Recently I had an interesting encounter with SSH tunneling. I was searching for some option to access one VPS with Scaleway, with no public access from outside. I’ve another VPS in Scaleway with public access. Actually VPS with no public IP comes at €1.99/per month. I was thinking to host one MySQL server in that VPS. But the main problem arose, was how to access that server. After some search, I came to know, SSH tunneling is ideal for this scenario and it’s very easy to do also. In my office I use Windows workstation. There I’ve installed Git and for that I get Git Bash. And during installation I had checked the option to make all the unix tools available in path. So, I can use
sed all the useful commands. SSH is tunnel is also possible with Putty.
There are three types of tunnels can be made with
Of this three, the last one
dynamic is of real interest for us, in regard to the socks proxy. But before that, let’s get into that topic slowly. First let’s review the other two and see their possibility and scope.
Local tunnels make remote resources available locally. Suppose a MySQL server is running on the remote machine A behind a firewall and we have ssh access to another machine B in the same network as A. Then to access the MySQL server in A, we can invoke,
# -N: do not execute remote commands
This kind of tunnels are rarely used. It’s just opposite to the previous one. Instead of using
-L we have to use
# the host part is mandatory, so we have to use either of
This is of the most interest regarding the discussion about SOCKS proxy. For dynamic tunnels, we don’t have to give any specific remote port, though we have use one specific local port, that we want to pass all our traffic through.
# choice of local port is very important, but the ports
Dynamic tunnels creates light weight SOCKS proxy, that we can use to annonymize our browsing. SOCKS proxy is app level proxy. So it works at Application Chrome and IE uses system proxy. But in Firefox, we can set proxy. Paste
about:preferences#advanced in the address-bar of Firefox and enter. Click on the
Settings button related to
Manual Proxy Configuration, put
127.0.0.1 in the host and specified port for
Socks Host. Leave all the others blank.
Don’t forget to check the option
Proxy DNS when using SOCKS v5. This option is available in newer version of Firefox. If this is checked, Firefox will try to use the DNS of the remote host, through which the proxy has been configured.
Also, we need to prevent the
WebRTC leak. Type
about:config in the address-bar and enter. Click on the button containing the text
I accept the risk or similar like it. Search for
media.peerconnection.enabled and double click it to make this flag false.
Navigate to the site ipleak.net and see if the intended IP is shown. Also don’t forget to check the DNS list. Sometimes DNS list exposes our actual location. If the DNS of your ISP is shown, try to change the nameserver inside the router or network adapter of PC. Google DNS or Free DNS responses are quite fast.
Dynamic tunnels make use of SSH protocol to exchange network packets. A more sophisticated and secure option may be Shadowsocks. This uses altogether a new protocol. And it uses a different approach to encrypt and decrypt network packets. On top of Socks5, it uses a pre-specified password in server and client both to encrypt and decrypt. So, if the password is secure enough, it’s next to impossible to decrypt the packets.
Shadowsocks is very easy to configure. Unless we are deploying it as a service, it does not require much resource also. For personal use, low end servers from Linode, Vultr, Digital Ocean, Amazon Lightsail, Scaleway, Rackulous, Contabo can be used. All the them have reasonably good performance and reputation as VPS providers. Here three things should be considered during the selection of provider,
I’m using Linode with 1GB RAM, 1 shared CPU core, 1 TB bandwidth for the minimum plan of $5 per month. Performance of the VPS is pretty decent and as I’m using
shadowsocks-libev, it’s almost nothing on the server.
shadowsocks-libev is a Shadowsocks implementation in C. So, it’s fast and requires less resource. Other options can be viewed from here.
Here I’m giving a no-frill instructions to setup a Shadowsocks server on Ubuntu 16.04.
# install required softwares
Server configuration should be put in the file
There are a lot of options for clients of Shadowsocks. Install on Android or iPhone or on desktop and start to use proxy anywhere. I personally use on my Android set. It does not drain battery like the openVPN clients.
Though proxy is used for anonymity. It helps us to keep ourselves private. But let’s not use this to harm someone. Great power comes with great responsibility. Use them carefully.