Expat tips: Tunneling Traffic with ‘ssh -D’ 10

I’ve been living outside the US for over a quarter of my life now. With this comes some minor annoyances. One annoyance is that certain Internet sites work ‘better’ when connecting from the US. Luckily we can easily make it look like we are connecting from a US location with the help of the following.

  • A US-hosted server with ssh access
  • A browser
  • ssh

I’ll assume you have the last two. The easiest way to get the first is in the form of a web host. I use Dreamhost which offers unlimited bandwidth for a pretty good price.

The first step to getting things to work is to login to the US-based server using the following command.

ssh -D PORT_NUMBER username@example.com

For the port number, it’s best to choose a number between 1024 and 49151 while avoiding any commonly used ports. Basically, avoid those listed here. In this example, I chose port 8421.

What this does is setup a SOCKS proxy on your local machine at the port given that can be used to tunnel traffic through to a remote machine, in our case a US-based server. Obviously, this connection needs to be maintained the entire time you want to send traffic through to the remote machine.

Now we just need to tell our browser to send all traffic through this port. In Firefox, go to Edit->Preferences->Advanced->Network->Settings. You should be presented with a window similar to this…

You’ll notice the (localhost works too) and 8421 in the SOCKS host fields. That’s all that’s required. If you later want to revert just chose ‘No Proxy’ again.

Now you can close the preference dialog and should be able to enjoy surfing the Interwebs as an American. Fuck yeah!

10 thoughts on “Expat tips: Tunneling Traffic with ‘ssh -D’

  1. Reply Stephane Feb 14, 2012 04:09

    I often use that method when traveling.

    I added an alias in my .ssh/config to simplify the creation of the tunnel: ssh tunnel

    Host tunnel
    Hostname example.com
    User bob
    DynamicForward localhost:8421

    I also use PAC files to configure the proxy behavior..

    For exemple, the following pac file works well at work where I also need to access some hosts on the internal network.

    function FindProxyForURL(url, host)
    if ( isPlainHostName(host)
    || dnsDomainIs(host, “atwork.com”)
    || isInNet(host, “″ , “″)
    || isInNet(host, “″ , “″)
    || isInNet(host, “″ , “″)
    //alert(“NO PROXY FOR “+host);
    return “DIRECT” ;
    //alert(“SOCKS5 FOR “+host);
    return “SOCKS5 localhost:8421 ; DIRECT” ;

    Create the PAC file and fill the field ‘Automatic proxy configuration URL:’ with its URL (e.g. file:///home/bob/tunnel.pac)

    PAC files are explained in several places (google for ‘proxy pac file’)

    ps: the commented ‘alert’ calls in the proxy file can be used to debug (see the error console in firefox)

  2. Reply Chris Feb 14, 2012 05:03

    That indeed looks like a better approach. I’ll have to try that once I get some time. Thanks.

  3. Reply Henrique Rodrigues Feb 14, 2012 05:41

    You might also want to take a look at sshuttle. It can transparently route all your traffic via ssh, including DNS, if you want to. I’ve been using it for a while and it is both simple, effective and available from official GNU/Linux distribution repositories:


  4. Reply Anonymous Feb 14, 2012 06:05

    For hosting, gandi.net provides unmetered bandwidth, a rarity in the US. They also support various FOSS projects.

  5. Reply Dan Nicholson Feb 14, 2012 11:02

    I use this trick from work all the time when certain sites are blocked. In your case it seems like you pretty much want to proxy all the time. If not, might I suggest the following Firefox addon?


    Now I can switch between proxy and no proxy with a single button click.

  6. Reply Simon Feb 14, 2012 12:43

    Don’t forget to set network.proxy.socks_remote_dns to true (in mozilla), so that DNS requests are tunneled too.

  7. Reply Jordi Feb 15, 2012 01:09

    I use the foxyproxy Firefox addon, with the «Patterns» config, combined with the necessary .ssh/config magic, so this is all automated. I never ever need to change my proxy settings, the browser knows what site needs what socks port, etc.

  8. Reply ReinoutS Feb 17, 2012 15:41

    Dude. Why not enter this in the Gnome network settings so that all apps can benefit? Firefox will pick the settings up if you pick the system proxy settings bullet.

  9. Reply Chris Feb 20, 2012 03:57

    @ReinoutS: Because I don’t care to have all my traffic (torrents, for example) going through the US server. Also, I was writing this in part for friends who don’t necessarily run Linux.

  10. Reply gnudoc Mar 19, 2012 10:36

    Thanks for this, Chris.

    I’ve used this method to route firefox traffic via ssh when at a cafe. Have you tried it in chrome? I can’t get it to work in chrome though – although the proxy dialog is almost exactly the same and it seems to have worked, websites like whatismyip.com and speedtest.net still report the traffiic as coming from me in chrome but from the states in firefox. Any idea why?

Leave a Reply