How to establish an SSH connection through a proxy

Routing SSH connections through a proxy enables access to remote hosts that are otherwise blocked by firewalls, NAT, or strict egress rules. A SOCKS or HTTPS proxy server forwards the encrypted SSH stream so that traffic appears to originate from the proxy rather than the local workstation.

The OpenSSH client supports proxy traversal through the ProxyCommand option, which launches a helper such as nc (netcat) to create the TCP connection on its behalf. The helper connects to the proxy, negotiates the target address and port using the selected protocol, and then simply passes the SSH byte stream through that tunnel.

Proxy use introduces extra moving parts, so configuration and testing matter. The proxy host and port must be reachable, the chosen mode (SOCKS v4, SOCKS v5, or HTTPS CONNECT) must match the server, and any authentication or access control enforced by the proxy must be satisfied. Settings can be validated interactively at the command line and then stored in ~/.ssh/config for repeatable use without retyping options.

Steps to connect to SSH server via SOCKS or HTTPS proxy:

Ensure a SOCKS or HTTPS proxy server is available and listening on a known host and port.

Related: How to create an SSH SOCKS proxy
Related: How to create SOCKS proxy on Windows
Install nc (netcat) from the distribution package repository.
```
$ sudo apt install --assume-yes netcat-openbsd
```

Verify that the proxy port accepts TCP connections from the local machine.

$ nc -zv 127.0.0.1 2222
Connection to 127.0.0.1 2222 port [tcp/*] succeeded!

-v      Produce more verbose output.
-z      Only scan for listening daemons, without sending any data to
        them.  Cannot be used together with -l.

Open an SSH session through the proxy using ProxyCommand with nc.

$ ssh -o ProxyCommand='nc -X5 -x 127.0.0.1:2222 %h %p' remoteuser@remotehost

-X proxy_protocol
        Use proxy_protocol when talking to the proxy server.  Supported
        protocols are 4 (SOCKS v.4), 5 (SOCKS v.5) and connect (HTTPS
        proxy).  If the protocol is not specified, SOCKS version 5 is
        used.

-x proxy_address[:port]
        Connect to destination using a proxy at proxy_address and port.
        If port is not specified, the well-known port for the proxy pro‐
        tocol is used (1080 for SOCKS, 3128 for HTTPS).  An IPv6 address
        can be specified unambiguously by enclosing proxy_address in
        square brackets.  A proxy cannot be used with any of the options
        -lsuU.

Incorrect ProxyCommand settings or proxy address can prevent new SSH sessions from starting; keep a fallback access method available when changing connection parameters.

Add a host definition with the proxy configuration to the user SSH configuration file.

$ cat ~/.ssh/config
Host remotehost
    HostName 192.168.1.10
    User remoteuser
    ProxyCommand nc -X5 -x 127.0.0.1:2222 %h %p

Connect to the configured host name to confirm the SSH session works through the proxy.

$ ssh remotehost
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-1045-azure x86_64)
##### snipped #####

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.