Use SSH to proxy web traffic

 November 28, 2022

As discusse in a previous post, I use nebula to create a VPN connection between the various machines I use. Usually what I really care about this setup is the ability of consuming services those machine expose on my nebula network.

When I travel, I prefer to proxy my data through my nebula network. This allows me to not have to care about the limitations imposed in those networks, as long as I’m able to open my tunnel. The second advantage I have, is that I can choose the location where my traffic leaves my VPN, since I have multiple machines in multiple nations. Another advantage is that I can be sure that no data is visibile by the network manager, even if this is becoming less and less relevant, since the majority of the traffic is encrypted nowadays.

Nebula can be configured to be used as a full VPN, but the configuration is more complex than what I think it’s sensible. I also know there are very fancy ways of doing this, but I tend to be lazy and I really like to use the tools I already have, since I have already spent time to configure them in a way that is aligned to my needs, and if I add a new tool I’ll have to spend time on it.

The solution I use to do this is leveraging sshd, which I already have on all machines.

On my machine I simply run:

ssh -D PORT HOST

Where:

-D PORT is the local port the to bind the SOCKS. The PORT string should be replaced with a port number.
HOST is the name of the system I want to use as proxy.

Although I usually don’t use them, there are other flags that can be used such as

-N to disable command prompt on the remote host, so it will only bind the SOCKS port.
-f this will put the command in the background, so it will not keep your terminal busy.

The final command to have it the less intrusive way possible woule therefore be:

ssh -NfD PORT HOST

Once the connection is up, it’s enough to go to the browser’s settings page and set the proxy with the following details:

SOCKS proxy: 127.0.0.1 which is your local machine.
Port: PORT which is the same port that you set in the previously run command.
Proxy DNS when using SOCKS v5: This is not mandatory, but I prefer to use it, since this allows me to use a DNS setup that behaves as I expect.

The best option would be for nebula to be smarter about this and be able to manage ths use case in an immidiate way, but for now this is the simplest solution I’ve found.

Although I do it via my VPN solution, this is not required. The only required part is that you have SSH access to a machine. I hope this small tricks can help you the next time you travel.

 CLI, Linux, Networking, Security, Self-hosting

 Nebula, VPN, WireGuard

Say something

Comments

PresGas on 2022-11-30 13:35:18 UTC said:

I was wondering if you ever looked at sshuttle to go even beyond the browser for your tunneling?

https://github.com/sshuttle/sshuttle

Not sure how it would work with Nebula underneath that, however. Reading over your posts about it along with upstream docs now…

Fabio Alessandro Locati on 2022-12-05 06:03:21 UTC said:

I’ve looked at sshuttle as well. It does work with Nebula. Although it partially removes one step, it is “one additional tool” to use, so in the end, the added complexity it brings is not justified by the benefits, at least from my perspective.

Dmitry on 2023-01-13 11:47:52 UTC said:

The sshuttle didn’t work for me, and I couldn’t troubleshoot it. Your solution does the job. Thanks, Fabio!

Fabio Alessandro Locati on 2023-01-13 15:21:04 UTC said:

Hey Dmitry, glad to hear that this article helped you :).