SSH SOCKS5 Proxy in 2026: macOS, Linux, Windows & sshuttle: Complete Guide

Published: (March 11, 2026 at 05:08 PM EDT)
Source: Dev.to

Creating an SSH SOCKS5 Tunnel

The -D flag creates a dynamic port forward: SSH listens on a local port and acts as a SOCKS5 proxy. Traffic exits from the SSH server’s network.

Your app → localhost:1080 (SOCKS5) → SSH (encrypted) → remote server → internet

Start the tunnel in the background

ssh -D 1080 -f -C -q -N user@your-server.com

Verify it is running

pgrep -a ssh

Confirm traffic routes via the server

curl --socks5 127.0.0.1:1080 https://ipinfo.io/ip

Flag meanings

Flag      Description
-D 1080   SOCKS5 proxy on local port 1080
-f        Fork to background after authentication
-C        Enable gzip compression
-q        Quiet mode
-N        Do not execute a remote command (tunnel only)

macOS System‑wide SOCKS Proxy Script

Save the script below as ~/bin/tunnel, make it executable (chmod +x ~/bin/tunnel), and run it with sudo.

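#!/usr/bin/env bash
# Toggle the SSH SOCKS5 tunnel and the macOS system-wide SOCKS proxy setting.
NET_SERVICE="Wi-Fi"   # run: networksetup -listallnetworkservices
PORT=1080
SERVER="user@your-server.com"

# The script changes system network settings, so it expects to run as root.
if [[ "$EUID" -ne 0 ]]; then
  echo "Run as root: sudo $0"
  exit 1
fi

# Look for a tunnel that is already running on this port.
PID=$(pgrep -f "ssh -D ${PORT}")

if [[ -n "$PID" ]]; then
  echo "Disconnecting (PID $PID)..."
  kill -9 "$PID"
  networksetup -setsocksfirewallproxystate "${NET_SERVICE}" off
  echo "Tunnel closed."
else
  echo "Connecting to ${SERVER}..."
  # Under sudo, ssh runs as root and reads root's ~/.ssh (keys, known_hosts, config).
  # Only enable the system proxy if the tunnel actually came up.
  if ! ssh -D "${PORT}" -f -C -q -N "${SERVER}"; then
    echo "SSH tunnel failed to start; proxy settings left unchanged." >&2
    exit 1
  fi
  networksetup -setsocksfirewallproxy "${NET_SERVICE}" 127.0.0.1 "${PORT}"
  networksetup -setsocksfirewallproxystate "${NET_SERVICE}" on
  echo "Connected. System SOCKS proxy active on :${PORT}."
fi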

networksetup configures the macOS system‑wide SOCKS proxy, so any app that respects the system proxy will route through the tunnel.

Linux: Using ProxyChains

Install

# Debian/Ubuntu
sudo apt install proxychains4

# Fedora
sudo dnf install proxychains-ng

Configure /etc/proxychains4.conf

# Comment out the default Tor line:
# socks4 127.0.0.1 9050

# Add your SSH SOCKS5 proxy:
socks5 127.0.0.1 1080

Start the SSH tunnel (same command as above)

ssh -D 1080 -f -C -q -N user@your-server.com

Route any CLI tool through the proxy

proxychains4 curl https://ipinfo.io/ip
proxychains4 git clone https://github.com/someorg/private-repo

Transparent TCP Proxy with sshuttle (Linux/macOS)

Install

# macOS (Homebrew)
brew install sshuttle

# Ubuntu
sudo apt install sshuttle

Route all traffic (excluding the SSH server to avoid a loop)

sshuttle -r user@your-server.com 0.0.0.0/0 --exclude your-server.com

Route only a private subnet behind the server

sshuttle -r user@your-server.com 10.0.0.0/8

Press Ctrl+C to stop. No browser configuration is needed; every TCP connection is intercepted transparently.

Windows Clients

Bitvise SSH Client

1. Install Bitvise.
2. Open Services → SOCKS/HTTP Proxy Forwarding.
3. Enable SOCKS5 on 127.0.0.1:1080.
4. Connect to your server.

Proxifier

1. Install Proxifier.
2. Add a new proxy: address 127.0.0.1, port 1080, type SOCKS5.
3. Create rules targeting the applications you want to route (e.g., chrome.exe).

Keep the Tunnel Alive (SSH Config)

Add a host entry to ~/.ssh/config to maintain the connection through idle periods.

Host tunnel-server
  HostName your-server.com
  User youruser
  IdentityFile ~/.ssh/id_ed25519
  ServerAliveInterval 60
  ServerAliveCountMax 3
  Compression yes

Start the tunnel with the alias:

ssh -D 1080 -f -C -q -N tunnel-server

Feature Comparison

Feature                SSH -D               sshuttle         WireGuard
Setup complexity       Low                  Low              Medium
Routes all traffic     No (per‑app SOCKS)   Yes (all TCP)    Yes (all protocols)
UDP support            No                   No               Yes
Server prerequisites   SSH only             SSH only         wireguard-tools
Speed                  Good                 Good             Excellent
Best for               Single‑app routing   Full TCP proxy   Permanent VPN

Hardening the SSH Server

  • Key‑based authentication only

    ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
  • Restrict access to a specific user – add to /etc/ssh/sshd_config

    AllowUsers youruser
  • Use a non‑standard port to reduce automated brute‑force attempts

    Port 2222
  • Rotate SSH keys annually and remove old keys from ~/.ssh/authorized_keys.
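
To check that the server really enforces the list above, the following added example (not part of the original post) audits the effective configuration printed by sshd -T. Treating "key-based authentication only" as PasswordAuthentication no plus KbdInteractiveAuthentication no is an assumption, since the post shows only the key generation step; the function name and both sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the effective sshd configuration against the hardening
# list. Input on stdin is `sshd -T` output: one lowercase "keyword value" per line.

audit_sshd() {            # usage: sudo sshd -T | audit_sshd <tunnel-user>
  awk -v user="$1" '
    function fail(msg) { print "FAIL " msg; fails++ }
    { key = tolower($1); if (!(key in val)) val[key] = $2 }
    key == "allowusers" {   # one user per line, or several on one line
      for (i = 2; i <= NF; i++) { allow[$i] = 1; nallow++ }
    }
    END {
      # Assumption: "key-based only" means public keys on, everything else off.
      if (val["pubkeyauthentication"] != "yes")
        fail("pubkeyauthentication: key logins are disabled")
      if (val["passwordauthentication"] != "no")
        fail("passwordauthentication: password logins are accepted")
      if (val["kbdinteractiveauthentication"] == "yes")
        fail("kbdinteractiveauthentication: keyboard-interactive logins are accepted")
      if (nallow == 0)
        fail("allowusers: not set, every account may log in")
      else if (!(user in allow))
        fail("allowusers: " user " is not listed")
      else if (nallow > 1)
        fail("allowusers: accounts other than " user " are listed")
      if (val["port"] == "22")
        fail("port: still on the default port 22")
      exit (fails > 0)      # non-zero exit status when any check failed
    }'
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_WEAK='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes'

SAMPLE_HARDENED='port 2222
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
allowusers youruser'

# Demo run on the weak sample; the hardened sample prints nothing and exits 0.
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd youruser || true
```

Because sshd -T resolves defaults and Include files, the audit reflects what the daemon will enforce, not just what one file says.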


With these steps you can quickly spin up an SSH SOCKS5 proxy on macOS, Linux, or Windows, use it per‑application or system‑wide, and optionally replace it with a full‑traffic solution like sshuttle or WireGuard.
