How to connect to SSH server through a proxy

Using SSH through a network proxy enables secure access to remote hosts from locations where direct outbound connections are blocked or tightly filtered. Combining OpenSSH with a proxy-aware helper keeps traffic encrypted from end to end while still conforming to local outbound policies.

The ProxyCommand directive in /etc/ssh/ssh_config or /home/user/.ssh/config instructs ssh to launch an external program and tunnel all traffic for a session through that command’s standard input and output. Typical helpers include nc or ncat for HTTP or SOCKS proxies and another ssh process when chaining through a jump host, using tokens such as %h and %p that expand to the target hostname and port.

Because ProxyCommand runs a local process for each connection attempt, incorrect commands, unreachable proxies, or stored credentials can all affect connectivity and security. Reliable operation depends on correct proxy details, suitable helper syntax for the installed nc variant or other tool, and strict permissions on configuration files so only the owning account can read proxy-related settings in /home/user/.ssh/config.

1. Open a terminal on a system that initiates the outbound SSH connection.
2. Confirm basic TCP reachability to the proxy host and port using a simple tool such as nc or telnet.

   $ nc -vz proxy.example.net 3128
   Connection to proxy.example.net 3128 port [tcp/*] succeeded!

3. Open /home/user/.ssh/config in a text editor for the account that will connect through the proxy.
4. Add a host block that defines the remote target and a ProxyCommand line using an HTTP CONNECT capable netcat helper.

   Host app-via-proxy
     HostName server.example.com
     User alice
     ProxyCommand nc -x proxy.example.net:3128 -X connect %h %p

   The tokens %h and %p expand to the hostname and port passed to ssh so the helper contacts the correct destination through the proxy.

5. Secure the configuration file so only the owner can read or modify it.

   $ chmod 600 ~/.ssh/config

   Too-permissive permissions on /home/user/.ssh/config cause ssh to ignore the file and skip the ProxyCommand rule.

6. Initiate the connection using the host alias from the configuration file so ssh automatically starts the proxy helper.

   $ ssh app-via-proxy
   Welcome to Ubuntu 22.04.4 LTS
   Last login: Thu Dec 12 10:15:34 2024 from 10.10.10.5
   ##### snipped #####

7. Invoke ssh with an inline ProxyCommand option for a one-off connection without editing configuration files.

   $ ssh -o ProxyCommand='nc -x proxy.example.net:3128 -X connect %h %p' alice@server.example.com

   Inline ProxyCommand strings are useful for quick testing of proxy syntax before copying a working command into /home/user/.ssh/config.

8. Increase verbosity when troubleshooting proxy-related failures to observe the helper command execution.

   $ ssh -vvv app-via-proxy
   OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024
   debug1: Executing proxy command: nc -x proxy.example.net:3128 -X connect server.example.com 22
   ##### snipped #####

   Look for lines such as debug1: Executing proxy command: nc -x proxy.example.net:3128 -X connect server.example.com 22 to confirm that ssh invoked the expected helper through the proxy.

9. Verify the proxy path by inspecting connection details reported by the remote host.

   $ ssh app-via-proxy 'printf "SSH from: %s\n" "$SSH_CONNECTION"'
   SSH from: 10.10.10.5 53412 192.0.2.10 22

   The first IP address in $SSH_CONNECTION corresponds to the client as seen by the server, which is typically the proxy or jump host when ProxyCommand is used.