The **link** talks about TCP over TCP when http is used over SOCKS via SSH. I am trying to browse from Firefox (on Ubuntu 14.04) after setting up the SOCKS5 proxy option via localhost. I created a SOCKS5 connection using SSH (created using SSH -D) to another host (which then takes the packets and routes them out). The **link** says that SSH can be made to work in a none encryption mode, but after applying the small patch suggested there to OpenSSH's cipher.c, I see encrypted packets in wireshark even though it says (encryption:none mac:umac-64@openssh.com compression:none) SSH Protocol SSH Version 2 (encryption:none mac:umac-64-etm@openssh.com compression:none) Packet Length: 48 Encrypted Packet: 0932000000076d696e696e65740000000e7373682d636f6e... MAC: 1a7bf2cfa15def0f I would like to verify if this is actually a TCP over TCP connection. Edit: does it matter that I get prompted for a password when I start the SSH -D (ssh user@host2 -D 8080). Somehow, I am unable to get host2 to not prompt me for a password (even though I added host1's key into host2).

I have a local machine with CentOS 7. There is a Socks V5 proxy server on the local subnet that provides this machine with access to the internet. I am able to download files with,

curl  -x --proxy  socks5://ipaddress:1080 -u username:password www.google.com

On my local machine I am currently running Artifactory and Jenkins webapps in Tomcat. The systems do not natively provide socks proxy setup; and require access to the internet. I tried tsocks, however remote DNS requests are not resolved. How to I get this working?

I've seen a similar question but it's different enough for the answer not to quite work. I have two Debian Buster hosts - one in a private network (A); one in Azure (B). I'd like Host A to initiate a reverse SSH connection from Host B. Then Host B subsequently to open a SOCKS proxy listener so that connections to that are tunnelled back to Host A. I would like to achieve all of this just by entering commands on Host A. I know that I can set up the reverse SSH tunnel from Host B to Host A (initiated by Host A) like so:

ssh -R b:localhost:a b.b.b.b

a = the listening port on Host A b = the listening port on Host B and b.b.b.b is the IP address of Host B. How can I then get the second part - automatically creating a SOCKS proxy listener on Host B - to work? Is it even possible? Or would I need to create a script on Host B that creates the SOCKS proxy listener whenever netstat shows the reverse SSH tunnel is Established (or similar)? Editted to try and clarify based on first answer.

I've been trying to use a SOCKS Proxy which I have been using with success from an Ubuntu 11.4 box with GNOME on my Debian box with KDE.The socks server is bound to the local port 1080 through the following ssh command: ssh -p222 -D 1080 @socks_server_domain_name Following the advice I found here: http://emilsedgh.info/blog/index.php?/archives/14-SOCKS-proxy-on-KDE.html I edited my ~/.kde/share/config/kioslaverc file and now it looks like this: jason@debian-laptop:~$ cat ~/.kde/share/config/kioslaverc PersistentProxyConnection=true [$Version] socksProxy=socks://localhost:1080 update_info=kioslave.upd:kde2.2/r1,kioslave.upd:kde2.2/r2,kioslave.upd:kde2.2/r3 However, once I use System Settings->Network Settings->Proxy, I click on "Manually specify the proxy settings", but the dialog won't let me hit "apply" without prompting me to fill in information in the "setup" dialog: which is not helpful at all, because there is no "SOCKS" protocol option in the "setup" dialog. I'd also like to add that, when switching to GNOME in the same box, I am able to run the SOCKS proxy by specifying "localhost" and "1080" in System->Preferences->Network Proxy, in exact the same way I did it in my Ubuntu box.

I am using selektor, which is similar to vidalia tor bundle. The default settings, use safe socks with port number 9054. It is fine and when I set the firefox proxy to "use system proxy", I can access blocked website, e. g. www.torproject.org As I enter wget http://torproject.org , that will not use the vpn established. What can I do, in oder to make it work? I don't want to use a prefix such as foo wget www.torproject.org. Is there any way to define a socks_proxy variable? I see http_proxy which is not appropriate here. Any idea?

I nearly waste my 1 day for this issue. I have 2 PCs; 1. Windows as a client, 10.20.30.20 2. Debian(latest) as a server, 10.20.30.10 I install Dante(SOCKS proxy) and configure/restart it. I can use this SOCKS proxy(10.20.30.10/1080TCP) from "1". (Firefox, No auth) So I add this proxy to uTorrent's connection setting. Proxy Server: Type=SOCKS5, Proxy=10.20.30.10, Port=1080, No Auth uTorrent start using my SOCKS proxy, but it can't connect to DHT/UDP. uTorrent make these connections(example); *65432 = uTorrent's Listening Port TCP 10.20.30.20:(random)->10.20.30.10:1080 {Yeah, this is what I'm expected!} UDP 10.20.30.20:65432->10.20.30.10:(random) {Huh?} Since uTorrent make a UDP packet, and Dante doesn't open UDP port(s) UDP packet was ignored(drop) by a server. Dante is opening only 1 port(TCP 1080), and I can't understand why uTorrent is not using TCP protocol when relaying UDP. My questions are: 1. How can I force Dante to open UDP port dynamically, when asked? 2. If "SOCKS5 is supporting UDP" is true, why uTorrent can't send UDP to TCP port? --- dante setting logoutput: syslog internal: 10.20.30.10 port = 1080 external: tun0 method: username none clientmethod: none user.privileged: root user.notprivileged: nobody user.libwrap: nobody connecttimeout: 50 client pass { from: 10.20.30.20/32 port 1024-65535 to: 0.0.0.0/0 } client block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error } block { from: 0.0.0.0/0 to: 127.0.0.0/8 log: connect error } pass { from: 10.20.30.20/32 to: 0.0.0.0/0 protocol: tcp udp #command: bind connect udpassociate ##^ I already tried Enable/Disable command, change from to 0.0.0.0/0, and so on, but no success! } block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }

Suppose I have UDP server that listen incoming message on 192.168.43.1:1234 and SOCKS5 proxy server that listen on 192.168.43.2:9999. How do I check whether SOCKS5 proxy server support UDP when accessed with a SOCKS5 client? I know that SOCKS5 support UDP, but I just want make sure if it's really supported. I expect UDP server receive message from client and client got reply from server with netcat or similiar tools.

How do I get rtorrent to use a socks5 proxy? I've tried to get socks5 to work with rtorrent, but it doesn't seem to have any impact. Setup the socks5 proxy on port 9800: ssh -ND 9800 user@otherhost in .rtorrent.rc http_proxy=127.0.0.7:9800 proxy_address=127.0.0.7:9800 It cannot download any data from tracker. Tracker: [Server returned nothing (no headers, no data)] And my ip does not appear to use the IP from "otherhost" when I check with http://www.checkmytorrentip.com/ I also tried using tsocks rtorrent server = 127.0.0.1 eserver_type = 5 server_port = 9800 This shows my IP as coming from 'otherhost', but after a few seconds rtorrent freezes up. I am using rTorrent 0.9.2/0.13.2

To reach an isolated network I use an [tag:SSH] -D [tag:socks] [tag:proxy]. In order to avoid having to type the details every time I added them to ~/.ssh/config: $ awk '/Host socks-proxy/' RS= ~/.ssh/config Host socks-proxy Hostname pcit BatchMode yes RequestTTY no Compression yes DynamicForward localhost:9118 Then I created a [tag:systemd-user] service unit definition file: $ cat ~/.config/systemd/user/SocksProxy.service [Unit] Description=SocksProxy Over Bridge Host [Service] ExecStart=/usr/bin/ssh -Nk socks-proxy [Install] WantedBy=default.target I let the daemon reload the new service definitions, enabled the new service, started it, checked its status, and verified, that it is listening: $ systemctl --user daemon-reload $ systemctl --user list-unit-files | grep SocksP SocksProxy.service disabled $ systemctl --user enable SocksProxy.service Created symlink from ~/.config/systemd/user/default.target.wants/SocksProxy.service to ~/.config/systemd/user/SocksProxy.service. $ systemctl --user start SocksProxy.service $ systemctl --user status SocksProxy.service ● SocksProxy.service - SocksProxy Over Bridge Host Loaded: loaded (/home/alex/.config/systemd/user/SocksProxy.service; enabled) Active: active (running) since Thu 2017-08-03 10:45:29 CEST; 2s ago Main PID: 26490 (ssh) CGroup: /user.slice/user-1000.slice/user@1000.service/SocksProxy.service └─26490 /usr/bin/ssh -Nk socks-proxy $ netstat -tnlp | grep 118 tcp 0 0 127.0.0.1:9118 0.0.0.0:* LISTEN tcp6 0 0 ::1:9118 :::* LISTEN This works as intended. Then I wanted to avoid having to manually start the service, or running it permanently with [tag:autossh], by using [tag:systemd] [tag:socket-activation] for on-demand (re-)spawning. That didn't work, I think (my version of) ssh cannot receive socket file-descriptors. I found the documentation ((http://0pointer.de/blog/projects/socket-activation.html),(http://0pointer.de/blog/projects/socket-activation2.html)) , and [an example](https://unix.stackexchange.com/questions/352495/systemd-on-demand-start-of-services-like-postgresql-and-mysql-that-do-not-yet-s) for using the [systemd-socket-proxyd](https://www.freedesktop.org/software/systemd/man/systemd-socket-proxyd.html)-tool to create 2 "wrapper" services, a "service" and a "socket": $ cat ~/.config/systemd/user/SocksProxyHelper.socket [Unit] Description=On Demand Socks proxy into Work [Socket] ListenStream=8118 #BindToDevice=lo #Accept=yes [Install] WantedBy=sockets.target $ cat ~/.config/systemd/user/SocksProxyHelper.service [Unit] Description=On demand Work Socks tunnel After=network.target SocksProxyHelper.socket Requires=SocksProxyHelper.socket SocksProxy.service After=SocksProxy.service [Service] #Type=simple #Accept=false ExecStart=/lib/systemd/systemd-socket-proxyd 127.0.0.1:9118 TimeoutStopSec=5 [Install] WantedBy=multi-user.target $ systemctl --user daemon-reload This *seems* to work, until ssh dies or gets killed. Then it won't re-spawn at the next connection attempt when it should. ### Questions: 1. Can /usr/bin/ssh really not accept systemd-passed sockets? Or only newer versions? Mine is the [one from up2date Debian 8.9](https://packages.debian.org/jessie/openssh-client) . 2. Can only units of root use the BindTodevice option? 3. Why is my proxy service not respawning correctly on first new connection after the old tunnel dies? 4. Is this the right way to set-up an "on-demand ssh socks proxy"? If, not, how do you do it?

There is a Wiregurad server that is working perfectly, but we need that Wireguard's server connect to the internet using socks proxy through the second server and ONLY Wireguard, Not other programs and whole server. **Additional Informations:** - Server 1 (Wireguard Server) is located in our country but Server 2 is located in another country. - Wireguard protocol has been blocked for outside servers such as Server 2, So I can not config Wireguard on the Server 2 and create a Multihop, I tested before. (and even tested with udp2raw) - We are accessing to the Server 2 using ssh -D $port_number $username@$hostname. - I don't want to lose the remote connection after setup. - I have some other programs running in the Wireguard server and I don't want to effect them as well. - I have limited knowledge and **I'm doing this for freedom of speak for the people**, So please give me some commands to copy and paste or guide me step by step, thanks! I'm trying for days and I tested every tutorial and article on the google for different ways of achieving my goal, even different alternatives of Wireguard and nothing worked (because of government limitations), **Only ssh tunneling works**, finish this nightmare please. Wireguard server config file wg0.conf: [Interface] Address = 10.200.0.1/24 ListenPort = 5553 PrivateKey = PreUp = iptables --table nat --append POSTROUTING --jump MASQUERADE --out-interface eth0 PreDown = iptables --table nat --delete POSTROUTING --jump MASQUERADE --out-interface eth0 MTU = 1500 [Peer] ## Client 1 AllowedIPs = 10.200.0.2/32 PublicKey =

I used to use a program called tsocks to route traffic through a SOCKS proxy server. tsocks appears to be discontinued or otherwise unavailable on oracle linux. Anything else one would suggest I use?

There are two SOCKS proxies that I know about that support transparent proxying for any outgoing TCP connection: [Tor](https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy) and [redsocks](http://darkk.net.ru/redsocks/) . Unlike HTTP proxies, these SOCKS proxies can transparently proxy **any** outgoing TCP connection, including encrypted protocols and protocols without metadata or headers. Both of these proxies require the use of NAT to redirect any outgoing TCP traffic to the proxy's local port. For instance, if I am running Tor with TransPort 9040 on my local machine, I would need to add an iptables rule like this: iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 9040 To my knowledge, this would replace the original destination IP and port with 127.0.0.1 and 9040, so given that this is an encrypted stream (like SSH) or one without headers (like [whois](http://en.wikipedia.org/wiki/Whois#Protocol)) , how does the proxy know the original destination IP and port?

I have a Raspberry Pi which establishes an SSH connection to a remote server (VPS) and opens a port on the Pi so I can use it as a SOCKS5 proxy. This is the command I use to establish the tunnel: ssh -D 1080 -f -C -q -N user@hostname The reason for this is that the network blocks VPN using DPI but not SSH. So I have setup a VPN on the LAN and setup a SOCKS5 proxy (same Pi). The problem is, if the proxy is down, then the VPN outbound traffic (so where it is no longer VPN traffic but just regular HTTP(S)) will not use it and attempt to send those requests through the network firewall anyway. I want to stop this from happening so that if the proxy is down, the VPN will not allow any connection outbound. This shows you how it is supposed to work ______________________________ | | | Client | |______________________________| | | L2TP over IPSEC ________________|_______________ __ | | | | VPN (192.168.1.XXX) | | |________________________________| | ________________|_______________ |-RaspberryPi | | | | SOCKS5 (127.0.0.1:1080) | | |________________________________|__| | | SSH tunnel ________________|________________ | | | VPS (Amazon EC2) | |_________________________________| | / \ / \ the internet These are my iptables: *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j MASQUERADE -A POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j MASQUERADE COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT -A INPUT -p udp -m udp --dport 1701 -j DROP -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i ppp+ -o eth+ -j ACCEPT -A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT -A FORWARD -d 192.168.43.0/24 -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT -A FORWARD -j DROP COMMIT This was the script used to make the VPN https://github.com/hwdsl2/setup-ipsec-vpn So my question is: How can I change these iptables to force the VPN clients to only use a SOCKS5 proxy on the LAN? (otherwise DROP their non-proxy destined packets)

I need some help with SOCKS proxy server based on SSH. I am running SSH SOCKS proxy using this command: ssh -N -D 0.0.0.0:1080 localhost Can I somehow enable it by default? The ssh deamon is on by default anyways, so there must be a way to configure it. Also, I am using 0.0.0.0 to allow all incomming ip addresses. Can I limit it to a subnet? For example 192.168.1.0/24. Or maybe at least an interface name.

I've been trying to run a wallet app in tails os ver 4.28 with no success. I'm getting denied error when using it with proxychains. Being a noob here, would someone assist me in letting me know what I'm doing incorrect here. I've included terminal & proxychain config info for reference here. amnesia@amnesia:~/Persistent$ chmod +x Neuron-v0.101.2-x86_64.AppImage amnesia@amnesia:~/Persistent$ proxychains ./Neuron-v0.101.2-x86_64.AppImage ProxyChains-3.1 (http://proxychains.sf.net) |S-chain|--127.0.0.1:9050--127.0.0.1:8114--127.0.0.1:9050-|DNS-request| localhost -127.0.0.1:8114--127.0.0.1:9050--127.0.0.1:8114-|DNS-request| localhost -127.0.0.1:9050-|DNS-request| localhost -127.0.0.1:8114--127.0.0.1:9050--127.0.0.1:8114-|DNS-request| localhost -127.0.0.1:9050--127.0.0.1:8114--127.0.0.1:9050--127.0.0.1:8114--127.0.0.1:9050-|DNS-request| localhost -127.0.0.1:8114--127.0.0.1:9050--127.0.0.1:8114--127.0.0.1:9050--127.0.0.1:8114-|DNS-request| localhost <--denied ^C|DNS-response|: localhost does not exist Aborted proxychain.config file #dynamic_chain strict_chain #random_chain #chain_len = 2 #quiet_mode proxy_dns # Some timeouts in milliseconds tcp_read_time_out 15000 tcp_connect_time_out 8000 [ProxyList] # add proxy here ... # meanwile # defaults set to "tor" socks4 127.0.0.1 9050 Appreciate any assistance in this matter.

Is there any way to achieve this command:

APPX --listen=127.0.0.1:1111 --socks5=someproxy.com:2222 --connect=server.com:3333

Then, if I connect to 127.0.0.1:1111, it will be as if I connected to server.com:3333, except that it is transparently going through someproxy.com:2222. E.g. telnet 127.0.0.1:1111 will connect to server.com:3333 while transparently going through someproxy.com:2222. Is there any way to achieve APPX?

I have a main node on one dedicated server where all ports are opened. I have to additional dedicated servers where some ports that we are using to communicate between servers are closed by ISP provider. So, I can not establish a connection between them using the internet IP address of the main server. I have created SSH port forwarding from one of the dedicated servers with closed ports using a command like that: ssh -fNT -L 84xx:localhost:84xx user@main_server_IP It works when I have only one port forwarding but how to make that for 2 and more servers with closed ports? Also, I think localhost is not correct usage when I have more than one servers for forwarding connection. How I can create an Intranet address apart from a static IP address that each server have? Or I can use a static IP address instead of localhost? I need to forward only communication that node establishing via 84xx port all other connections should go in the regular way without a tunnel.

I'm using Pop!_OS 20.04. Firefox has built-in proxy settings. So, there's no problem. I can use proxy on wget, curl, apt using proxychains. But, it's not system wide. I tried gnome-control-center (Network > Network Proxy > Manual and added proxy server and port but, didn't work at all). I also tried nmcli - nmcli con edit CONNECTION_NAME - set proxy.method auto - set proxy.pac-script proxy.pac Here's my proxy.pac function FindProxyForURL(url, host) { SOCKS4 *proxy*:*host* } But, that's also not working.

i have telnet connection to device behind firewall (there is no SSH) and i want to use this connection as a proxy to give local network access to Firefox for example if is possible using Putty thanks

I connect to a remote ssh server by running this command: ssh -D 12345 bob@myserver.com This creates a socks proxy that I can use with Firefox to bypass censorship in my country. However, I can't take advantage of it to in the command line. Let's say my country blocks access to youtube. How can I use the ssh connection to run a command such as: youtube-dl "youtube.com/watch?v=3XjwiV-6_CA" Without being blocked by the government? How I can set a socks proxy for all terminal commands?