with SSH only: reverse tunnel web access via ssh SOCKS proxy

Solution 1:

I finally managed to accomplish this with ssh only:

  1. start a local SOCKS proxy on your client machine (using ssh -D)
  2. connect to remote server and set up a reverse port forwarding (ssh -R) to your local SOCKS proxy
  3. configure the server software to use the forwarded proxy

1. Start local socks proxy in the background

Connect to localhost via SSH and open SOCKS proxy on port 54321.

$ ssh -f -N -D 54321 localhost

-f runs SSH in the background.

Note: If you close the terminal where you started the command, the proxy process will be killed. Also remember to clean up after yourself by either closing the terminal window when you are done or by killing the process yourself!

2. connect to remote server and set up reverse port forwarding

Bind remote port 6666 to local port 54321. This makes your local socks proxy available to the remote site on port 6666.

$ ssh root@target -R6666:localhost:54321

3. configure the server software to use the forwarded proxy

Just configure yum, apt, curl, wget or any other tool that supports SOCKS to use the proxy 127.0.0.1:6666.

Voilà! Happy tunneling!


4. optional: install proxychains to make things easy

proxychains installed on the target server enables any software to use the forwarded SOCKS proxy (even telnet). It uses an LD_PRELOAD trick to redirect TCP and DNS requests from arbitrary commands into a proxy and is really handy.

Set up /etc/proxychains.conf to use the forwarded socks proxy:

[ProxyList]
# SSH reverse proxy
socks5  127.0.0.1 6666

Tunnel arbitrary tools (that use TCP) with proxychains:

$ proxychains telnet google.com 80
$ proxychains yum update
$ proxychains apt-get update
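
An added example, not part of the answer above: steps 1 and 2 of Solution 1 wrapped in shell functions that use SSH control sockets, so both background tunnels can be shut down explicitly as the cleanup note in step 1 asks. The function names, the CTL_DIR socket location and the explicit loopback bind addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Names and paths are assumptions.
TARGET="${TARGET:-root@target}"      # remote host, as in the answer
SOCKS_PORT="${SOCKS_PORT:-54321}"    # local SOCKS proxy port (step 1)
REMOTE_PORT="${REMOTE_PORT:-6666}"   # port opened on the target (step 2)
CTL_DIR="${CTL_DIR:-$HOME/.ssh}"     # directory for the control sockets

tunnel_up() {
    # Step 1: local SOCKS proxy bound to loopback only.
    # -M/-S create a control socket so the process can be stopped later;
    # ExitOnForwardFailure makes ssh fail instead of running without the forward.
    ssh -f -N -M -S "$CTL_DIR/socks.ctl" -o ExitOnForwardFailure=yes \
        -D "127.0.0.1:$SOCKS_PORT" localhost || return 1

    # Step 2: expose that proxy on the target, again on loopback only,
    # so only processes on the target itself can reach it.
    ssh -f -N -M -S "$CTL_DIR/reverse.ctl" -o ExitOnForwardFailure=yes \
        -R "127.0.0.1:$REMOTE_PORT:127.0.0.1:$SOCKS_PORT" "$TARGET" \
        || { tunnel_down; return 1; }   # do not leave a stray proxy behind
}

tunnel_status() {
    # Returns 0 only if both background ssh processes are still alive.
    ssh -S "$CTL_DIR/socks.ctl" -O check localhost 2>/dev/null &&
    ssh -S "$CTL_DIR/reverse.ctl" -O check "$TARGET" 2>/dev/null
}

tunnel_down() {
    # Close the reverse forward first, then the local proxy.
    # A missing socket (tunnel already gone) is not treated as an error.
    ssh -S "$CTL_DIR/reverse.ctl" -O exit "$TARGET" 2>/dev/null || true
    ssh -S "$CTL_DIR/socks.ctl" -O exit localhost 2>/dev/null || true
    return 0
}

# Typical use from an interactive shell after sourcing this file:
#   tunnel_up && ssh "$TARGET"    # work on the target through 127.0.0.1:$REMOTE_PORT
#   tunnel_down                   # run when the session is finished
```
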

Solution 2:

Newer versions of SSH allow the use of the very simple option ssh -R <[bind_address:]port>. Using only the port on the host and maybe the bind address, but not specifying the client-side port, will create a reverse SOCKS proxy.

This is also stated in the man pages of newer SSH versions:

[...] if no explicit destination was specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.

You can test this with curl connecting to a simple "give me my IP"-API like http://ifconfig.io.

$ curl ifconfig.io

vs

$ curl --socks5 localhost:<PORT> ifconfig.io
