Ubuntu – ssh-tunneled SOCKS proxy connection refusals on Firefox 47.0 / Kubuntu 16.04


I am having difficulty making connections to websites using Firefox over a tunneled SOCKS proxy. SOCKS4/SOCKS5 makes no difference.

I set up the tunnel with

ssh -D 1234 id@remotehost.example.com

then point Firefox's SOCKS proxy to localhost on tcp/1234.

One key point to note here is that the tunnel I am setting up is on a remote server I have been using for this purpose for many years. I have proxied FF and other browsers through it for many thousands of sessions on a dozen or more different platforms across all major OSes. Once I get it working, it always works smoothly. However, on this particular instance of FF, I get odd and intermittent problems.

The problem is that FF doesn't seem to "want" to establish a connection. I type in a URL or click a link and I instantly get "Unable to connect" / "Firefox can't establish a connection to the server at …" When I say "instantly," I mean this pops back to me in some small fraction of a second.

So I hit "Try again" or the little reload arrow. And I do it again, and again, and again, as rapidly as I can. And after a few tries — sometimes 3-4, sometimes as many as 15-20 — I get a connection and everything works! So the tunnel / SOCKS connection is available, it's just that FF refuses to use it until it is bullied into doing so. Once I get a connection, further reloads do not cause it to be lost.

I have some add-ons, but a) I've disabled them selectively with no help, and b) I have (of course) tried safe-mode. There is no change.

Any suggestions?

Best Answer

I have to use a proxy every day at work in order to connect to servers on the other side of a firewall. I also use Firefox, Chrome and Ubuntu 16.04.


EDIT: I forgot one part of this. I have had to add a timeout to an ssh config file or my tunnel will time out and I lose my connection. Once I added the following stuff, my connection stays open:

In ~/.ssh/config add the following information (if the file does not exist, create it). This will send a server keepalive to your tunnel every 15 seconds.

Host *
ServerAliveInterval 15

I open my tunnel connection with the following command:

ssh -CfND 1234 username@proxyhost

Then in Firefox under the Connection Settings in the Manual proxy configuration I only fill in the SOCKS Host: with 127.0.0.1 and Port: 1234. Then I make sure that SOCKS v5 is selected. Also note that I don't have anything in the No Proxy for: box.

I am able to connect to my hosts that way without any problems.


Then for Chrome I run a command line so I don't have to set the settings to Chrome every time I want to go through the proxy, then no proxy. To connect Chrome to the proxy I run the following line:

nohup google-chrome-stable --proxy-server="socks5://127.0.0.1:1234" > /dev/null 2>&1 &

From the ssh manpage:

 -C      Requests compression of all data (including stdin, stdout,
         stderr, and data for forwarded X11, TCP and UNIX-domain connec‐
         tions).  The compression algorithm is the same used by gzip(1),
         and the “level” can be controlled by the CompressionLevel option
         for protocol version 1.  Compression is desirable on modem lines
         and other slow connections, but will only slow down things on
         fast networks.  The default value can be set on a host-by-host
         basis in the configuration files; see the Compression option.

 -f      Requests ssh to go to background just before command execution.
         This is useful if ssh is going to ask for passwords or
         passphrases, but the user wants it in the background.  This
         implies -n.  The recommended way to start X11 programs at a
         remote site is with something like ssh -f host xterm.

 -N      Do not execute a remote command.  This is useful for just for‐
         warding ports.

 -D [bind_address:]port
         Specifies a local “dynamic” application-level port forwarding.
         This works by allocating a socket to listen to port on the local
         side, optionally bound to the specified bind_address.  Whenever a
         connection is made to this port, the connection is forwarded over
         the secure channel, and the application protocol is then used to
         determine where to connect to from the remote machine.  Currently
         the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
         as a SOCKS server.  Only root can forward privileged ports.
         Dynamic port forwardings can also be specified in the configura‐
         tion file.

Hope this helps!
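A check for the local end of the tunnel described above, added here as an example and not part of the original question or answer: it sends the SOCKS5 greeting to every address a proxy host name resolves to and reports, per address, whether the listener opened by ssh -D accepted it. The helper name probe_socks5 is hypothetical; port 1234 is the one used in the commands on this page.

```python
import socket

GREETING = b"\x05\x01\x00"   # SOCKS5, one method offered, "no authentication"
ACCEPTED = b"\x05\x00"       # SOCKS5, "no authentication" selected


def probe_socks5(host, port, timeout=3.0):
    """Send the SOCKS5 greeting to every address `host` resolves to.

    Returns [(address, status), ...] with status 'ok', 'refused',
    'timeout', 'not-socks5' or 'error: <reason>'.
    """
    results, seen = [], set()
    for family, kind, proto, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        if sockaddr in seen:
            continue
        seen.add(sockaddr)
        try:
            with socket.socket(family, kind, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                s.sendall(GREETING)
                reply = b""
                while len(reply) < 2:          # recv may return short reads
                    chunk = s.recv(2 - len(reply))
                    if not chunk:
                        break
                    reply += chunk
            status = "ok" if reply == ACCEPTED else "not-socks5"
        except ConnectionRefusedError:
            status = "refused"                 # nothing listening on this address
        except socket.timeout:
            status = "timeout"
        except OSError as exc:
            status = "error: %s" % exc
        results.append((sockaddr[0], status))
    return results


if __name__ == "__main__":
    # 1234 is the -D port used on this page; adjust to your own tunnel.
    for name in ("localhost", "127.0.0.1"):
        for address, status in probe_socks5(name, 1234):
            print("%-10s %-40s %s" % (name, address, status))
```

A "refused" row for one address next to an "ok" row for another means the listener is not bound on the refused address, so a client that picks that address fails immediately.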
