How to establish an SSH connection through a proxy

Using a proxy with SSH allows you to access remote hosts that are behind firewalls or NAT. This method routes your connection through a SOCKS or HTTPS proxy server, which can help you bypass network restrictions. It is a practical solution for secure access to private networks without using a VPN.

The OpenSSH client supports connections through proxies. You can configure the client to use a proxy by setting the ProxyCommand option. This approach enables you to establish an SSH connection that is routed through the proxy server, ensuring that your traffic reaches the intended destination securely.

To set up this connection, you need to ensure that the proxy server is accessible from your machine. You also need to configure the SSH client to use the proxy. Finally, you can save these settings in your SSH configuration file for easy reuse.

Steps to connect to SSH server via SOCKS or HTTPS proxy:

Set up a SOCKS or HTTPS proxy server if you don't already have one.

Related: How to create an SSH SOCKS proxy
Related: How to create SOCKS proxy on Windows
Install nc (netcat) if it is not already installed.
```
$ sudo apt install netcat #Ubuntu
```

Ensure the proxy server is reachable from your machine.

$ nc -zv 127.0.0.1 2222
Connection to 127.0.0.1 2222 port [tcp/*] succeeded!

-v      Produce more verbose output.
-z      Only scan for listening daemons, without sending any data to
        them.  Cannot be used together with -l.

Configure the SSH client to use the ProxyCommand option.

$ ssh -o ProxyCommand='nc -X4 -x 127.0.0.1:2222 %h %p' remoteuser@remotehost

-X proxy_protocol
        Use proxy_protocol when talking to the proxy server.  Supported
        protocols are 4 (SOCKS v.4), 5 (SOCKS v.5) and connect (HTTPS
        proxy).  If the protocol is not specified, SOCKS version 5 is
        used.

-x proxy_address[:port]
        Connect to destination using a proxy at proxy_address and port.
        If port is not specified, the well-known port for the proxy pro‐
        tocol is used (1080 for SOCKS, 3128 for HTTPS).  An IPv6 address
        can be specified unambiguously by enclosing proxy_address in
        square brackets.  A proxy cannot be used with any of the options
        -lsuU.

Add the proxy configuration to your SSH client’s configuration file.

$ cat .ssh/config
Host remotehost
    hostname 192.168.1.10
    user remoteuser
    ProxyCommand nc -X4 -x 127.0.0.1:2222 %h %p

Connect to the SSH server using the configured proxy settings.
```
$ ssh remotehost
```

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.