Routing Web Traffic without a VPN using SOCKS Tunnel-

Routing Web Traffic without a VPN using SOCKS Tunnel

When it comes to securing your footprint on the web, you may have heard about VPNs, right? VPN acts as a middleman between your computer and the internet. All the traffic passes through the VPN server, effectively masking your IP address and location.

However, VPN isn’t the only form of a proxy server. SOCKS (Socket Secure) is a similar network protocol that allows communicating with servers through a firewall by routing the network traffic on behalf of a client. Compared to VPN, SOCKS offers more flexibility and control over the network configuration. It’s useful when you can’t install the VPN client or don’t trust a VPN provider.

This guide will demonstrate how to establish an SSH SOCKS 5 proxy tunnel and route your web traffic through the tunnel.

Prerequisites

For demonstration, we used a local machine running Ubuntu desktop and a remote machine running Ubuntu server. You need to have SSH configured prior to making it work smoothly. As we’re using SOCKS proxy, to test the connection, we need an app that can use it. Firefox is a perfect example. It’s a modern-day web browser that supports the SOCKS 5 proxy tunnel.

If you’re on Windows, then you either use WSL (Windows Subsystem for Linux) to set up a local Linux environment or use PuTTY, an open-source app that can implement various network protocols like Telnet, rlogin, etc.

Configuring the SOCKS Tunnel

  • Setting up the SOCKS tunnel (macOS/Linux)

On the local computer, we need to configure an SSH key to ensure a secure connection. The SSH key must also be registered to the remote system. This guide on configuring SSH key-based authentication demonstrates the process in detail.

The following SSH command will establish a SOCKS tunnel to the remote server:

Let’s break down the command:

  • -i: It tells SSH which SSH key to use for the connection.

  • -D: It tells SSH that we want to establish a SOCKS tunnel. As for the port, we are using port 1024. It’s not a fixed value. You can choose any port between 1024 and 65536.

  • -f: The SSH process will be forked in the background.

  • -C: SSH will compress the data before sending it to the remote server. It can save both data consumption and increase effective bandwidth.

  • -q: Run the tool in quiet mode.

  • -N: It tells SSH that after establishing the tunnel, no command will be sent.

Once run, we can verify if the process started properly. The following command will print info about all the running SSH processes:

Routing grep ssh

Now, you can safely close the terminal window. The SSH process will function as intended from the background.

  • Setting up SOCKS tunnel (Windows)

For Windows users, using PuTTY is an easier solution. First, you need to download PuTTY:

Routing download putty

Once installed, launch PuTTY:

Routing putty screen1

From the Session tab on the left panel, enter the Host Name (or IP address) of your server. As for the Connection type, select SSH. Next, go to Connection >> SSH >> Tunnels. Here, under the Destination field, select the options shown in the screenshot:

Routing putty screen2

Next, click Open. A terminal window will pop up to connect to the remote server via SSH. Log in to the remote server:

Routing putty screen 3

Implementing the SOCKS Tunnel

The tunnel is now set. Any app supporting SOCKS can use the tunnel. For demonstration, Firefox is a great example.

First, open Firefox. From the top-right corner, click the menu icon. Go to Settings:

ubuntu screen1

Next, search for proxy. Click Settings on Configure how Firefox connects to the internet:

firefox preferences

After that, select Manual proxy configuration. As for the SOCKS Host, use localhost or 127.0.0.1. Then, for the port, enter the port we dedicated for the SOCKS tunnel. Don’t forget to select SOCKS_v5:

firefox proxy conf

Lastly, check the option Proxy DNS when using SOCKS_v5. Click OK to continue.

Next, open a new tab and try accessing any webpage. For example, you can check your IP address from CheckMyIP.

Reverting the Proxy

When you no longer need the proxy connection to the SSH tunnel, you can safely disable it from the Firefox proxy settings:

Routing firefox reverting proxy conf

From the window, select Use system proxy settings and click OK.

Closing the SOCKS Tunnel

  • Closing the tunnel on macOS/Linux

To close the tunnel, we need to manually kill the SSH process. We need the PID (process ID) of the SSH process. The following command will reveal the PIDs of all the running SSH processes:

Note the SSH process that’s running with the command to create the tunnel. Kill the process:

If no option is defined, the kill command will send a generic SIGTERM signal to the target process. You can learn more about Linux process management from this tutorial.

  • Closing the tunnel on Windows

Closing the PuTTY window should close the tunnel connection.

Troubleshooting

Here are some common issues that you may face when trying to use SOCKS to route traffic.

  • Firewall

If you can’t establish a connection because of a firewall restriction, then it’s likely that the firewall is configured to block connection to port 22. This is the default port that SSH uses to connect to remote systems. Some ports remain open by default, for example, port 80 (general web traffic) and port 443 (TLS, secure web traffic).

If the SSH server isn’t serving web content, then we can use one of the default ports ( 80 or 443 ) instead of port 22. It’s recommended to use port 443 as it expects encrypted traffic by default. It will also encrypt the outgoing traffic. To make the change, we need to modify the SSH configuration file. Open the file in a text editor:

SSH can use multiple ports for its purpose. Scroll down the configuration file and find the port section:

Routing sshd config

Once the changes are made, save the file and close the editor. Restart the SSH service to apply the change:

To verify if the new port is working, try connecting to the remote server using the new port:

If the connection was successful, we can safely use port 443 for SSH tunneling. Here’s the revised command to establish the SOCKS tunnel:

Here, the flag -p tells SSH to use port 443.

Final Thoughts

In this day and age, privacy and security are some of the biggest concerns. There are many ways to browse securely when you’re on a hostile network. In most cases, using a VPN will offer sufficient security to your network traffic. On the other hand, a SOCKS tunnel will offer you the necessary security if you can’t or don’t trust a VPN. Having a SOCKS tunnel also gives you full control over the setup.

Happy Computing!