Instant socks proxy over ssh


There is currently the situation that on some schools (and maybe also firms) in this region that only whitelisted ports to the outside world are opened. Connections are established through a socks proxy when you want to connect to a computer which is not part of the local network. They use simple pattern matching to find "dangerous" words before delivering the content to the client which of course creates many false positives. Most of time they disable encrypted versions of a protocol (like HTTPS or POP3S) so the users most use the unencrypted versions. The problem is that some content is only provided when you connect over https on some webpages (like login pages or svn commit support on sourceforge). "Unknown" ports will also be filtered - so git-fetch over git's own protocol will propably fail.

The first idea was to use a dedicated server to use a vpn connection but I found an easier way using the ssh and connect-proxy. OpenSSH has a so called dynamic ports forwarding mode. This is just a simple socks4/5 proxy which tunnels everything over a ssh tunnel. No root access is needed on your remote ssh server so it is quite easy to find a server and proxies I've tested also allowed ssh connections.

connect-proxy will allow us to tunnel our ssh session over the socks proxy. We only have to add an special Host entry to out ~/.ssh/config

Host local-proxy
      # SSH Server
      Hostname REMOTE_SSH_SERVER
      User SSH_USER
      # Proxy gateway to the outside
      ProxyCommand connect-proxy -S PROXY_HOST:PROXY_PORT %h %p
      # Local configuration
      DynamicForward localhost:1080

Afterwards it should be possible to use ssh -N local-proxy to start your local socks proxy and to use localhost:1080 as your normal socks proxy. If your program has no support for socks you can use tsocks as wrapper which loads a special library with LD_PRELOAD to override socket operations to support socks transparently in each application. You only have to create a ~/.tsocks.conf

server =
server_type = 5
server_port = 1080

You can use tsocks sh -c "wget -q -O-|grep 'LOOKUPADDRESS'" to test if your tunnel works and you send your data over the ip of the ssh server instead of your network proxy.