Ssh – Run SSH over a SOCKS proxy

dns, socks, ssh

I need VPN-like behavior locally, without using a VPN.

I've created a SOCKS proxy to a given server which is reachable from the WAN, and I want all of my traffic forwarded through that proxy so I can reach hosts inside of that network.

My SOCKS proxy looks like this:

ssh -t -D 8088 user@proxy-host 'watch -n 1 date'

I've set up my system to proxy through this using the System Settings.

I've verified that my environment variables are being set properly:

naftuli@macbook-nkay:~$ env | grep socks_proxy
socks_proxy=socks://127.0.0.1:8088/

However, when I go to SSH to a given server, I can't reach it:

$ ssh internal-host
ssh: Could not resolve hostname internal-host: Name or service not known

I think that the problem is that DNS isn't being forwarded over the SOCKS tunnel. Is there a way to set that up? I was able to configure Firefox to manually use remote DNS and it worked great. Is there an environment variable for this?

Best Answer

A similar topic was discussed on SU:

openssh itself doesn't understand the socks_proxy environment variables. You need to use, for example, netcat to direct the traffic over the proxy:

 # OpenBSD netcat syntax (the default nc on macOS and Debian/Ubuntu); with nmap's ncat use: --proxy 127.0.0.1:8088 --proxy-type socks5
 ssh -o ProxyCommand='nc -X 5 -x 127.0.0.1:8088 %h %p' user@host

Forwarding DNS requests is more complicated, because the low-level functions in openssh do not respect environment variables. You will probably need to set up a local DNS resolver which forwards the requests to the proxy. There is dns-tcp-socks-proxy, which should handle this.

./dns_proxy --socks_port=8088 --listen_port=53

When you have this daemon running, you should set up your /etc/resolv.conf (hope Mac respects this one) to use this DNS:

nameserver 127.0.0.1

A simple test should be possible using dig; once this resolver is functional, you will not need the proxy part:

dig example.com

Alternative as jumpbox:

As an easy alternative, I can recommend using the host as a normal jumphost, skipping the proxy part and doing the I/O redirection with the -W switch:

ssh -oProxyCommand="ssh -W %h:%p jumpbox" destination_host

It should do the DNS resolving and routing on the jumpbox. This option can be easily incorporated into your ~/.ssh/config.
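The following is an added example, not code from the question, the answer, or the dns-tcp-socks-proxy project. It implements the resolver step of the answer in Python so the mechanics are visible: ssh -D only relays SOCKS5 CONNECT (TCP), so a UDP DNS query cannot be tunnelled as-is and must be re-framed as TCP DNS (2-byte length prefix, RFC 1035 s4.2.2) and sent through the SOCKS tunnel to a resolver inside the remote network. The same code shows why remote name resolution works at all: a SOCKS5 client may send the proxy a hostname (ATYP 0x03) instead of an address, which is what Firefox's "remote DNS" option and OpenBSD netcat's %h pass-through rely on, and which keeps internal hostnames from leaking to the local resolver the way the failing `ssh internal-host` above does. Assumptions, not from the page: the proxy is the question's 127.0.0.1:8088, the far-side resolver is 10.0.0.1:53, and the relay listens on unprivileged port 5353 (the answer uses 53, which needs root).

```python
import socket
import struct

# Assumed for this example (not from the page): the far-side resolver address and the listen port.
SOCKS_PROXY = ("127.0.0.1", 8088)   # the question's `ssh -D 8088`
RESOLVER = ("10.0.0.1", 53)         # a resolver reachable only through the tunnel
LISTEN = ("127.0.0.1", 5353)        # unprivileged port; point dig/resolv.conf here

def socks5_connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT. A dotted quad is sent as ATYP 1; any other host goes as
    ATYP 3 (domain name), so the proxy end resolves it, not the local machine."""
    try:
        atyp, payload = 1, socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, payload = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + payload + struct.pack("!H", port)

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf

def socks5_handshake(sock: socket.socket, host: str, port: int) -> None:
    """Offer 'no auth' (all ssh -D accepts) and CONNECT to host:port."""
    sock.sendall(b"\x05\x01\x00")
    if _recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("proxy rejected the no-auth method")
    sock.sendall(socks5_connect_request(host, port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep}")
    # Drain BND.ADDR/BND.PORT so they are not mistaken for DNS data.
    addr_len = _recv_exact(sock, 1)[0] if atyp == 3 else {1: 4, 4: 16}.get(atyp)
    if addr_len is None:
        raise ConnectionError(f"unknown ATYP {atyp} in reply")
    _recv_exact(sock, addr_len + 2)

def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """UDP-format DNS query with RD set; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab for lab in name.encode("idna").split(b".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg: bytes, off: int) -> int:
    while True:                      # walk labels; a compression pointer ends the name
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg: bytes):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):              # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def resolve_via_socks(query: bytes, proxy=SOCKS_PROXY, resolver=RESOLVER) -> bytes:
    """Carry one DNS message to the resolver over TCP through the tunnel; ssh -D
    relays TCP CONNECT only, so the UDP query is re-framed with TCP DNS's length prefix."""
    with socket.create_connection(proxy, timeout=10) as s:
        socks5_handshake(s, *resolver)
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)

def serve(listen=LISTEN) -> None:
    """UDP front end; test with: dig @127.0.0.1 -p 5353 internal-host"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(listen)
        while True:
            query, client = udp.recvfrom(4096)
            try:
                udp.sendto(resolve_via_socks(query), client)
            except (OSError, ConnectionError) as exc:
                print(f"relay for {client} failed: {exc}")

if __name__ == "__main__":
    serve()
```

Run it next to the `ssh -D 8088` session and query it with `dig @127.0.0.1 -p 5353 internal-host`; every name then travels inside the tunnel as TCP, and nothing is sent to the local resolver. The relay answers from whatever the far-side resolver returns, so a tool pointed at it only gains the internal view of DNS; it does not itself proxy the subsequent connection, which still needs the ProxyCommand or ProxyJump arrangement from the answer.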
