NeuroAgent

How SSH Proxying Works: Technical Mechanism

Understanding the technical mechanism of SSH proxying through dynamic port forwarding. Learn how SOCKS proxy works through SSH tunnel for secure resource access.

How does SSH proxying technically work? I’m trying to understand the mechanism by which the SSH daemon on the server receives requests from the client through a tunnel and then accesses the requested resources on the internet. Am I correct in understanding that the SSH daemon acts similarly to curl or wget, making requests on behalf of the client and returning the received data? If so, why was this functionality added to SSH, which existed long before blocking systems like Roskomnadzor (RKN)?

NeuroAgent

SSH proxying through dynamic port forwarding creates a SOCKS proxy on the local machine that redirects all network traffic through an encrypted SSH tunnel to a remote server. Technically, this works by allocating a local socket to listen on a port, which then routes requests through the SSH connection, where the server acts as a proxy server to access external resources. The SSH daemon does not operate like curl or wget, but rather acts as an intermediary, forwarding packets between the client and target hosts without needing to decode the traffic content.

Basic Principles of SSH Proxying

SSH proxying, also known as dynamic port forwarding, uses the -D option to create a local SOCKS proxy server. When you execute the command ssh -D 1080 user@server, the SSH client:

  1. Establishes an SSH connection with the remote server
  2. Allocates a local socket to listen on the specified port (usually 1080)
  3. Redirects network traffic through this connection

As explained in the Ubuntu documentation, “the -D option specifies dynamic port forwarding. 1080 is the standard SOCKS port”. Although any port number can be used, some programs only work with port 1080.


Technical Mechanism of SOCKS via SSH

Interaction Process

Technically, the mechanism works as follows:

  1. Local client opens a TCP connection to the dynamic forwarding port (SOCKS server)
  2. Sends a standard SOCKS request to connect to a specific IP address and port
  3. SSH client forwards this request through the encrypted tunnel to the remote SSH server
  4. Remote SSH server acts as a SOCKS proxy, establishing a connection with the target host
  5. All traffic passes in both directions through the SSH tunnel

As noted in Unix & Linux Stack Exchange research, “in dynamic SSH forwarding, the client opens a TCP connection to the dynamic forwarding port, sends a standard SOCKS request to connect to a specific IP address and port”.

SOCKS Protocol in SSH

SSH supports both SOCKS v4 and SOCKS v5 protocols. Unlike static port forwarding (which redirects specific ports), dynamic forwarding allows working with any target hosts and ports through a single SOCKS proxy.

Key difference: SSH does not decode the traffic content, but simply forwards packets between the client and target hosts, while providing encryption and authentication.


Difference between SSH Daemon and curl/wget

Your assumption is partially correct, but there are important differences:

| Characteristic | SSH Daemon | curl/wget |
| --- | --- | --- |
| Role in proxying | Proxies traffic without decoding | Performs HTTP requests directly |
| Content processing | Does not process content | Parses HTTP responses |
| Layer of operation | Transport (TCP) | Application (HTTP/S) |
| Protocol support | Any TCP/UDP via SOCKS | Only HTTP/S/FTP |

The SSH daemon in proxying mode does not make requests on behalf of the client like curl or wget. Instead, it acts as a transport layer, forwarding packets between the client and target hosts without understanding their content.

As explained in the Baeldung article, SSH creates a reverse tunnel that redirects any connections received on the remote SSH server to the local client host.


Historical Development and Purpose

Original Development Goals

The SOCKS proxying functionality in SSH was added not for bypassing blocks, but for other reasons:

  1. Secure access to internal resources - allowed secure connection to internal networks through an external gateway
  2. Firewall bypass - initially for bypassing corporate firewalls blocking specific ports
  3. Access unification - providing a single gateway for access to various services
  4. Authentication and encryption - ensuring secure access to resources through an encrypted tunnel

As noted in the historical SOCKS protocol overview, SOCKS was originally developed by David Koblas to work through firewalls, and was later expanded and modified.

Evolution of Usage

Modern use of SSH for bypassing blocks (including RKN) is a secondary application that became popular later. The main reasons for adding this functionality included:

  • Enhanced security when working with untrusted networks
  • Simplified access to internal resources through a single gateway
  • Traffic masking to bypass simple filtering systems

Modern Applications and Use Cases

Bypassing Blocks and Censorship

One of the most popular modern applications of SSH proxying is bypassing network restrictions. SSH tunneling allows:

  • Hiding the user’s real IP address
  • Bypassing geographical restrictions
  • Bypassing corporate firewalls
  • Access to blocked resources

As described in the article on bypassing content filters, “the remote SSH server accepts your SSH connection and acts as an outbound proxy/VPN for SOCKS5 connections”.

Penetration Testing and Offensive Security

In the field of cybersecurity, SSH proxying is used for:

  • Pivoting - accessing internal networks through a compromised machine
  • Proxy chaining - creating proxy chains for anonymity
  • Bypassing network segmentation in corporate networks

According to the SpecterOps guide, SSH-based SOCKS proxy is “a primary tool for penetration testers when working with internal networks”.

Remote Resource Access

Other common scenarios include:

  • Access to corporate resources from remote locations
  • Ensuring security when working with public Wi-Fi
  • Centralized management of network access

Setup and Practical Examples

Basic SOCKS Proxy Setup via SSH

```bash
# Creating a SOCKS proxy on local port 1080
ssh -D 1080 user@remote-server

# With compression for text traffic
ssh -D 1080 -C user@remote-server

# Binding to a specific interface
ssh -D 127.0.0.1:1080 user@remote-server
```

Browser Configuration for SOCKS Proxy

  1. Open browser settings
  2. Go to the network proxy section
  3. Select manual SOCKS proxy configuration
  4. Specify: localhost:1080
  5. Apply settings

As described in the Linuxize article, “dynamic forwarding allows creating a socket on the local machine (SSH client) that acts as a SOCKS proxy server”.

Configuration via SSH Config File

```
# ~/.ssh/config
Host my-proxy
    User username
    HostName remote-server.com
    DynamicForward 1080
    Compression yes
    ServerAliveInterval 60
```

Security and Limitations

Advantages of SSH Proxying

  • Encryption of all traffic through the SSH tunnel
  • User authentication via SSH keys
  • Minimal requirements for server configuration
  • Versatility - works with any TCP-based protocol

Limitations and Issues

  1. DNS requests - by default SOCKS4 does not handle DNS requests
  2. Performance - additional encryption layer can slow down traffic
  3. Detection - SSH traffic may be blocked or monitored
  4. Setup complexity - requires understanding of network concepts

As warned by SuperUser, “don’t forget that DNS won’t work through a SOCKS4 tunnel”.
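
Added example (not from the original answer and not OpenSSH's own code): a Python parser for the SOCKS CONNECT request that an application sends to the local `-D` port, as described under "Interaction Process", showing which destination host and port the tunnel is asked to reach and why a SOCKS4 request leaves name resolution on the local side. It goes beyond the SOCKS4 case named above by also covering the SOCKS4a extension and SOCKS5 request layouts; `parse_socks_request`, `SAMPLES` and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

def parse_socks_request(data: bytes):
    """Parse one SOCKS CONNECT request; return (version, host, port, dns_side).

    dns_side: "local" = IP literal in the request, "remote" = hostname in it.
    """
    if len(data) < 5:
        raise ValueError("truncated request")
    ver, cmd = data[0], data[1]
    if cmd != 0x01:
        raise ValueError("only CONNECT (0x01) is handled here")
    if ver == 4:
        # VN CD DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL]
        if len(data) < 9 or not data.endswith(b"\x00"):
            raise ValueError("truncated SOCKS4 request")
        (port,) = struct.unpack("!H", data[2:4])
        ip, fields = data[4:8], data[8:].split(b"\x00")
        # SOCKS4a marks "hostname follows" with the address 0.0.0.x, x != 0
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            if len(fields) < 3 or not fields[1]:
                raise ValueError("SOCKS4a request without hostname")
            return "4a", fields[1].decode("ascii"), port, "remote"
        return "4", str(ipaddress.IPv4Address(ip)), port, "local"
    if ver == 5:
        # VER CMD RSV ATYP DST.ADDR DST.PORT(2), sent after method negotiation
        atyp, body = data[3], data[4:]
        if atyp == 0x03:                    # length-prefixed domain name
            size, body, side = body[0], body[1:], "remote"
        elif atyp in (0x01, 0x04):          # IPv4 or IPv6 literal
            size, side = (4 if atyp == 0x01 else 16), "local"
        else:
            raise ValueError("unknown ATYP")
        if len(body) < size + 2:
            raise ValueError("truncated SOCKS5 address")
        (port,) = struct.unpack("!H", body[size:size + 2])
        if atyp == 0x03:
            return "5", body[:size].decode("ascii"), port, side
        return "5", str(ipaddress.ip_address(body[:size])), port, side
    raise ValueError("not a SOCKS4/5 request")

# Constructed sample requests (documentation addresses, not captured traffic)
SAMPLES = [
    b"\x04\x01\x01\xbb\xc0\x00\x02\x0a" + b"user\x00",             # SOCKS4
    b"\x04\x01\x00\x50\x00\x00\x00\x01" + b"\x00example.org\x00",  # SOCKS4a
    b"\x05\x01\x00\x03\x0bexample.org\x01\xbb",                    # SOCKS5
]
print([parse_socks_request(raw) for raw in SAMPLES])
```

A result of "local" means any hostname was looked up before the request reached the proxy, so that DNS query did not travel through the tunnel.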

Security Practices

  • Use SSH keys instead of passwords
  • Restrict proxy access through firewall
  • Monitor proxy usage
  • Regularly update the SSH server
  • Use additional encryption for sensitive traffic

Conclusion

SSH proxying through dynamic port forwarding is a powerful mechanism for secure network traffic redirection. Technically, it works by creating a local SOCKS proxy that routes all traffic through an encrypted SSH tunnel to a remote server, which then acts as an intermediary for accessing external resources.

Key takeaways:

  • The SSH daemon does not operate like curl/wget, but rather acts as a transport proxy
  • SOCKS functionality in SSH was added for security and access to internal resources, not for bypassing blocks
  • Modern use for bypassing RKN and other blocking systems is a secondary application
  • The technology provides encryption and authentication, but has limitations in DNS processing and performance

For practical use, it is recommended to study the SSH and SOCKS protocol documentation, as well as consider the network architecture and security requirements in your environment.

Sources

  1. SSH/OpenSSH/PortForwarding - Ubuntu Community Help Wiki
  2. SSH Port Forwarding: Local, Remote, and Dynamic Explained - DigitalOcean
  3. How to create a SOCKS proxy with ssh - Super User
  4. OpenSSH Port Forwarding and SOCKS Proxy - IONOS DevOps Central
  5. SOCKS - Wikipedia
  6. A Deep Dive into SOCKS Proxy Protocol - Bomberbot
  7. SSH SOCKS Proxy: A Comprehensive Guide - Bomberbot
  8. Offensive Security Guide to SSH Tunnels and Proxies - SpecterOps
  9. How to Set Up SSH Tunneling (Port Forwarding) - Linuxize
  10. Create a SOCKS proxy on a Linux server with SSH - Mattias Be