Proxies serve as intermediary hosts, allowing you to route connections through them to access different hosts. With an SSH tunnel through a proxy, you can reach hosts within private networks or behind a NAT, bypassing the need for complicated VPN setups.

OpenSSH's client supports connections via SOCKS and HTTPS proxies. To establish a proxied connection, you'll need the ProxyCommand option and third-party tools like nc or netcat.

Steps to connect to SSH server via SOCKS or HTTPS proxy:

  1. Set up a SOCKS or HTTPS proxy if you don't already have one.
  2. Check if the SOCKS or HTTPS proxy is reachable from the SSH client's host (optional).
    $ nc -zv 127.0.0.1 2222
    Connection to 127.0.0.1 2222 port [tcp/*] succeeded!
    -v      Produce more verbose output.
    -z      Only scan for listening daemons, without sending any data to
            them.  Cannot be used together with -l.
  3. Use ProxyCommand as an option for the SSH client.
    $ ssh -o ProxyCommand='nc -X4 -x 127.0.0.1:2222 %h %p' remoteuser@remotehost
    -X proxy_protocol
            Use proxy_protocol when talking to the proxy server.  Supported
            protocols are 4 (SOCKS v.4), 5 (SOCKS v.5) and connect (HTTPS
            proxy).  If the protocol is not specified, SOCKS version 5 is
            used.
    
    -x proxy_address[:port]
            Connect to destination using a proxy at proxy_address and port.
            If port is not specified, the well-known port for the proxy pro‐
            tocol is used (1080 for SOCKS, 3128 for HTTPS).  An IPv6 address
            can be specified unambiguously by enclosing proxy_address in
            square brackets.  A proxy cannot be used with any of the options
            -lsuU.
  4. Add ProxyCommand to SSH client configuration file to persist the option.
    $ cat .ssh/config
    Host remotehost
        hostname 192.168.1.10
        user remoteuser
        ProxyCommand nc -X4 -x 127.0.0.1:2222 %h %p
  5. Connect again using the SSH client with just the Host name as parameter.
    $ ssh remotehost
Discuss the article:

Comment anonymously. Login not required.