy is encrypted if you visit an HTTPs site, it’s plain text if you visit an HTTP site.
What your SSH client sends between your computer and the remote server is always encrypted.
What your remote server does to connect to the requested website may be encrypted (if it’s an HTTPS site) or may be plain text, in case of plain HTTP.
Some parts of your SOCKS proxy are encrypted, some others are not.
If you’re somewhere with limited access, you might not be allowed to open an SSH connection to a remote server. You only need to get an SSH connection going, and you’re good to go.
So as an alternative, run your SSH server port on additional ports, like:80, :443 or:53: web and DNS traffic is usually allowed out of networks. Your best bet is:443, as it’s already an encrypted protocol and less chance of deep packet inspection middleware from blocking your connection because it doesn’t follow the expected protocol.
The chances of:53 working are also rather slim, as most DNS is UDP based and TCP is only use in either zone transfers or rare DNS occasions.
Visit any “what is my IP” website and refresh the page before and after your SOCKS proxy configuration.
If all went well, your IP should change to that of your remote SSH server, as that’s now the outgoing IP for your web browsing.
If your SSH tunnel is down, crashed or wasn’t started yet, your browser will kindly tell you that the SOCKS proxy is not responding.
If that’s the case, restart the ssh command, try a different port or check your local firewall settings.
Want to subscribe to the newsletter?
I write a weekly-ish newsletter on Linux, open source & webdevelopment called
It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.
No spam. Just some good, practical Linux & open source content.
can you set socks5 proxy from Linux command line? – Ask …
I’ve managed to set a socks5 proxy server from Linux towards another server like this:
ssh -D 9090 -N -f user@192. 168. 76. 102
Then I changed the settings in mozilla browser to use the socks proxy, and it works, I can surf the internet. What I want do is to set this setting in Linux command line, so I can have access to the internet from there, like so: wget.
First I tried editing the /etc/environmental file:
export _proxy=socks5127. 0. 1:9090
But it doesn’t work:
wget
Error parsing proxy URL socks5127. 1:9090: Unsupported scheme ‘socks5’.
Then I installed proxychains4, and added in /etc/:
socks5 127. 1 9090
But still doesn’t work:
Resolving ()… failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘
Do you have any ideas how I can make this work?
Thanks.
Frequently Asked Questions about socks5 proxy linux
How use SOCKS5 proxy in terminal?
2 Answers. You can use http_proxy environmentvariable like this: export http_proxy=”socks5://localhost:9050″ Now the terminal will use that as proxy.Apr 17, 2015
What is the best proxy for SOCKS5?
The best VPNs for SOCKS5 – In-depth AnalysisNordVPN. www.nordvpn.com. NordVPN is a reliable VPN that provides security, privacy. … Private Internet Access. www.privateinternetaccess.com. … IPVanish. www.ipvanish.com. … Hide.me. www.hide.me. … Windscribe. Windscribe provide a SOCKS5 proxy on their premium plan.Sep 29, 2021
How do I create a proxy for SOCKS5?
Select Network and then Proxies. Click the Advanced button to access the Network settings and navigate to the Proxies tab. Click the SOCKS Proxy checkbox and enter the host and port information.Jan 12, 2017