While VPN’s are great for virtual private networks (hence the name), it is often overkill if you just want to bypass a firewall or get an encrypted tunnel to protect yourself from snooping (e.g. on public Wi-Fi). More often than not, a VPN is also a paid service unless you set it up yourself, but for many the setup is too much. I will show you how to use an SSH tunnel for free!
If you’re on Mac, Linux or BSD, chances are you already have OpenSSH (or compatible) and everything you need installed. On Windows, you can use PuTTY or WSL.
- A computer with OpenSSH or compatible client installed.
- A server with OpenSSH or compatible server installed, and accessible from the internet (e.g. a Raspberry Pi or a VPS).
- If you want to bypass firewalls, you need to edit the OpenSSH server config to also listen on port 443/tcp.
The idea is simple: The OpenSSH client will act as a SOCKS proxy running locally on your machine, accepting local connections and forwarding them to the SSH server, from which the traffic will then go out to the internet. The forwarding happens inside an encrypted SSH tunnel, which means no one can snoop on the traffic (useful on public Wi-Fi and untrusted networks) and because all traffic will exit through the SSH server, it also means you will bypass firewall restrictions. If you are on a very restrictive firewall, port 22/tcp might be blocked so you’ll have to make OpenSSH listen on port 443/tcp (either instead or in addition to 22/tcp).
Configuring the SSH server ports
It is advised that your OpenSSH server listens on 443/tcp to be reachable from restrictive firewalls.
If this is not needed for you, you can skip to the client setup.
/etc/ssh/sshd_config with your favorite editor, e.g. nano:
You will see a commented out line:
Change it to this:
Port 22 Port 443
This will make sure SSH will be listening both to port 22 and port 443, so you can keep using SSH as normal!
Restart SSH with:
systemctl restart sshd
service ssh restart, and if that does not work either, reboot.
Make sure that port 443/tcp is accessible. If you are using UFW, simply run:
ufw allow 443/tcp
Also note, that you cannot use SSH on 443/tcp if you are running a web server on 443/tcp (unless you install a special proxy like SSLH to allow that).
Luckily, you don’t need to configure anything on the client side! Assuming you already know how to use SSH and can already connect to the server.
ssh -p 443 -D 1080 -N [email protected]
Where -p defines the server port, and -D starts a local SOCKS listener at port 1080 (the default SOCKS port) and -N means no command will be sent to the server (so you won’t see a prompt) and then the user and server address as normal. If successful, you should see nothing (it will look like it froze). Keep the terminal open.
Now on your software like the web browser, XMPP or IRC client and the like, set it up so that it uses the local SOCKS server, by telling it to connect to localhost at port 1080. If you are on a Mac, you can set up a system-wide proxy in the network settings. If asked, it’s SOCKS version 4 or 5 and it does not need authentication.
To end your SSH tunnel session, first undo the proxy settings in your client software, and then exit out of SSH in the terminal with ^C (control + C).
Setting up Firefox to use SOCKS
Click on the hamburger menu (three lines at the top right) and choose “Options”, in the “General” tab, scroll all the way down to “Network Settings”, click on “Settings…” and choose “Manual proxy configuration”, and enter “SOCKS Host”: localhost on port 1080 and click OK.
Remember, when you disconnect from SSH, to undo this setting or you will not be able to surf the web. If available, choose to proxy DNS through SOCKS too, or better yet you might want to use DNS over HTTPS to protect yourself further.
That’s pretty much it!
Questions or suggestions? Let me know in the comments!