SSH Reverse socks tunnel

27

14

ssh -D can make a SOCKS port on the local machine, which passes the traffic to the remote machine, then on to other places.

ssh -L port:host:hostport listens on port on the local machine and passes the traffic to "host:hostport" from the point of view of the remote machine.

ssh -R port:host:hostport is the counterpart of ssh -L: it listens on port on the remote machine and passes the traffic to "host:hostport" from the point of view of the local machine.

But what is the counterpart of ssh -D, i.e., how do I open a SOCKS port on the remote machine which will pass the traffic to the local machine, then on to other places?

Berry

Posted 2011-12-23T09:56:18.713

Reputation: 281

1

The question loses value because you accepted an answer that doesn't and cannot work. This (which the answerer mentioned in a comment) does it though: http://stackoverflow.com/questions/842021/ssh-d-port-usernameserver-com-but-in-reverse

– barlop – 2015-06-06T22:05:05.253

Answers

12

With -D & -L you have a way to communicate either way between the two machines.

So...

  • From the local machine, use -R to create a listening port on the remote machine pointed at the local machine's sshd.
  • Use -D on the remote machine, pointed at the port you created above.

I "think" filling in the below will make it work...

ssh remotehost -R remoteport:localhost:localport "ssh -D 9050 localhost -p remoteport"

'remotehost', 'remoteport' & 'localport' in the above need changing. A socks proxy will be formed on 9050.

Pricey

Posted 2011-12-23T09:56:18.713

Reputation: 4 262

If we put numbers in that then ssh remotehost -R 11234:localhost:33333 "ssh -D 9050 localhost:11234" I don't really understand that. For example, ssh -D doesn't use that syntax. You don't do ssh -D 9050 localhost:11234, do you? ssh -D just takes a port or bindaddress:port, not -D port bindaddress port; it just doesn't. And the answer you link to seems quite different. If you see my comment on the answer you link to, his answer involves doing ssh -R and ssh -D (which he does in separate commands), but he does them from the same comp. Your ssh -D runs on the remote comp. That's different. – barlop – 2014-08-28T22:12:29.453

Could you put some numbers in, and/or re-explain that ssh -D syntax to clarify? – barlop – 2014-08-28T22:13:15.707

@barlop Whoops, forgot that ssh doesn't do host:port. I've corrected it above to host -p port which should work. – Pricey – 2014-09-08T14:01:40.563

Do you mean like $ ssh user@10.0.0.5 -t -R 1234:127.0.0.1:9050 "ssh -D 9050 127.0.0.1 -p 22"? So, would that create a SOCKS proxy on the remote computer (10.0.0.5) on port 9050 as well as a port on the remote computer (1234) to access that SOCKS proxy? Funnily enough, when I've tried it, it seems it doesn't work (for me in my test at least). The user at 10.0.0.5 can access his SOCKS proxy but can't access it through his other proxy port (1234). As seen here http://pastebin.com/raw.php?i=ZAzviVxt tested from 10.0.0.5 with e.g. $ curl --socks5 127.0.0.1:1234 http://www.google.com

– barlop – 2014-09-08T16:46:48.503

1 @barlop and that won't work because, say you run the ssh executable from 10.0.0.10, the -R says to forward to 10.0.0.10:9050, but the SOCKS server is running on 10.0.0.5 – barlop – 2015-05-25T16:38:56.260

1 @PriceChild did you actually test your command? – barlop – 2015-05-25T16:39:16.437

5 -1 You didn't bother to test it and your command is completely wrong. You tried to make it like the other SO answer but you failed to. SSHing from A to B, the one you link to has ssh -D listen on A. Your one has it listen on B. Your one is wrong. You have the SOCKS proxy listening on the side that is listening. – barlop – 2015-06-06T18:57:39.367

This is plain wrong. – Federico – 2018-04-06T11:31:30.780

Oh, looks like this was asked on SO: http://stackoverflow.com/questions/842021/ssh-d-port-usernameserver-com-but-in-reverse Only answer is the same idea. I'm sure one will work ;-) EDIT - yep, that one was more right than mine. I've patched mine up.

– Pricey – 2011-12-23T10:14:39.790

Actually, I did use this indirect method in my own situation. But in my friend's situation, he did not have root privileges, so he can't run an sshd service; he has only the OpenSSH client. So I wanted to figure out whether there is a direct method, but OpenSSH seems not to have one... Thank you all the same – Berry – 2011-12-23T15:48:35.440

14

Can be achieved transparently with this snippet in ~/.ssh/config:

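# "sockstunnel" is the local sshd, reached through an ssh client that
# also opens a SOCKS listener on local port 3128 (-D).
Host sockstunnel
    ProxyCommand ssh -D 3128 localhost nc -q 1 localhost 22

# Log in to target through sockstunnel; port 3128 on target is forwarded
# back to the local SOCKS listener.
Host target
    RemoteForward 3128 localhost:3128
    ProxyCommand ssh -W target:22 sockstunnel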

Details

We want a reverse DynamicForward. This is achieved using two ssh commands:

  • ssh -D 3128 localhost
  • ssh -R 3128:localhost:3128 target

This way target has a SOCKS tunnel to the SSH client.

What I did is to use the classical way of chaining ssh to reach a remote target through intermediate hosts so that the SOCKS tunnel creation is handled transparently while logging into the target. The first ProxyCommand + nc trick is mandatory because -W implies ClearAllForwardings.

user305311

Posted 2011-12-23T09:56:18.713

Reputation: 141

1 This is worth a gold medal. – Dakatine – 2016-07-21T14:57:47.980

Could you provide a more detailed explanation of what your commands do? – alonso s – 2018-03-12T19:54:43.347

5

local$ ssh -R 1080 remote
remote$ curl --socks5 localhost https://example.com

since OpenSSH 7.6

ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported.

https://www.openssh.com/txt/release-7.6

zmx

Posted 2011-12-23T09:56:18.713

Reputation: 159

Can you provide a reference for this? – Scott – 2019-05-09T08:59:21.440

By the way, there's a bug in openssh-client 8.0 in which you cannot choose a bind address with the port (ssh -R 127.0.0.3:1080 remote), you can currently bind a reverse SOCKS proxy only to a port. – Adam Katz – 2019-10-03T00:15:45.493
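
The two working approaches from the answers above, combined in an added example that is not part of any answer: a POSIX shell helper that reads an `ssh -V` banner and prints either the native `-R port` form (OpenSSH 7.6 or later) or the older two-command `-D` plus `-R` form. The function names, the sample banners and the `-N`/`-f` flags are additions made for this example.

```sh
#!/bin/sh
# Added example. Chooses a reverse-SOCKS method from the client's `ssh -V` banner.

# Print "major minor" parsed from a banner such as "OpenSSH_7.6p1, OpenSSL ...".
# Prints nothing when the banner cannot be parsed.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^.*OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p'
}

# Succeed when the client supports reverse dynamic forwarding (OpenSSH >= 7.6).
supports_reverse_dynamic() {
    set -- $(openssh_version "$1")      # positional parameters are function-local
    [ $# -eq 2 ] || return 1            # unparsable banner: assume unsupported
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 6 ]; }
}

# Print the command(s) to run on the LOCAL machine so that <target> gets a
# SOCKS listener on <port> whose traffic leaves through the local machine.
# By default sshd binds that listener to the target's loopback interface, so
# every local user on the target can use it for as long as the session lives.
reverse_socks_plan() {
    banner=$1 port=$2 target=$3
    if supports_reverse_dynamic "$banner"; then
        # Native form: the ssh client itself acts as the SOCKS4/5 proxy.
        # -N requests no remote command, only the forwarding.
        printf 'ssh -N -R %s %s\n' "$port" "$target"
    else
        # Older clients: a local SOCKS listener (requires a local sshd),
        # then an ordinary remote forward that points at it.
        printf 'ssh -f -N -D %s localhost\n' "$port"
        printf 'ssh -N -R %s:localhost:%s %s\n' "$port" "$port" "$target"
    fi
}

# When run with a target host, print the plan for the installed client.
if [ $# -gt 0 ]; then
    reverse_socks_plan "$(ssh -V 2>&1)" "${2:-1080}" "$1"
fi
```

Run it as `sh plan.sh remote 1080` (the file name is arbitrary) to print the commands for the installed client; it only prints them and does not open any tunnel.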

3

There is no facility for providing a reverse socks tunnel with OpenSSH, so you must run the ssh command providing the socks proxy on the "remote" machine.

If the remote machine cannot ssh into the local machine, first create an ssh connection from local to remote which forwards port 22 to e.g. 2222. Then the remote machine can ssh into the local machine on port 2222.

Thorbjørn Ravn Andersen

Posted 2011-12-23T09:56:18.713

Reputation: 291