Dynamic Port Forwarding with SOCKS over SSH is probably the easiest and cheapest secure method to connect a client application to a remote host over a preferred port.

This method allows an application on a client computer to make request to a local port, then the requests are forwarded to a remote host, which processes the requests and returns the data back to the client. This is very similar to a simple proxy, with the exception that in a proxy set up the application sends data directly to the remote host, while in this configuration we have an emulated local SOCKS server that handles the requests first and then directs them to the remote computer… oh yeah… and the network traffic is encrypted.

Dynamic Port Forwarding over SSH is in a way a simple alternative to VPN.

Why would anyone need this? Two main reasons immediately come to mind. First, if you are on a public, non secure, non trusted, unencrypted network (for example at the local coffee shop) you can use this method to securely connect to a remote host and have your network traffic encrypted and thus protect your data and privacy. Second, if you need to bypass local network restrictions and monitoring services. A good example here is circumventing surf control restrictions. In most cases, surf control is implemented by monitoring the traffic and examining the tcp/ip packets over port 80. By using Dynamic Port Forwarding over SSH, we channel http traffic through a different port and furthermore all http requests/responses are encrypted via ssh and thus cannot be examined or filtered.

Now let’s see how it is done.

Remote Host Setup.

A remote host is needed that will receive and process the requests from the client. Any computer or device can be the remote host as long as it runs ssh. In this respect any Linux box is ideal for that purpose.
From a practical standpoint, your home router is probably one of the best candidates for being your remote host. You need to run open source software on it, like OpenWRT, DD-WRT, Tomato, etc. and have ssh enabled on it. If you are still running the original firmware that you router came with, you are only using a fraction of the hardware’s capabilities and you are missing out on a lot of great features.

If you plan on using a computer on your home network as the remote ssh host, do not forget to set up the port forwarding on your router accordingly.

Client Setup.

If your client is a Linux box, you hardly have to set up anything. All you have to do is connect to the remote host with the following command:

ssh –D port_number user_name@remote_host (for example: ssh –D 8080 dimitar@

And then the only thing that is left is to configure your application to use SOCKS. Look at the Firefox setup below as an example (Step 7).

If your client is a Windows box, you have to install an ssh client. PuTTY is a good ssh client for Windows and it is free:

Step 1. Download PuTTY.
Step 2. Open up PuTTY and put in the host IP address or domain name. Leave the port as the default 22 and give the connection a name under “Saved Sessions” and click “Save”:

PuTTY Session Screen
PuTTY Session Screen

Step 3. Click the “SSH” on the left hand side under “Connections” and make sure that the “Preferred SSH protocol version” is set to 2.

Step 4. Click on “Auth” and select “Allow agent forwarding”:

PuTTY Auth Screen
PuTTY Auth Screen

Step 5. Go to “Tunnels” and enter the port in the “Source Port” field, select the “Dynamic” radio button and click the “Add” button. Here optionally you can check “Enable X11 forwarding”, which will come in handy if you want to run graphical applications from the remote host. For this piece to work though, you will need an X11 client running on your Windows client, like Cygwin, Reflections X, Humming Bird, etc., but this is beyond this discussion.

PuTTY Tunnels Screen
PuTTY Tunnels Screen

Step 6. Click “Session” on the top left to go back to the first screen and save your setting.

Step 7. Now you are ready to configure your application to use the Dynamic Port Forwarding with SOCKS. For this exercise we will configure Firefox. Open Firebox’s “Options” dialog (called “Preferences” if running on Linux) and go to “Advanced” and then “Network”, hit the “Settings” button under “Connection”. In the window that pops up select “Manual proxy configuration”, enter localhost for “SOCKS host” and the port number (8080 for this exercise). Select the “SOCKS v5” radio button and enter localhost, in the “No Proxy for” box:

Firefox Network Settings
Firefox Network Settings

Now when you browse the internet with Firefox, all the traffic will be directed to the local SOCKS proxy server on port 8080, then the packest will be encrypted and forwarded over ssh on port 22  to the remote host (you can alwasy change the default ssh port to any other port). It is important to notice, that the remote host will decrypt the packets from the client and then make the requests on port 80 without encryption.

Dynamic Port Forwarding with SOCKS over SSH

6 thoughts on “Dynamic Port Forwarding with SOCKS over SSH

  • April 15, 2013 at 4:56 am

    If I want set up SSH tunnel to connect to a proxy.
    For example: MyPC[] -> SSHServer[] -> PublicWebProxy[].
    Is it possible? What settings I should make?

  • Pingback: Install SSH as socks proxy for dynamic port forwarding | Steve Constine

  • May 17, 2013 at 12:59 pm


    Nice article. I wonder if it is possible to connect via the proxy to a server that is accessible via a tunnel.
    For example, my server A has a tunnel on my server B
    I connect to server B with dynamic port forwarding.

    I redirect port 80 on my server B but I could not get access via the dynamic forwarding. Any idea?

  • December 11, 2014 at 9:35 am

    Is it possibile to mage tunnel to sshd listening on custom port ? not 22 .. f.e. 3128 ?

  • December 15, 2014 at 9:01 pm

    Yes you can do that on any port including 3128. To do that you need to have your remote server configured so that the sshd is listing on port 3128 instead of the default 22.

  • Pingback: ????? » 2015?4?10?gae goagent?????

Leave a Reply

Your email address will not be published. Required fields are marked *