| Field | Value |
|---|---|
| title | Setup and Usage of a Simple SSH Proxy |
| description | Learn how to set up a simple SSH proxy and use it as jump host or SOCKS proxy. |
| updated_at | 2021-10-21 |
| slug | ssh-proxy-setup-and-usage |
| language | en |

This tutorial describes how to set up and use a simple SSH proxy that allows you to utilize an SSH connection to your own servers in environments with a blocked port 22.
This is useful, for example, when traveling or if internet access is limited in hotels or vacation homes.
The reading time of this tutorial is about five minutes; implementation will take approximately 45 minutes.
The most important requirement for implementation is a basic understanding of the Unix command line and the use of SSH services and proxy servers. All examples were tested on a current Debian/Ubuntu (October 2021) and can be easily adapted to other distributions.
Use of the proxy is described from a Unix user's point of view and it works similarly under macOS. For its use under Windows, further adjustments are necessary, which are not part of this tutorial.
The tutorial uses the example hostname `v11111111.quicksrv.de`. This hostname needs to be replaced by the name of your own server when you perform the workflow described in this tutorial.
Since the presented technology is optimized for short deployment times ranging from days to a few weeks, the server should meet the following requirements:
- It should be economical,
- have sufficient CPU power, and
- it should have a German IP address.
The hard disk capacity, on the other hand, is not relevant.
The simplest VPS from netcup meets these requirements thanks to hourly billing.
At the time of the creation of this tutorial (October 2021), the recommended product to be used as SSH proxy is VPS 200 G8. Existing customers can add the product easily and quickly.
After provisioning of the server and the first login with the username `root` and the password sent by email, the first step is to update the basic configuration of the server.
- Change the root password by means of `passwd`.
- Import the current security updates with `apt-get update && apt-get upgrade -y`.
- It is recommended to set up an SSH key at this point and to disallow password login for the root user. These procedures are not part of this tutorial and as the latter functionality requires root capability, the setup of an unprivileged user is omitted at this point.
Info: Note that the SSH daemon usually listens on port 22.
To make it accessible even from restricted networks, it is configured to listen also on ports 443 (HTTPS) and 80 (HTTP). These ports are usually less restricted or not restricted at all, so there is a good chance that they can be used to gain free access to the proxy and thus to the internet.
- Open the file `/etc/ssh/sshd_config` in an editor like `vi` or `nano`.
- Search for the line `port 22`. It probably starts with a `#`, which marks it as the commented-out default.
- Change the file to:

  ```
  port 22
  port 80
  port 443
  ```
- Save and exit the editor.
- Restart the SSH daemon with `systemctl restart ssh`. The current session should remain active.
- Use `ssh -p 443 root@v11111111.quicksrv.de` to test if the configuration was set up successfully. Please replace `v11111111.quicksrv.de` with your own hostname.

The SSH daemon is now successfully configured and can be reached via ports 22, 80 and 443.
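The port change above can also be scripted so that a broken configuration never reaches the running daemon. This is an added example, not part of the original tutorial: it rewrites the `Port` lines, keeps them ahead of any `Match` block, and restarts only after `sshd -t` accepts the file. The function names and the sample config are constructed for illustration, and `apply_ports` assumes the Debian/Ubuntu service name `ssh` used in this tutorial.

```shell
# Added example (not from the tutorial): set the Port directives of an
# sshd_config-style file. Usage: set_sshd_ports FILE PORT...
set_sshd_ports() {
    cfg=$1; shift
    tmp=$(mktemp) || return 1
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " ") }
        # Print the new Port lines exactly once.
        function emit(   i) {
            if (done) return
            for (i = 1; i <= n; i++) print "Port " p[i]
            done = 1
        }
        # Replace existing Port lines, active or commented out, with the new set.
        tolower($0) ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ { emit(); next }
        # Port is a global keyword: it must come before the first Match block.
        tolower($0) ~ /^[ \t]*match[ \t]/ { emit() }
        { print }
        END { emit() }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the active (uncommented) ports of FILE on one line, e.g. "22 80 443".
active_ports() {
    awk 'tolower($1) == "port" { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1"
}

# Apply to the live daemon (run as root): keep a backup, validate the result
# with sshd -t, and restart only if it parses; otherwise restore the backup.
apply_ports() {
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak" || return 1
    set_sshd_ports "$cfg" "$@" || return 1
    if sshd -t -f "$cfg"; then
        systemctl restart ssh
    else
        cp -p "$cfg.bak" "$cfg"; return 1
    fi
}

# Constructed sample config, so the rewrite can be tried without touching /etc.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin prohibit-password' \
    'Match User backup' '    X11Forwarding no' > "$sample"
set_sshd_ports "$sample" 22 80 443 && echo "active ports: $(active_ports "$sample")"
rm -f "$sample"
```

On the server, `apply_ports 22 80 443` performs the same change as the manual steps; if another service already occupies port 80 or 443, the restarted daemon cannot bind to it, so check the listening sockets afterwards.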
To make Chrome or another browser route all of its traffic through the SSH proxy, use the SSH connection as a SOCKS proxy. This way, you can show streaming services, for example, that you are actually located in Germany if the geolocation of your own IP doesn't work properly.
Technically, in this case, your own computer is the SOCKS proxy that uses the SSH proxy for forwarding. Therefore, `localhost` is specified as the (SOCKS) proxy server (see figure below).
Start an SSH session on your own computer with the following command:
`ssh -p 443 -D8080 -N root@v11111111.quicksrv.de`
Replace the example `v11111111.quicksrv.de` with the correct server name. The option `-D8080` opens the SOCKS listener on local port 8080, and `-N` keeps the connection open without running a remote command.
Then start Chrome in a second window with the following command:
`google-chrome --proxy-server="socks5://localhost:8080" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"`
With these options Chrome does not resolve hostnames locally; name resolution is handled through the SOCKS proxy, which protects your privacy.
To access other servers whose SSH daemon is bound only to port 22 (or another port), use the command:
`ssh -J root@v11111111.quicksrv.de:443 <user>@myserver.com`
Replace our example `v11111111.quicksrv.de` with the correct proxy server name. Instead of `myserver.com` you must specify the server to which you want to connect through the proxy, and instead of `<user>` your user name on that server.
The SSH proxy can now be used. It is recommended to perform tests before productive use.
Copyright (c) 2021 netcup
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicence, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
By making a contribution to this project, I certify that:
- The contribution was created in whole or in part by me and I have the right to submit it under the licence indicated in the file; or
- The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate licence and I have the right under that licence to submit that work with modifications, whether created in whole or in part by me, under the same licence (unless I am permitted to submit under a different licence), as indicated in the file; or
- The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
- I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the licence(s) involved.