How to connect through a proxy with SSH ProxyCommand

Using SSH through a network proxy enables secure access to remote hosts from locations where direct outbound connections are blocked or tightly filtered. Combining OpenSSH with a proxy-aware helper keeps traffic encrypted from end to end while still conforming to local outbound policies.

The ProxyCommand directive in /etc/ssh/ssh_config or /home/user/.ssh/config instructs ssh to launch an external program and tunnel all traffic for a session through that command’s standard input and output. Typical helpers include nc or ncat for HTTP or SOCKS proxies and another ssh process when chaining through a jump host, using tokens such as %h and %p that expand to the target hostname and port.

Because ProxyCommand runs a local process for each connection attempt, incorrect commands, unreachable proxies, or stored credentials can all affect connectivity and security. Reliable operation depends on correct proxy details, suitable helper syntax for the installed nc variant or other tool, and strict permissions on configuration files so only the owning account can read proxy-related settings in /home/user/.ssh/config.

Related: How to connect to an SSH server through a SOCKS or HTTPS proxy
Related: How to connect to an SSH server through a jump host
Related: How to view SSH client configuration

Steps to connect through a proxy with SSH ProxyCommand:

  1. Open a terminal on a system that initiates the outbound SSH connection.
  2. Confirm basic TCP reachability to the proxy host and port using a simple tool such as nc or telnet. 
    $ nc -vz proxy.example.net 1080
Connection to proxy.example.net (203.0.113.10) 1080 port [tcp/socks] succeeded!
  3. Open /home/user/.ssh/config in a text editor for the account that will connect through the proxy.
  4. Add a host block that defines the remote target and a ProxyCommand line using a SOCKS5-capable netcat helper. 
    Host app-via-proxy
  HostName host.example.net
  User user
  IdentityFile ~/.ssh/id_ed25519
  ProxyCommand nc -x proxy.example.net:1080 -X 5 %h %p

    The tokens %h and %p expand to the hostname and port passed to ssh so the helper contacts the correct destination through the proxy.

  5. Secure the configuration file so only the owner can read or modify it. 
    $ chmod 600 ~/.ssh/config

    Too-permissive permissions on /home/user/.ssh/config cause ssh to ignore the file and skip the ProxyCommand rule.

  6. Initiate the connection using the host alias from the configuration file so ssh automatically starts the proxy helper. 
    $ ssh app-via-proxy 'hostname'
host
  7. Invoke ssh with an inline ProxyCommand option for a one-off connection without editing configuration files. 
    $ ssh -o ProxyCommand='nc -x proxy.example.net:1080 -X 5 %h %p' alice@host.example.net 'hostname'
host

    Inline ProxyCommand strings are useful for quick testing of proxy syntax before copying a working command into /home/user/.ssh/config.

  8. Increase verbosity when troubleshooting proxy-related failures to observe the helper command execution. 
    $ ssh -vvv app-via-proxy
OpenSSH_9.6p1 Ubuntu-3ubuntu13.14, OpenSSL 3.0.13 30 Jan 2024
debug1: Executing proxy command: exec nc -x proxy.example.net:1080 -X 5 host.example.net 22
##### snipped #####

    Look for lines such as debug1: Executing proxy command: exec nc -x proxy.example.net:1080 -X 5 host.example.net 22 to confirm that ssh invoked the expected helper through the proxy.

  9. Verify the proxy path by inspecting connection details reported by the remote host. 
    $ ssh app-via-proxy 'printf "SSH from: %s\n" "$SSH_CONNECTION"'
SSH from: 203.0.113.10 52144 203.0.113.50 22

    The first IP address in $SSH_CONNECTION corresponds to the client as seen by the server, which is typically the proxy or jump host when ProxyCommand is used.