Run your own SOCKS5 proxy server on Windows/Mac/*nix with nothing but SSH. Access restricted web sites, use instant messenger, ftp, and other protocols from school/work by leveraging your cable/DSL connection at home!
Who is this tutorial for?
- This is an advanced topic.
- This tutorial is for the person who needs to access restricted web sites, use instant messenger, ftp, and other protocols from a location with a restricted internet connection (e.g., work, school)
- You should be comfortable using SSH
- You should have a decent understanding of the internet and networks in general
- You should know what a proxy is (read this if you don’t).
- An unrestricted internet connection. Perhaps you have this at home (instead of school/work) or at a friend’s house.
- A computer which you can leave turned on while you’re at school, work, or wherever the restricted internet connection is.
- ssh. If you are using Linux, OS X, Unix, Debian, FreeBSD, or any variant of these, ssh is already installed. If you’re using Windows, download Cygwin or copSSH.
- From a command prompt, run this command on the linux/unix/osx computer with the unrestricted internet connection:
ssh -D8080 -g www.paypal.com
The -D option starts ssh as a SOCKS server listening on port 8080. It also enables port forwarding so that any connection made to port 8080 is forwarded to its actual destination host and port. The www.paypal.com does nothing here; ssh examines the application protocol of the inbound connection to determine the ultimate destination of the connection. The -g option allows remote hosts to connect. Without this option, only connections to port 8080 from localhost would be allowed. See the ssh man page for more info.
- If your IP address is in one of these ranges:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
you are most likely behind a router using NAT addressing. If so, configure port forwarding on your router to forward the port you chose in the previous step to the NAT’d IP address of the PC which will run ssh (e.g., 192.168.x.x).
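Added example (not part of the original tutorial): ssh -D performs no SOCKS-level authentication, so a listener opened with -g and forwarded through the router answers anyone who can reach the port. This Python code runs the SOCKS5 method negotiation from RFC 1928 against a listener you operate and reports whether it accepts unauthenticated clients; the function names and result labels are assumptions of this example.

```python
import socket

SOCKS5 = 0x05
NO_AUTH = 0x00          # RFC 1928 method: no authentication required
USER_PASS = 0x02        # RFC 1929 method: username/password
NO_ACCEPTABLE = 0xFF    # server rejects every method the client offered

def build_greeting(methods=(NO_AUTH, USER_PASS)):
    """Client greeting: VER, NMETHODS, then one byte per offered method."""
    return bytes([SOCKS5, len(methods), *methods])

def parse_method_reply(reply):
    """Classify the 2-byte server reply (VER, METHOD)."""
    if len(reply) != 2 or reply[0] != SOCKS5:
        return "not-socks5"
    if reply[1] == NO_AUTH:
        return "open"            # relays for anyone who can reach the port
    if reply[1] == NO_ACCEPTABLE:
        return "refused"
    return "auth-required"

def negotiate(sock):
    """Run the method negotiation on an already connected socket."""
    sock.sendall(build_greeting())
    reply = b""
    while len(reply) < 2:
        chunk = sock.recv(2 - len(reply))
        if not chunk:            # peer closed before answering
            break
        reply += chunk
    return parse_method_reply(reply)

def check_listener(host, port, timeout=5.0):
    """Connect to a listener you operate and report how it answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return negotiate(s)
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"

if __name__ == "__main__":
    # Constructed demo: one end of a socketpair plays a server that answers
    # the way an unauthenticated SOCKS5 listener does (bytes 05 00).
    client, server = socket.socketpair()
    server.sendall(bytes([SOCKS5, NO_AUTH]))
    print(negotiate(client))     # open
    client.close(); server.close()
```

Run check_listener against the forwarded port from outside your network: a result of "open" means the proxy is usable by anyone who finds it, so restrict the source addresses allowed by the router or host firewall.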
Selecting a Port For Your Proxy Server
In the example above, our proxy server is listening on port 8080. Here are some tips to consider when selecting a port:
- If this proxy server will be running on a residential cable/DSL connection, many ISPs prevent inbound connections to residential connections on ports 80 and 25 as well as others. Make sure you choose a listening port for ssh that isn’t blocked by your ISP. To find out which inbound ports your ISP prevents connection to, find the FAQ for your ISP at http://www.dslreports.com/faqnew.
- If you will be connecting to this proxy server from a corporate environment, be aware that some corporate firewalls only permit outbound connections on a few ports to machines outside their firewall. Often outbound ports 21, 23, 80, and 443 are permitted because they are typically used for FTP, telnet, HTTP, and SSL, respectively.
Configuring FoxyProxy to Use Your Proxy Server
What if my unrestricted internet connection has a dynamic IP address?
If your ISP periodically changes your IP address as many cable/dsl ISPs do, get a free No-IP or DynDNS account. These services grant you a free domain name; for example, myproxy.bounceme.net. You run client software on your PC which “phones home” to DynDNS/No-IP every 30 minutes, informing them of your current IP address. Note that many modern consumer-oriented routers from Linksys, Netgear, D-Link, etc. have this software built-in so you don’t need to run a client on your PC.