SSH Reverse socks tunnel


Solution 1

With -D & -L you have a way to communicate either way between the two machines.

So...

  • From the local machine, use -R to create a listening port on the remote machine pointed at the local machine's sshd.
  • Use -D on the remote machine, pointed at the port you created above.

I "think" filling in the below will make it work...

ssh remotehost -R remoteport:localhost:localport "ssh -D 9050 localhost -p remoteport"

'remotehost', 'remoteport' & 'localport' in the above need changing. A socks proxy will be formed on 9050.

Solution 2

Can be achieved transparently with this snippet in ~/.ssh/config:

Host sockstunnel
    ProxyCommand ssh -D 3128 localhost nc -q 1 localhost 22

Host target
    RemoteForward 3128 localhost:3128
    ProxyCommand ssh -W target:22 sockstunnel

Details

We want a reverse DynamicForward. This is achieved using two ssh commands:

  • ssh -D 3128 localhost
  • ssh -R 3128:localhost:3128 target

This way target has a SOCKS tunnel to the SSH client.

What I did is to use the classical way of chaining ssh to reach a remote target through intermediate hosts so that the SOCKS tunnel creation is handled transparently while logging into the target. The first ProxyCommand + nc trick is mandatory because -W implies ClearAllForwardings.

Solution 3

local$ ssh -R 1080 remote
remote$ curl --socks5 localhost https://example.com

since OpenSSH 7.6

ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported.

https://www.openssh.com/txt/release-7.6
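The version gate described above can be scripted. This is an added example, not part of the original answer: it parses an `ssh -V` banner and prints either the native `-R port` form or, for clients older than 7.6, the two-command form from Solution 2's details. The function names and the sample banners are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pick the native reverse SOCKS syntax or the pre-7.6 workaround.

# Print "major minor" parsed from an `ssh -V` banner (empty if unparseable).
ssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Succeed when the banner reports OpenSSH 7.6 or later.
supports_reverse_dynamic() {
    set -- $(ssh_version "$1")
    [ $# -eq 2 ] || return 1
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 6 ]; }
}

# Print the command(s) to run on the local machine. Args: banner remote port.
reverse_socks_command() {
    # Reject a host that ssh would parse as an option, and non-numeric ports.
    case "$2" in ''|-*) return 2 ;; esac
    case "$3" in ''|*[!0-9]*) return 2 ;; esac
    { [ "$3" -ge 1 ] && [ "$3" -le 65535 ]; } || return 2
    if supports_reverse_dynamic "$1"; then
        # Native form: the client itself answers SOCKS requests from the remote.
        printf 'ssh -N -R %s %s\n' "$3" "$2"
    else
        # Workaround: local SOCKS listener plus a plain remote forward to it.
        # This path needs an sshd running on the local machine.
        printf 'ssh -f -N -D %s localhost && ssh -N -R %s:localhost:%s %s\n' \
            "$3" "$3" "$3" "$2"
    fi
}

# Constructed banners (not captured from real hosts) exercising both branches.
# In real use, pass the output of: ssh -V 2>&1
reverse_socks_command 'OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2' remote 1080
reverse_socks_command 'OpenSSH_7.4p1, OpenSSL 1.0.2k-fips' remote 1080
```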

Solution 4

There is no facility for providing a reverse socks tunnel with OpenSSH, so you must run the ssh command providing the socks proxy on the "remote" machine.

If the remote machine cannot ssh into the local machine, first create an ssh connection from local to remote which forwards port 22 to e.g. 2222. Then the remote machine can ssh into the local machine on port 2222.

Solution 5

Newer versions of OpenSSH (>= 7.6) natively support reverse dynamic TCP forwarding. From the (current) manual at the -R option:

... if no explicit destination [is] specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.

Please refer to the friendly man page for the details.
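Because the SOCKS handling lives entirely in the client, the server sees a reverse dynamic forward as an ordinary `-R` listen request, so the server-side controls are the usual remote-forwarding ones. The following is an added example, not part of the original answer: it reads `sshd -T` output and reports how `AllowTcpForwarding`, `GatewayPorts` and `PermitListen` treat such listeners. The function names and the sample configuration excerpts are constructed for the illustration.

```shell
#!/bin/sh
# Added example: review the server-side settings that govern -R listeners.

# Read `sshd -T` output (lowercase keywords) on stdin; print one finding per line.
audit_remote_forwarding() {
    awk '
        BEGIN { fwd = "yes"; gw = "no"; listen = "any" }   # sshd defaults
        $1 == "allowtcpforwarding" { fwd = $2 }
        $1 == "gatewayports"       { gw = $2 }
        $1 == "permitlisten"       { $1 = ""; sub(/^ /, ""); listen = $0 }
        END {
            if (fwd == "no" || fwd == "local") {
                print "OK allowtcpforwarding=" fwd " refuses -R listeners"
                exit
            }
            print "INFO allowtcpforwarding=" fwd " accepts -R listeners"
            if (gw != "no")
                print "WARN gatewayports=" gw " allows non-loopback binds"
            if (listen == "any")
                print "WARN permitlisten=any leaves listen ports unrestricted"
            else
                print "INFO permitlisten limits -R listeners to: " listen
        }'
}

# Constructed excerpts of `sshd -T` output, not taken from a real host.
sample_default() {
    printf '%s\n' 'port 22' 'allowtcpforwarding yes' 'gatewayports no' 'permitlisten any'
}
sample_exposed() {
    printf '%s\n' 'allowtcpforwarding yes' 'gatewayports yes' 'permitlisten any'
}
sample_limited() {
    printf '%s\n' 'allowtcpforwarding remote' 'gatewayports no' 'permitlisten 1080'
}
sample_disabled() {
    printf '%s\n' 'allowtcpforwarding local'
}

sample_default | audit_remote_forwarding
```

On a live server the input would come from `sshd -T`, which needs root and reports the effective global settings rather than per-user `Match` overrides.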

Author by

Berry

Linux System Administrator at NetEase Game.

Updated on September 18, 2022

Comments

  • Berry
    Berry over 1 year

    ssh -D can make a SOCKS port on the local machine, which passes the traffic to the remote, then to other places.

    ssh -L port:host:hostport listens on port at the local machine and passes the traffic to "host:hostport" from the point of view of the remote machine.

    ssh -R port:host:hostport is the counterpart of ssh -L: it listens on port at the remote machine and passes the traffic to "host:hostport" from the point of view of the local machine.

    But what is the counterpart of ssh -D, i.e., how do I open a SOCKS port on the remote machine that passes the traffic to the local machine, then to other places?

    • barlop
      barlop almost 9 years
      the question loses value because you accepted an answer that doesn't and cannot work. This(which the answerer mentioned in comment) does it though stackoverflow.com/questions/842021/…
  • Pricey
    Pricey over 12 years
    Oh, looks like this was asked on SO: stackoverflow.com/questions/842021/… Only answer is the same idea. I'm sure one will work ;-) EDIT - yep, that one was more right than mine. I've patched mine up.
  • Berry
    Berry over 12 years
    Actually, I did use this indirect method in my own situation. But in my friend's situation, he did not have root privileges, so he can't run an sshd service; he has only the OpenSSH client. So I wanted to figure out whether there is a direct method, but OpenSSH seems not to have one... Thank you all the same.
  • barlop
    barlop over 9 years
    If we put numbers in that then ssh remotehost -R 11234:localhost:33333 "ssh -D 9050 localhost:11234 I don't really understand that.. For example, ssh -D doesn't use that syntax. You don't do ssh -D 9050 localhost:11234 do you? ssh -D just takes a port or bindaddress:port Not -D port bindaddress port it just doesn't.. And in the answer you link to, seems quite different. If you see my comment to the answer you link to, his answer involves doing ssh -R and ssh -D(which he does in separate commands) but he does them from the same comp. Your ssh -D runs on the remote comp. That's different.
  • barlop
    barlop over 9 years
    Could you put some numbers in, and/or re-explain that ssh -D syntax to clarify?
  • Pricey
    Pricey over 9 years
    @barlop Whoops, forgot that ssh doesn't do host:port. I've corrected it above to host -p port which should work.
  • barlop
    barlop over 9 years
    Do you mean like $ ssh [email protected] -t -R 1234:127.0.0.1:9050 "ssh -D 9050 127.0.0.1 -p 22" So, would that create a SOCKS Proxy on the remote computer(10.0.0.5)on port 9050 as well as a port on the remote computer(1234) to access that SOCKS proxy? Funnily enough when I've tried it, it seems it doesn't work(for me in my test at least). The user at 10.0.0.5 can access his SOCKS proxy but can't access it through his other proxy port(1234). As seen here pastebin.com/raw.php?i=ZAzviVxt tested from 10.0.0.5 with e.g. $ curl --socks5 127.0.0.1:1234 http://www.google.com
  • barlop
    barlop almost 9 years
    @barlop and that won't work because say you run the ssh executable from 10.0.0.10 the -R says to forward to 10.0.0.10:9050 But the SOCKS server is running on 10.0.0.5
  • barlop
    barlop almost 9 years
    @PriceChild did you actually test your command?
  • barlop
    barlop almost 9 years
    -1 You didn't bother to test it and your command is completely wrong. You tried to make it like the other SO answer but you failed to. SSHing from A to B, The one you link to has ssh -D listen on A. Your one has it listen on B. Your one is wrong. You have the SOCKS proxy listening on the side that is listening.
  • Dakatine
    Dakatine almost 8 years
    this is worth a gold medal.
  • alonso s
    alonso s about 6 years
    Could you provide a more detailed explanation of what your commands do?
  • Federico
    Federico about 6 years
    This is plain wrong.
  • Scott - Слава Україні
    Scott - Слава Україні almost 5 years
    Can you provide a reference for this?
  • Adam Katz
    Adam Katz over 4 years
    By the way, there's a bug in openssh-client 8.0 in which you cannot choose a bind address with the port (ssh -R 127.0.0.3:1080 remote), you can currently bind a reverse SOCKS proxy only to a port.
  • Akira Yamamoto
    Akira Yamamoto about 3 years
    More details medium.com/faun/…
  • Michael Herrmann
    Michael Herrmann over 2 years
    This answer is so sparsely explained that it is basically impossible to understand.
  • Ivan Gonzalez
    Ivan Gonzalez about 2 years
    This should be the answer
  • Shimon Rura
    Shimon Rura about 2 years
    This is definitely the best approach now that the feature exists in OpenSSH. Thanks!