Establishing a SOCKS proxy using an SSH client

You can establish a Socket Secure (SOCKS) server on a Secure Shell (SSH) server using the -D option to the ssh client command.

     -D [bind_address:]port
             Specifies a local “dynamic” application-level port forwarding.
             This works by allocating a socket to listen to port on the local
             side, optionally bound to the specified bind_address.  Whenever a
             connection is made to this port, the connection is forwarded over
             the secure channel, and the application protocol is then used to
             determine where to connect to from the remote machine.  Currently
             the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
             as a SOCKS server.  Only root can forward privileged ports.
             Dynamic port forwardings can also be specified in the configura-
             tion file.

             IPv6 addresses can be specified by enclosing the address in
             square brackets.  Only the superuser can forward privileged
             ports.  By default, the local port is bound in accordance with
             the GatewayPorts setting.  However, an explicit bind_address may
             be used to bind the connection to a specific address.  The
             bind_address of “localhost” indicates that the listening port be
             bound for local use only, while an empty address or ‘*’ indicates
             that the port should be available from all interfaces.

E.g., if I wished to create a SOCKS proxy server at the SSH server end from an SSH client using the registered port commonly used as the listening port for a SOCKS proxy, i.e., TCP port 1080, I could use the command below, assuming that I have a jdoe account on the SSH server at

$ ssh -D 1080

I could then configure browsers on the system where I issued the SSH command to connect to to use a SOCKS proxy on the localhost address, You don't need to install any SOCKS proxy software on the remote server end; the SSH client command causes the SSH server to create a SOCKS proxy server for use during the SSH session.

If I wanted to use some other port, rather than the standard port of 1080, I could put that port number after the -D.

The command above will give me an interactive login session on the remote SSH server. I.e., after I enter the password to log into the remote SSH server, I will see a shell prompt. But suppose I only need to establish the SSH connection for port forwarding or to set up the SOCKS proxy connection and would rather not have an interactive login session. In the case where I wish to use a SOCKS proxy, but have a noninteractive SSH connection, I can also specify the -N option.

     -N      Do not execute a remote command.  This is useful for just for-
             warding ports (protocol version 2 only).

E.g., I could use a command similar to the one below:

$ ssh -D 1080 -N

After I supply the password for the account at the password prompt, I will not see any other response from the remote system, which might lead you to believe that the connection wasn't established, but at this point you should be able to configure browsers to use the SOCKS proxy connection successfully.

But, if you wished to be returned to the shell prompt on the client system, i.e., the one from which you issued the command, then you can also include the -f option.

     -f      Requests ssh to go to background just before command execution.
             This is useful if ssh is going to ask for passwords or
             passphrases, but the user wants it in the background.  This
             implies -n.  The recommended way to start X11 programs at a
             remote site is with something like ssh -f host xterm.

             If the ExitOnForwardFailure configuration option is set to “yes”,
             then a client started with -f will wait for all remote port for-
             wards to be successfully established before placing itself in the

E.g., I could use a command similar to the one below:

$ ssh -D 1080 -fN

The -f and -N options can be given separately or combined, e.g., -fN. By including the -f option, I can continue working at the shell prompt on the local system from which I entered the command, while the SSH connection that established the SOCKS proxy connection continues to run in the background.
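Because a backgrounded -fN session prints nothing, it helps to confirm that the forward is listening and that it is bound to loopback only, as the bind_address text quoted above describes. The script below is an added example, not part of the original article: it assumes Linux `ss -H -ltnp` output, the function names are hypothetical, and the sample lines (addresses, ports, PIDs) are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Audits which local addresses
# ssh *client* forwards (-D, and also -L; ss cannot tell them apart) listen on.
# Expected input: output of `ss -H -ltnp` from Linux iproute2.

# Constructed sample: PIDs, ports and addresses are made up for illustration.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 127.0.0.1:1080 0.0.0.0:* users:(("ssh",pid=4242,fd=4))
LISTEN 0 128 [::1]:1080 [::]:* users:(("ssh",pid=4242,fd=5))
LISTEN 0 128 0.0.0.0:1081 0.0.0.0:* users:(("ssh",pid=4310,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
EOF
}

# Reads ss lines on stdin and prints "<verdict> <addr:port> pid=<pid>" for
# every listener owned by a process named exactly "ssh" (sshd is skipped).
audit_ssh_listeners() {
    awk '
    index($0, "(\"ssh\",") == 0 { next }      # not an ssh client socket
    {
        laddr = $4                             # Local Address:Port column
        addr = laddr
        sub(/:[0-9]+$/, "", addr)              # drop the trailing :port
        pid = "?"
        if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
        if (addr ~ /^127\./ || addr == "[::1]") verdict = "LOOPBACK"
        else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") verdict = "EXPOSED-ALL"
        else verdict = "EXPOSED"               # bound to one non-loopback address
        print verdict, laddr, "pid=" pid
    }'
}

# Exit status 0 only when no ssh forward is reachable from other hosts.
ssh_listeners_loopback_only() {
    ! audit_ssh_listeners | grep -q '^EXPOSED'
}

# Demo on the constructed sample; on a live system use:
#   ss -H -ltnp | audit_ssh_listeners
sample_ss_output | audit_ssh_listeners
```

A listener reported as EXPOSED-ALL accepts SOCKS connections from any host that can reach the client machine, which is the effect of an empty or ‘*’ bind_address or of GatewayPorts being enabled.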

You can see other options supported by the SSH command by viewing the ssh man page.

