
Day 9 - How to SSH tunnel!

Posted by Sundance, 20 February 2014 · 14341 views

cli ssh tunnel tunneling security tutorial

How to SSH Tunnel!


After reading many posts on SSH tunneling, I failed to find a decent one that really explained how to do it without giving you a wall of text to read, so I have decided to write a little tutorial!

What is an SSH Tunnel?
An SSH tunnel is a way to send otherwise unencrypted traffic through an encrypted SSH connection. It is an excellent method for security and for browsing the internet without restrictions that may be placed by your router. For example, in the UK, ISPs forbid access to various torrent sites; using an SSH tunnel you can circumvent this whilst also keeping your browsing information hidden from your ISP. However, this should not be a method used to access illegal content, but rather a way to stay anonymous on the internet, because privacy is important!

By following this tutorial you accept that I hold no responsibility for anything you do whilst SSH tunneling. SSH tunneling is not illegal and should only be used for your own privacy.

- A server (either remote or local is fine; this tutorial is for learning purposes, however a remote server is better for seeing the magic happen)
- A browser of your choice (for this tutorial I will be using Firefox/Iceweasel)
- Either a terminal that supports the SSH command OR PuTTY

PuTTY can be found here

Step One - Start your terminal / PuTTY client
Open up PuTTY OR your terminal

Step Two - Configure the ports!
For PuTTY, enter your server's IP and port (by default the SSH port is 22).
Then under the "Connection" option on the left of PuTTY, click the right-facing arrow that is next to "SSH".
Select "Tunnels" and you will be presented with the following screen

In "Source Port", enter a port of your choice (for me it is 9090), then select "Dynamic" from the radio buttons and click "Add" to the right of "Source Port".

You will then see your PuTTY window looks something like this

For the terminal, use the following example, replacing user with your server's main username (normally it will be root unless you have specified a different username), replacing ip with your server's IP, then typing -D and replacing the XXXX with the port you would like to tunnel out of.
Here's an example of the terminal code and what it would look like for me
ssh kadence@ -D9090
Then for PuTTY, just press "Open" on the bottom right, enter your password when prompted and move on to the next step!
For the terminal, just press enter and type your password when prompted; once logged in, move on to the next step!

Step Three - Configure your browser!

Open up your browser (for me it is Iceweasel, but Firefox has an identical GUI), open Preferences and navigate to Advanced > Network > Settings

You will see this menu

Select "Manual Proxy Configuration" from the radio buttons, and inside "SOCKS HOST" enter in and then in the box directly to the right enter the port you designated earlier (for me it is 9090). You do NOT have to include the -D part if you are using a terminal or have seen the -D pop up in PuTTY.

Then press "OK".

After this is done, exit the "Preferences" menu and try connecting to a site. To test that it has worked, type "What is my IP?" into Google; it should tell you the IP of the server you have SSH'd into.

If all is okay and you can see your server's IP then you are done!

Congratulations, you have just done your first SSH tunnel!

- You MUST leave your PuTTY window / terminal open at all times, otherwise you will not be SSH tunneled OR your browser will throw an error such as "The proxy server is refusing connections".
- This will only work for programs / applications whose SOCKS proxy configuration you have changed to match.

If you have any questions feel free to PM me OR tweet me here!

  • 1
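
A check to go with the tunnel set up in the post above, as an added example that is not part of the original post or its comments: it prints an ssh command that binds the -D port to loopback explicitly, then classifies who can reach that port from ss -ltn output. The function names, the user@server placeholder and the sample listings are assumptions constructed for illustration; port 9090 is the one used in the post.

```sh
#!/bin/sh
# Added example. SOCKS_PORT follows the tutorial's 9090; the ssh target
# passed to tunnel_cmd is a placeholder you supply.
SOCKS_PORT=9090

# Print the ssh command for a dynamic (SOCKS) forward that is bound to
# loopback explicitly, opens no remote shell (-N) and exits at once if the
# port cannot be bound instead of leaving a session with no tunnel.
tunnel_cmd() {
    printf 'ssh -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes %s\n' \
        "$SOCKS_PORT" "$1"
}

# Read `ss -ltn` output on stdin and classify the listener on port $1:
#   loopback = only this machine can use the proxy
#   exposed  = bound to a wildcard or LAN address, other hosts can use it
#   absent   = nothing listening (browser reports the proxy is refusing)
socks_bind_scope() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") {
                if (scope == "") scope = "loopback"
            } else {
                scope = "exposed"
            }
        }
        END { if (scope == "") scope = "absent"; print scope }'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9090     0.0.0.0:*
LISTEN 0      128    [::1]:9090         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9090       0.0.0.0:*'

tunnel_cmd 'user@server'
printf '%s\n' "$SAMPLE_OK"      | socks_bind_scope "$SOCKS_PORT"
printf '%s\n' "$SAMPLE_EXPOSED" | socks_bind_scope "$SOCKS_PORT"
# On a live Linux client: ss -ltn | socks_bind_scope 9090
```

In PuTTY the same exposure is controlled by the "Local ports accept connections from other hosts" checkbox on the Tunnels panel, which is off by default.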

Very nice.. Would this better serve as a tutorial on the forums rather than a blog entry, due to its completeness? It seems a number of people have found this either way!


If this is for your own personal use, a firewall on the host side with incoming access from your desired clients' IPs only to port 9090 is recommended.


Using a non-standard port is useful to prevent runby login attempts, however you still cannot guarantee traffic will only come from where you want it to come from.

    • 0