How To Set up a SOCKS Proxy Using Putty & SSH – Security …
If you ever find yourself in front of a public computer connected to the Internet and are concerned about the security of the path between you and a website you wish to visit, a SOCKS proxy can come in handy.
SOCKS proxies generally allow you to “bounce” a TCP connection off another server transparently– basically instructing another computer to make a connection on your behalf. When used in combination with Secure Shell (SSH), it can form an encrypted tunnel that insulates you from anyone attempting to grab traffic off the wire.
The following is a simple step-by-step tutorial about how to do this.
You will need:
-Putty SSH client
-An account on an Internet-accessible server that accepts SSH connections and allows connection forwarding (enabled by default)
-A popular web browser or other software that supports SOCKS communications
Fire up Putty and navigate to the Session Category
Enter the hostname/IP address and port of the server on which you have an account.
(Note: The default SSH port is 22)
This tells Putty how to connect to the SSH server.
Under the SSH->Tunnels Category
Enter the following:
Source port: 8888 (or any port of your choosing. Just be sure to remember what it is)
Destination: hostname/IP address of the server on which you have an account
Also, select the “Dynamic” radio button.
This tells Putty that, upon a successful connection, a SOCKS tunnel should be opened from a port on the computer you are using to the SSH server.
The forwarded port is now added to the connection settings.
Click “Open” to start the connection
Putty will ask for your login credentials. In most cases, this will be a username and password. (For extra security and bonus cool points, have your SSH server only accept certificates)
At this point, your Putty-enabled SOCKS proxy should be active. But how do we test it out? Keep reading…
Fire up your web browser and navigate to its proxy connection properties menu.
For Firefox 3, it is in Tools->Options->Advanced->Network(tab)->Connection, Settings
For IE6, it is Tools->Internet Options->Connections(tab)->LAN Settings(button)->Advanced(button)
Find the SOCKS settings text box and enter the following:
Proxy Address/Host: localhost OR 127.0.0.1
Port: 8888 (or whatever port you decided to use in Step 3)
Ensure SOCKS Version 4 is selected
Note: DO NOT enter any other proxy settings for other protocols (this includes the “use proxy server for all protocols” option). Don’t enable it. I’m serious. If you do, things might not work correctly.
Click “OK” until you’re back to your browser.
Go to and check your IP address. It should be different from the machine you’re on. In fact, it SHOULD be the IP address of the SSH server (or whatever machine is handling its connections).
Pat yourself on the back. Or have your buddies do it for you– they’ll no doubt be impressed by your newfound computer skills. Enjoy browsing the web using your own personal SSH proxy.
NOTE: Although this could be useful when using a public computer– it won’t protect you from local machine monitoring tools (keyloggers, screen captures, etc). Always exercise due diligence when using untrusted computers.
Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!
Using PuTTY to setup a quick SOCKS proxy – ForwardProxy
Using a SOCKS proxy allows you to encrypt all your web traffic between your machine and the proxy server, so that devices on the local network cannot inspect it. Besides the obvious use-cases, this can often mean a significant impact on your browsing speed as it allows your traffic to exit from a different geographical location.
Whether or not you can use a SOCKS proxy is highly dependent on your environment: is this a home PC behind a simple router, a work computer behind the corporate firewall or your school issued laptop on a public WiFi? There are three basic things you need:
-The ability to run PuTTY
-Connectivity to the internet that is not inspected by any “smart” devices
-A server with shell access (SSH) enabled
To check if you can run PuTTY, simply download “” from the official PuTTY download page (direct link to) and run it. If you do not get an error: great! If AppLocker prevents you from running it, you might get stuck here. AppLocker is often deployed on corporate devices.
In corporate environments, internet connectivity is typically impossible except from the corporate proxy to the outside. To test this, run PuTTY and see if you can open an SSH session to your server, using the following settings:
If you get a warning about a private key or password prompt you have everything you need to setup a SOCKS tunnel.
Navigate to Connection -> SSH -> Tunnels and do the following:
Instead of 8080 you can type in any local port, but higher port numbers (>1023) are required as the lower ports require administrative access. After this step, go back to Session and do the following:
Saving the session is useful so you don’t have to do this every time you open up PuTTY. Click Open and log in to your server. Now go to your browser and change the proxy settings to use the SOCKS proxy. In Firefox:
Don’t forget to change the 8080 if you changed it in the previous step.
Testing the proxy
Go to one of the million “what is my IP?” websites; it should show the IP of your server.
Often corporate networks don’t allow outbound connections on port 22, so you can change the config on your server to listen on a different port. To do this (on 99% of Linux installations at least), open a CLI window, edit the /etc/ssh/sshd_config config file and add the following lines:
Port 22
Port 10022
Change the port 10022 to any port you find to be open. After this restart sshd:
systemctl restart sshd.service
You can also try to be clever and use a less conspicuous port such as 443, but these are often subject to protocol detection on a firewall. This means you won’t be able to get any SSH traffic over them, only actual HTTPS traffic.
Creating an SSH Proxy Tunnel with PuTTY – UCLA Math
Some websites available to Math Department members are filtered by the network the traffic originates on. In particular, connections to must come from a registered UCLA Math IP address to gain full access. If you are browsing this site from off-campus, and you have a Mathnet Linux account, you can use this proxy setup to make it appear that your traffic comes from one of our IP addresses. A proxy setup can be configured using OSX, Linux, or Windows using various browsers. This example shows a connection from a Windows machine using Firefox. Things you’ll need: A Linux Mathnet account, PuTTY (ssh client), and Firefox.
1. Launch PuTTY and enter the hostname (
– The hostname should be your UCLA homesite followed by “”. Log in to a Linux machine and type “home” and this will display your homesite.
2. On the left side, in the Category window, go to Connection -> SSH -> Tunnels.
3. For ‘Source Port’ enter ‘31415’ (this can be configured to whatever you want, just remember it).
4. Under ‘Destination’ select the ‘Dynamic’ radio button and leave the ‘Auto’ button selected.
5. Press the ‘Add’ button. You should see ‘D31415’ in the ‘Forwarded ports:’ box.
6. Then select the ‘Open’ button. This should open a terminal window and you should be prompted to log in.
Once the tunnel is established, you now need to set up a SOCKS proxy in your web browser.
1. Launch Firefox.
2. Go to Tools -> Options.
3. On the left side of the window, select Advanced.
4. Under Advanced, in the middle of the page, select Network -> Connection -> Settings.
5. Under ‘Configure Proxies to Access the Internet’ select the ‘Manual proxy configuration’ radio button.
6. In the ‘SOCKS Host’ box enter ‘localhost’ and for ‘Port’ enter ‘31415’ (or whatever you set your SSH Tunnel up with).
7. Make sure ‘SOCKS v5’ is selected and select the ‘OK’ button to save.
As long as your PuTTY SSH connection remains connected, your proxy tunnel will be open and you will be able to use the internet through this proxy.
To determine that the proxy is up:
1. Go to and confirm that your IP address matches the host IP that you are tunneling through.
2. Also, if you are trying to gain access to MathSciNet, go to and look for “Univ of Calif, Los Angeles” in the top right of the page.
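The first tutorial above selects SOCKS version 4 and the last one SOCKS v5; the practical difference is where hostnames get resolved. The following Python sketch is an added example, not part of any of the original tutorials: it builds both request types and runs a SOCKS5 handshake against the local PuTTY listener to confirm the tunnel is up. The destination example.com, the address 192.0.2.10 used in the test, and all function names are assumptions made for illustration.

```python
import socket
import struct

def socks4_request(ipv4: str, port: int) -> bytes:
    # SOCKS4 CONNECT has room only for a 4-byte IPv4 address, so the client
    # must resolve the name itself: that DNS lookup stays on the local network.
    return struct.pack(">BBH", 4, 1, port) + socket.inet_aton(ipv4) + b"\x00"

def socks5_request(hostname: str, port: int) -> bytes:
    # SOCKS5 CONNECT with address type 0x03 (domain name): the hostname itself
    # travels through the tunnel and is resolved at the far end.
    name = hostname.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break  # peer closed early
        buf += chunk
    return buf

def socks5_handshake(sock: socket.socket, hostname: str, port: int) -> str:
    """Run a no-auth SOCKS5 CONNECT over an already connected socket."""
    sock.sendall(b"\x05\x01\x00")            # version 5, offering 1 method: no auth
    if _recv_exact(sock, 2) != b"\x05\x00":
        return "not-socks5"
    sock.sendall(socks5_request(hostname, port))
    reply = _recv_exact(sock, 4)             # VER, REP, RSV, ATYP
    if len(reply) < 4 or reply[0] != 5:
        return "not-socks5"
    return "ok" if reply[1] == 0 else f"refused:{reply[1]}"

def probe(proxy_port: int, hostname: str = "example.com", port: int = 80) -> str:
    """Check the local dynamic-forward listener (e.g. 8888, 8080 or 31415)."""
    try:
        with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
            return socks5_handshake(s, hostname, port)
    except OSError:
        return "unreachable"  # nothing listening, or the listener timed out

if __name__ == "__main__":
    print(probe(31415))  # source port used in the last tutorial
```

A result of "ok" means the listener speaks SOCKS5 and the SSH server was able to open the connection; "unreachable" usually means the PuTTY session has dropped or a different source port was configured.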