Socks Proxy Ubuntu
Create a SOCKS proxy on a Linux server with SSH to bypass …
Mattias Geniar, January 19, 2017
Follow me on Twitter as @mattiasgeniar
Are you on a network with limited access? Is someone filtering your internet traffic, limiting your abilities? Well, if you have SSH access to _any _server, you can probably set up your own SOCKS5 proxy and tunnel all your traffic over SSH.
From that point on, what you do on your laptop/computer is sent encrypted to the SOCKS5 proxy (your SSH server) and that server sends the traffic to the outside.
It’s an SSH tunnel on steroids through which you can easily pass HTTP and HTTPs traffic.
And it isn’t even that hard. This guide is for Linux/Mac OSX users that have direct access to a terminal, but the same logic applies to PuTTy on Windows too.
You set up a SOCKS 5 tunnel in 2 essential steps. The first one is to build an SSH tunnel to a remote server.
Once that’s set up, you can configure your browser to connect to the local TCP port that the SSH client has exposed, which will then transport the data through the remote SSH server.
It boils down to a few key actions;
You open an SSH connection to a remote server. As you open that connection, your SSH client will also open a local TCP port, available only to your computer. In this example, I’ll use local TCP port:1337.
You configure your browser (Chrome/Firefox/…) to use that local proxy instead of directly going out on the internet.
The remote SSH server accepts your SSH connection and will act as the outgoing proxy_/vpn_ for that SOCKS5 connection.
To start such a connection, run the following command in your terminal.
$ ssh -D 1337 -q -C -N
What that command does is;
-D 1337: open a SOCKS proxy on local port:1337. If that port is taken, try a different port number. If you want to open multiple SOCKS proxies to multiple endpoints, choose a different port for each one.
-C: compress data in the tunnel, save bandwidth
-q: quiet mode, don’t output anything locally
-N: do not execute remote commands, useful for just forwarding ports
the remote SSH server you have access to
Once you run that, ssh will stay in the foreground until you CTRL+C it to cancel it. If you prefer to keep it running in the background, add -f to fork it to a background command:
$ ssh -D 1337 -q -C -N -f
Now you have an SSH tunnel between your computer and the remote host, in this example
Next up: tell your browser to use that proxy. This is something that should be done per application as it isn’t a system-wide proxy.
In Chrome, go to the chromesettings/ screen and click through to Advanced Settings. Find the Proxy Settings.
In Firefox, go to Preferences > Advanced > Network and find the Connection settings. Change them as such:
From now on, your browser will connect to localhost:1337, which is picked up by the SSH tunnel to the remote server, which then connects to your HTTP or HTTPs sites.
This has some advantages and some caveats. For instance, most of your traffic is now encrypted.
What you send between the browser and the local SOCKS proxy is encrypted if you visit an HTTPs site, it’s plain text if you visit an HTTP site.
What your SSH client sends between your computer and the remote server is always encrypted.
What your remote server does to connect to the requested website may be encrypted (if it’s an HTTPS site) or may be plain text, in case of plain HTTP.
Some parts of your SOCKS proxy are encrypted, some others are not.
If you’re somewhere with limited access, you might not be allowed to open an SSH connection to a remote server. You only need to get an SSH connection going, and you’re good to go.
So as an alternative, run your SSH server port on additional ports, like:80, :443 or:53: web and DNS traffic is usually allowed out of networks. Your best bet is:443, as it’s already an encrypted protocol and less chance of deep packet inspection middleware from blocking your connection because it doesn’t follow the expected protocol.
The chances of:53 working are also rather slim, as most DNS is UDP based and TCP is only use in either zone transfers or rare DNS occasions.
Visit any “what is my IP” website and refresh the page before and after your SOCKS proxy configuration.
If all went well, your IP should change to that of your remote SSH server, as that’s now the outgoing IP for your web browsing.
If your SSH tunnel is down, crashed or wasn’t started yet, your browser will kindly tell you that the SOCKS proxy is not responding.
If that’s the case, restart the ssh command, try a different port or check your local firewall settings.
Want to subscribe to the newsletter?
I write a weekly-ish newsletter on Linux, open source & webdevelopment called
It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.
No spam. Just some good, practical Linux & open source content.
connect over SOCKS4/5 proxy – Ubuntu Manpage
Provided by: connect-proxy_1. 105-1_amd64 NAME connect-proxy — connect over SOCKS4/5 proxy
SYNOPSIS connect-proxy [-dnhst45] [-R resolve] [-p local-port] [-w secs] [-H [user@]proxy-
server[:port]]] [-S [user@]socks-server[:port]]] [-T proxy-server[:port]] [-c
telnet-proxy-command] [host] [port]
DESCRIPTION connect-proxy open connection over SOCKS4/5 proxies
Please, note that any HTTP-Proxy tunnel won’t work with content-inspection firewall
(unless using SSL).
OPTIONS -H specifies a hostname and port number of the proxy server to relay. If port
is omitted, 80 is used. You can specify this value in the environment variable
HTTP_PROXY and pass the -h option to use it.
-S specifies the hostname and port number of the SOCKS server to relay. Like -H,
port number can be omitted and the default is 1080. You can also specify this
value pair in the environment variable SOCKS5_SERVER and give the -s option to
use it.
-4 specifies SOCKS relaying and indicates protocol version to use. It is valid
only when used with ‘-s’ or ‘-S’. Default is ‘-5’ (protocol version 5)
-R method to resolve the hostname. Three keywords (“local”, “remote”, “both”) or
dot-notation IP address are acceptable. The keyword “both” means, “Try local
first, then remote”. If a dot-notation IP address is specified, use this host as
nameserver. The default is “remote” for SOCKS5 or “local” for others. On SOCKS4
protocol, remote resolving method (“remote” and “both”) requires protocol 4a
supported server.
-p will forward a local TCP port instead of using the standard input and output.
-P same to ‘-p’ except keep remote session. The program repeats waiting the port
with holding remote session without disconnecting. To connect the remote
session, send EOF to stdin or kill the program.
-w timeout in seconds for making connection with TARGET host.
-d used for debug. If you fail to connect, use this and check request to and
response from server.
USAGE To use proxy, this example is for SOCKS5 connection to connect to “host” at port 25 via
SOCKS5 server on “firewall” host.
connect-proxy -S firewall host 25
SOCKS5_SERVER=firewall; export SOCKS5_SERVER; connect-proxy -s host 25
For a HTTP-PROXY connection:
connect-proxy -H proxy-server:8080 host 25
HTTP_PROXY=proxy-server:8080; export HTTP_PROXY; connect-proxy -h host 25
To forward a local port, for example to use ssh:
connect-proxy -p 5550 -H proxy-server:8080 host 22 ssh -l user
To use it along ssh transparently:
# file~/
# not using proxy on lan
Host 192. *
ProxyCommand connect-proxy%h%p
# mandatory to access the internet
Host *
ProxyCommand connect-proxy -H proxyserver:8080%h%p
Or for all users ( /etc/ssh/ssh_config)
ENVIRONMENT SOCKS5_USER, SOCKS5_PASSWORD, HTTP_PROXY_USER, HTTP_PROXY_PASSWORD, CONNECT_PASSWORD,
LOGNAME, USER
SEE ALSO ssh (1).
WWW
AUTHOR This manual page was written by Philippe Coval for the Debian system (but may
be used by others). Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU General Public License, Version 2 any later version published
by the Free Software Foundation.
On Debian systems, the complete text of the GNU General Public License can be found in
/usr/share/common-licenses/GPL.
CONNECT-PROXY(1)
How to setup a Socks5 Proxy server on Ubuntu with Dante
Dante Socks5 Server
Dante is a socks5 server that you can use to setup a socks5 proxy on your ubuntu or debian machine. In this quick tutorial we shall learn how to setup dante and use authentication.
With authentication enabled, the dante proxy server would require all clients to provide login details in order to use the proxy server. This is a good idea.
1. Install Dante on Ubuntu
The default Ubuntu repositories have the dante-server package but it is outdated. The version present is 1. 1. 19 which is quite old and also has some bugs. The authentication feature does not work properly.
If you don’t need authentication then you can install it.
sudo apt-get install dante-server
The version in repository was
# danted -v
danted: dante v1. 19
Known authentication issues
Like mentioned earlier, the authentication feature does not properly work with it. The log file shows the following error messages –
Mar 11 14:05:05 (1489241105) danted[5020]: pass(1): tcp/accept]: username%[email protected] -> 104. 131. 115. 128. 1080: system username/password failed
Trying to test with curl shows the following error message –
$ curl -v -x socks5username:[email protected]:1080 * Trying 104. 128…
* User was rejected by the SOCKS5 server (1 1).
* Closing connection 0
curl: (7) User was rejected by the SOCKS5 server (1 1).
Some users have reported similar issues at this reddit post -Install newer version directly from file
So we need to install a newer version. There is a ppa for dante-server at –
but it is no longer being maintained. But we can use the deb file from the ppa to install dante on Ubuntu 16. 10
The download url is this:
using the wget command:
# wget Install using gdebi command:
$ sudo apt-get install gdebi-core
$ sudo gdebi
2. Configure
The next task is to configure the dante server before starting it. The configuration file can be found here –
nano /etc/
The contents should look similar to this –
# /etc/
logoutput: syslog
ivileged: root
user. unprivileged: nobody
# The listening network interface or address.
internal: 0. 0. 0 port=1080
# The proxying network interface or address.
external: eth0
# socks-rules determine what is proxied through the external interface.
# The default of “none” permits anonymous access.
socksmethod: username
# client-rules determine who can connect to the internal interface.
clientmethod: none
client pass {
from: 0. 0/0 to: 0. 0/0
log: connect disconnect error}
socks pass {
Now start the danted proxy server
# service danted start
Use the netstat command to check the port number
# netstat -nlpt | grep dant
tcp 0 0 0. 0:1080 0. 0:* LISTEN 6342/danted
3. Create a User
Dante can use the system unix user accounts to authenticate the connecting clients. For this you should create a separate user. Any client that will be connecting to this proxy server will be sending the password in plain text over the network, so beware of that.
$ adduser mike
4. Test with curl
Once you have setup everything, its time to test that the proxy server is working as expected. Use the curl command to do this. Specify the username, password, server ip and port number and try fetching some url.
curl -v -x socks5mike:[email protected]
Conclusion
Dante is a socks5 server that can be used as a proxy server. For instance you can setup an online linux server and use it as a proxy server to access other websites. Such proxy servers are useful when you need to change your ip address on the internet or access a website from a different geo location.
If you need an proxy server or caching solution try Squid Proxy which supports, etc.
Resources
Config documentation can be found here –
If you want to compile the latest version of dante from source then check out these links –
Frequently Asked Questions about socks proxy ubuntu
How do you make a proxy for a sock?
Steps to create SOCKS proxy using SSH:Launch a terminal application.Test your SSH connection to the remote host (optional). … Connect to the remote host using bind_address option to create an SSH SOCKS proxy from your local machine to the remote SSH server. … Check if the tunnel is running in your local host.More items…
What does a SOCKS proxy do?
SOCKS is designed to route any type of traffic generated by any protocol or program. A SOCKS proxy server creates a Transmission Control Protocol (TCP) connection to another server behind the firewall on the client’s behalf, then exchanges network packets between the client and the actual server.Sep 27, 2019
How use SOCKS5 proxy in Linux?
To use it, just make your software use SOCKS5 proxy on your Linux computer’s IP, port 1080, and you’re done – all your requests will now get proxied. The first rule says, allow anyone from 1.2. 3.4 to connect to port 1080 , and the other rule says, deny everyone else from connecting to port 1080 .