  1. #1
    Join Date
    Mar 2003
    Location
    Saint Paul, MN
    Posts
    826

    Proxy Connections With SSH or PUTTY

    There are four very good reasons why you'd want to proxy internet applications through an SSH tunnel - either for security (local traffic between you and the server running SSH will be encrypted), for privacy (hiding your "real" IP address), for technical reasons (such as IP-based authentication mechanisms that you'd like to be able to access even from multiple locations or with dynamically-assigned IPs) or, of course, just because you can.

    Since there have been a number of questions here lately about how to proxy connections through a server - often phrased something like "how do I use Squid, which is hellaciously complicated to set up and gross overkill for what I want to do, to browse the web from my server's IP address?" (Well, that's how I remember the questions, anyway.) - I've put together this little tutorial on using PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) and plain old SSH to do this.

    First, you need access to, and an SSH account on, a server. For the examples below, this server is "example.tld", and we'll pretend your account is "foo". While there's nothing stopping you from doing this as root, it's a bad idea to allow direct root login, and an equally bad idea to log in as root needlessly.

    Second, you need either PuTTY (see above) on Windows or older Macs; on Linux and Unix machines, you need SSH or SSH2; the former is generally included in the base system of most distributions, and the latter is an optional package.

    First, PuTTY instructions. Get PuTTY, and load it up. You'll see a screen somewhat like this:

    In the address bar, enter your server's hostname or IP address (here example.tld). Make sure the "SSH" button is checked, and that you're using port 22.

    Then, in the left-hand menu, click on "SSH". You should see a screen like that below:


    Tick "enable compression", and set your preferred SSH version to "2". Now, click on the "tunnels" line under SSH; you should see a screen like this:



    Tick the "dynamic" button, then put in a source port - here I've used 4567, but you can use pretty much anything not otherwise in use - 1234, 2525, 6666, or whatever. Click the "add" button, and you should see something like this:



    With me so far? Good. Now, go back to the "session" tab at the top of the menu:



    Enter a name for this connection - here the imaginative "My SSH Proxy" - and click "Save".

    Now, to use this tunnel, fire up PuTTY, enter your username and your password; you should log in as normal. Then, fire up the SOCKS-compatible application you'd like to use - in this case, everyone's favorite web browser, Firefox. Click Tools -> Options -> General -> Connection Settings, and you should get to a screen like this:



    Tick "Manual Proxy Configuration", then put in "127.0.0.1" in the "SOCKS Host" line, and the port you set up in PuTTY earlier - in this case again, 4567. Tick the "Socks 5" button, hit OK, and you should be browsing the web via an encrypted connection to your server. Check out one or more of those "what's my IP address" sites, and you should see your server's IP address.

    People on Linux and Unix boxes can eschew the whole PuTTY thing by simply opening up a shell window and typing:

    ssh -C -2 -D 4567 foo@example.tld

    Log in with your password, and proceed as above, setting up Firefox. IE, Mozilla, Konqueror, and other programs are set up to use the SSH tunnel pretty much the same way as Firefox - the basic thing you need to do is point it to your local IP - 127.0.0.1 - and the port - 4567, or whatever you chose.

    Hopefully that answers some of the questions people have been having...
    redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
    Because Simple Things Should Be Simple - YouCANHasDNS

  2. #2
    thanks for sharing !! but is it safe to login using proxy ?

  3. #3
    Is it safe to login where or to what using a proxy?

  4. #4
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    Thanks Ankheg...I've been looking for a solution to do this for a *long* time...never really checked too much into it though. Gonna give it a whirl right now..I'll post back with how it works out. Cheers!

    edit - works great!
    Last edited by layer0; 08-13-2006 at 09:03 PM.
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  5. #5
    Ankheg: great tutorial! Thanks for sharing this with us!

  6. #6
    That works a treat - now if only I could find a way to proxy SSH through my work proxy and then proxy my browsers through SSH - lol

    Long winded way of doing what I want

  7. #7
    thanx dear

  8. #8
    I have done this on both a linux machine and a windows machine. I set my browser up to go through the proxy but all that results is a white page.

    Is there any special server-side configuration that might need to be done in order to get this forwarding to work?

  9. #9
    It shouldn't require any special settings, no. I'd double check /etc/ssh/sshd_config to make sure there aren't any settings that are set which possibly shouldn't be (AllowTcpForwarding no, for instance, or GatewayPorts no).

    Assuming the remote machine is running a reasonably default configuration of a reasonably current mainstream server OS, this technique should - and does - work fine as described; I'm using it right now, actually, to post this. I'd look at a firewall issue, perhaps, or a DNS issue at the remote end. You don't have any egress filtering or anything going on with APF or anything, right?
    redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
    Because Simple Things Should Be Simple - YouCANHasDNS
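
As an added example (not part of the original posts): a shell check for the sshd_config setting named in the reply above. It reads the global AllowTcpForwarding value from a config file and reports whether dynamic (-D) forwarding is permitted; the function names are made up for this illustration and the sample configs are constructed.

```shell
# Added example: does an sshd_config allow "ssh -D" (dynamic forwarding)?
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.
# Only the global section is read here; parsing stops at the first Match block.

effective_tcp_forwarding() {   # prints the global AllowTcpForwarding value of file $1
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }      # drop comments, accept "key=value"
        NF == 0 { next }                       # skip blank lines
        tolower($1) == "match" { exit }        # conditional blocks are out of scope
        tolower($1) == "allowtcpforwarding" { v = tolower($2); exit }
        END { print (v == "" ? "yes" : v) }    # sshd default is "yes"
    ' "$1"
}

# Exit status 0 if -D can work with this config, 1 if the server will refuse it.
dynamic_forwarding_allowed() {
    case "$(effective_tcp_forwarding "$1")" in
        yes|all|local) return 0 ;;   # -D opens the same channel type as -L
        *)             return 1 ;;   # "no" and "remote" both refuse it
    esac
}

# Constructed sample configs (not taken from any real server).
sample_dir=$(mktemp -d)
cat > "$sample_dir/default.conf" <<'EOF'
Port 22
#AllowTcpForwarding no
PermitRootLogin no
EOF
cat > "$sample_dir/locked.conf" <<'EOF'
Port 22
allowtcpforwarding no
AllowTcpForwarding yes
EOF
cat > "$sample_dir/remote_only.conf" <<'EOF'
AllowTcpForwarding remote
EOF

for f in default locked remote_only; do
    if dynamic_forwarding_allowed "$sample_dir/$f.conf"; then
        echo "$f: ssh -D should work"
    else
        echo "$f: server refuses -D (AllowTcpForwarding $(effective_tcp_forwarding "$sample_dir/$f.conf"))"
    fi
done
```

On a real server, point the functions at /etc/ssh/sshd_config; `sshd -T` run as root prints the effective settings, including any Match overrides this sketch does not evaluate.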

  10. #10
    It's not a DNS issue, I don't think. I can normally ssh into the server and get to all the websites with lynx.

    I didn't set up anything, to my knowledge, to do egress filtering or APF. I don't know what those are, though, to be honest, so I couldn't honestly tell you whether or not they are.

    What kind of thing with a firewall (it is behind a router/hardware firewall) would I need to watch out for that might cause this kind of problem?

  11. #11
    Offhand, I can't immediately think of how a router/firewall would create problems with this, but I was thinking more of a software firewall - like APF - at the far end.

    If that's not the case, I'd suggest you double-check you've got everything set up correctly. Maybe try a different port, make sure you're using the right settings for the dynamic SSH port, back off to Socks4, disable compression... even try a different browser (I'm open to the possibility that some toolbar or plugin could cause problems, especially some of the proxy-switcher, tor, or privoxy plugins for Firefox.)

    Usually, if you've screwed up somewhere, you'll get a "the proxy server is refusing connections" message. A blank screen is a new one on me.

  12. #12
    Is there a way to bind the proxy connection to another ip other than the main server ip?

    A great tutorial here I'm using it fine.
    ServerTweak Networks, LLC >> ServerTweak.com
    Experience the fastest network and superior servers, feel the power of ServerTweak!
    Fremont, CA DataCenter | Dedicated Servers | Colocation | Cross Connects HE.net | 1/4 - Full Cab Sales

  13. #13
    Quote Originally Posted by eymbo View Post
    Is there a way to bind the proxy connection to another ip other than the main server ip?
    Generally, whatever IP address you connect to, is the IP address you connect from. So if you want to use 123.45.67.89, for example, you use that IP, rather than server.foo.com, which might be 123.45.67.88. Or whatever.

  14. #14
    Quote Originally Posted by Ankheg View Post
    Generally, whatever IP address you connect to, is the IP address you connect from. So if you want to use 123.45.67.89, for example, you use that IP, rather than server.foo.com, which might be 123.45.67.88. Or whatever.
    Yeah that was what I was thinking however I did try and it didn't work. :?

  15. #15
    Quote Originally Posted by eymbo View Post
    Yeah that was what I was thinking however I did try and it didn't work. :?
    Then you are not doing it correctly. Make sure that you have your browser pointed to the proxy you are creating with putty.

    You can also use remote port settings to forward email ports and such through your ssh connection, very handy if you want to check your POP account on the go.

  16. #16
    Join Date
    Apr 2005
    Location
    Bangladesh
    Posts
    583
    works great =D

    thanksssss
    WebHosting.com.bd - Web Hosting Bangladesh
    Limited Sites Per Server | cPanel | RVSiteBuilder PRO | Rapid Support | Pay-As-You-Go Reseller
    DomainDokan.com - Domain Registration Bangladesh
    Real-time Registration | Online Control Panel | Rapid Support | Turn-key Reseller

  17. #17
    Quote Originally Posted by Ankheg View Post
    Generally, whatever IP address you connect to, is the IP address you connect from. So if you want to use 123.45.67.89, for example, you use that IP, rather than server.foo.com, which might be 123.45.67.88. Or whatever.
    I did it.

    but it's showing my server's default address.

    I have the ssh proxy set on xx.xx.92.77.
    But "what is my ip" sites are showing xx.xx.92.74 which is the main proxy of my (cpanel) server

  18. #18
    Join Date
    Dec 2002
    Location
    USA
    Posts
    337
    Works great with Putty.

    But, Is there a tutorial to get this to work with WinSCP?

  19. #19
    Anyone been able to use any ip other than the main server ip?

  20. #20
    I have tried binding SSH to another IP and have yet to figure out how to make it work. I've tried using a user specified configuration in the ~/.ssh directory but to no success. Is anyone able to figure this out?

  21. #21
    Join Date
    May 2006
    Posts
    307
    Quote Originally Posted by Ankheg View Post

    People on Linux and Unix boxes can eschew the whole PuTTY thing by simply opening up a shell window and typing:

    ssh -C -2 -D 4567 foo@example.tld

    Log in with your password, and proceed as above, setting up Firefox. IE, Mozilla, Konqueror, and other programs are set up to use the SSH tunnel pretty much the same way as Firefox - the basic thing you need to do is point it to your local IP - 127.0.0.1 - and the port - 4567, or whatever you chose.

    Hopefully that answers some of the questions people have been having...
    I am on a Mac Powerbook, but could not access by this way. I have tried to
    - connect ssh to my server through terminal, using port 2221
    - config my Firefox to use SOCKS5 with IP 127.0.0.1 and port 2221

    but after that, cannot connect to the Internet anymore. How to fix it?
    Traditional music traveling

  22. #22
    This thread is somewhat old, but the principles are still valid I guess. I have a similar problem with browsing over the tunnel: I can perfectly get an ssh connection via PuTTY (over an authorizing proxy), but when I remove all proxy settings in Firefox and only enter the SOCKS proxy, I get a "Server not found" message from Firefox (which sounds to me like a DNS problem). I can open a site on the remote server with lynx, so DNS should work there. Any way to trace the problem?

  23. #23

    some common mistakes

    Maybe I am digging up an old thread.

    I had tried this a long time back, but was not able to browse. This was because I was using the system's IP itself and not the localhost IP to set up the proxy port.

    Also I made the mistake of not setting the proxy at the SOCKS entry.

    Just adding to this so that someone coming along this thread will benefit
    Mathew Augustine
    Systems Engineer
    "Drink nothing without seeing it; sign nothing without reading it."

  24. #24
    I used PuTTY for SSH tunneling before. It was quite boring to run PuTTY each time I needed to setup the tunnel and to re-configure new apps to use the local SOCKS proxy. Also, not all apps support proxies.

    Now I'm using ProxyCap. It will create the ssh tunnel and will redirect other programs to this tunnel.
