Foreword
I needed a way to get inside my work firewall from home. There was a DMZ Linux machine that I could SSH to, but no VPN available. What I really needed was a way to configure the router/firewall, but the only way to do that was to be on the internal network and browse to it using a browser. Text-based browsers didn’t work; the only way to access and administer the router was to use a full-featured browser from behind the firewall itself. To make a long story short, I figured out how to do it using PuTTY and Firefox, and this is how you do it.
Getting Started
First things first, make sure you have PuTTY and Firefox installed. Next you’ll want to be able to establish an SSH connection to a remote server using PuTTY. For example, launch PuTTY, enter the host name or IP and make sure you can connect and log in. Once you have that, you’re ready to set up the SSH tunnel and browse through it.
Configuring The SSH Tunnel
Now open PuTTY and enter the hostname or IP of the machine you want to establish a remote connection to. Next, under Connection->SSH->Tunnels, find the radio buttons under the Destination field and make sure Dynamic is selected. Dynamic makes PuTTY act as a local SOCKS proxy that forwards connections over the SSH session. Then, where it reads Add new forwarded port:, enter a source port. For this example let’s use 1024: enter this in the Source port field and click the Add button. You should see a value in the Forwarded ports: list that reads D1024. That’s all there is to the PuTTY side of things. Next go back to the Session area and save the current configuration as a saved session if you’d like, then open the SSH connection.
Configuring Firefox
Now, launch Firefox, select Tools->Options and click the Advanced tab. Within the Advanced tab, click on the Network tab and click the Settings button.
Within the Network Settings dialog, select the Manual proxy configuration radio button and enter the following for the SOCKS Host: and Port:
SOCKS Host: localhost
SOCKS Port: 1024
Click OK on the Settings dialog, then click OK on the Options dialog. Now you should be good to go. Enter a new URL in the Firefox address bar and you’ll be browsing from the remote end of the SSH connection.
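To confirm the tunnel is up before pointing Firefox at it, the following added example (not part of the original post) speaks SOCKS5 to the dynamic port configured above (localhost:1024) and reports the proxy's answer. The destination 192.0.2.1 is a placeholder for your router's internal address, and the function names are this example's own.

```python
"""Probe a SOCKS5 listener such as PuTTY's dynamic forward (D1024)."""
import ipaddress
import socket
import struct

REPLY_CODES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
               3: "network unreachable", 4: "host unreachable",
               5: "connection refused", 6: "TTL expired",
               7: "command not supported", 8: "address type not supported"}

def build_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928). A hostname is sent as ATYP 0x03 so the
    far end of the tunnel resolves it; an IP literal is sent as raw bytes."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = 1 if ip.version == 4 else 4
        addr = ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1-255 bytes")
        atyp, addr = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + addr + struct.pack("!H", port)

def parse_reply(data: bytes) -> str:
    """Map the first bytes of a SOCKS5 reply (VER, REP, ...) to a status."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return REPLY_CODES.get(data[1], f"unknown code {data[1]}")

def probe(dest_host, dest_port, proxy=("localhost", 1024), timeout=10.0):
    """Ask the proxy to CONNECT to dest; return the proxy's verdict."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")            # greeting: offer "no auth" only
        if s.recv(2) != b"\x05\x00":
            raise ConnectionError("listener is not an open SOCKS5 proxy")
        s.sendall(build_connect_request(dest_host, dest_port))
        return parse_reply(s.recv(10))

if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder for the router's internal IP.
    print(probe("192.0.2.1", 80))
```

A "succeeded" result means the SSH server could reach the destination; a connection error from `probe` itself means nothing is listening on the local port, usually because the PuTTY session is not logged in.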
54 Comments
Daniel V · December 11, 2011 at 10:19 pm
Excellent article.
It worked perfectly !
For those who want to sometimes proxy and sometimes not, one solution is to configure the SOCKS proxy on only one browser. I have configured my Internet Explorer with Proxy and my Firefox without, it makes the switch easy.
NOTE: This is not said in the article, because it is pretty obvious, but PUTTY needs to be launched, and THE LOGIN ON THE REMOTE MACHINE MUST BE MADE AND SUCCESSFUL, before the tunnel will work
Insert Real Name · November 2, 2012 at 6:31 pm
Firefox users need only set up a separate, *non-default* Firefox profile that is already configured to use the SOCKS proxy, and then use a separate shortcut that starts Firefox with that non-default profile: firefox.exe -no-remote -P "SOCKS Profile"
The “-no-remote” option allows starting multiple instances of the same Mozilla product at once: http://kb.mozillazine.org/Opening_a_new_instance_of_Firefox_with_another_profile
jamie · February 20, 2013 at 2:49 pm
to quickly check if your tunnel is successful, just go to one of the many “what is my ip” websites. you should see the IP of your tunnel far side endpoint.
probably good to test before you surf porn at work.
son_of_ · June 4, 2013 at 8:57 pm
AWESOME BRO THANK YOU!
GodLikeMouse · June 5, 2013 at 5:51 am
No problem, glad to help.
Martin B · September 13, 2013 at 9:14 am
Brilliant! It works like a charm! Seems a lot less messy than VPN for accessing device GUIs on the remote LAN. Thanks for your posting!!!
godlikemouse · September 13, 2013 at 9:26 am
No problem, glad to help.
Charles · September 13, 2013 at 9:41 pm
Hey I wanted to thank the OP for this post. It really helped me. I needed a cheap VPS to login to paypal and youtube. I found one but since it was un-managed with no remote desktop access, I wasn’t sure what to do. This helped tremendously. Also there is a youtube video to help with the profiles setup real fast, it’s [youtube.com/watch?v=pA1Q5a43QB8]. Thanks again for the awesome, detailed post.
Bob · September 27, 2013 at 8:34 pm
awesome tutorial – Thank you!
godlikemouse · September 28, 2013 at 5:07 pm
You’re very welcome.
Stathis · October 23, 2013 at 5:43 am
Great article! Additionally, if you are running a local server on the ssh machine, you should clear the “No proxy for: localhost, 127.0.0.1”. This way I was able to develop with flask on a remote machine but browse the results from my local machine with firefox! Awesome stuff..
Anyonymous · January 7, 2014 at 2:17 pm
Excellent article!! I have spent all day working with a hosting environment and they could not answer this. Great Job!!
godlikemouse · January 7, 2014 at 3:55 pm
Glad it helped 🙂
Sgreene · June 4, 2014 at 10:14 am
This is genius. No idea how it works but I really appreciate it.
sriram r · December 17, 2014 at 6:36 pm
Excellent writeup – Simple and easy VPN! Thanks a ton
Dinesh · December 21, 2014 at 8:42 am
Do you know what’s the equivalent command line for it?
I tried the below. I want to use tunneling on 192.168.1.110, is the below command correct?
ssh -C -D 1080 192.168.1.110
And what should go to my proxy setting of my client ?
Dinesh · December 21, 2014 at 8:43 am
Note : I want to create the tunnel and use it on same device..
godlikemouse · January 6, 2015 at 11:44 am
I believe you can do something like the following: ssh -L [port:host:hostport]
For example: ssh -L 1080:192.168.1.110:80
Dinesh · January 6, 2015 at 7:58 pm
Tried it, it didn’t work. The command should be like the one below, but it didn’t work.
ssh -L 1080:192.168.1.110:80 root@192.168.1.110
godlikemouse · January 7, 2015 at 12:44 pm
What do you see when you try to open your browser to http://192.168.1.110:1080?
Dinesh · January 7, 2015 at 6:42 pm
There is no browser running on that univ device, it’s a headless server.
godlikemouse · January 13, 2015 at 9:49 am
Right, but you are trying to browse through port forwarding on that device, correct? If so, what error are you getting when you try to browse through it?
Dinesh · January 13, 2015 at 9:55 am
I’m not trying to browse, I can’t, it’s a headless device. In short, I wanted to run the torrent client to use ssh tunneling using only one device.
godlikemouse · January 13, 2015 at 9:59 am
Ah, that’s where the confusion came from. This article was originally written to describe how to browse the web through an ssh tunnel. I’m not quite sure what it is you’re trying to do. If you have a single device, you should be able to directly ssh into the device and perform whatever manipulations or commands you need directly.
Dinesh · January 13, 2015 at 9:57 am
I just want the torrent client to run using tunneling but use the same device for torrenting and tunneling.
godlikemouse · January 13, 2015 at 10:01 am
You might want to try setting up a GUI-less torrent client and run it on your remote server. Or if you’re just trying to protect your IP and remain anonymous while torrenting, it will take quite a bit more effort. I’m sure you can find something online if that’s the case, but it will be a bit more than just ssh port forwarding.
Dinesh · January 13, 2015 at 10:06 am
I’m already running a gui less client rtorrent but I guess it’s not easy to do so
peter · November 10, 2015 at 6:04 pm
I try ssh connection with putty, but I have an error message from putty. The message looks like this: “network Error:Connection Timed out”. Can you tell me what is the problem???? thanx be 4
godlikemouse · November 10, 2015 at 8:23 pm
Hi Peter,
Looks like you have a problem with your connection credentials. Make sure you can establish a connection using putty and that you can issue a few terminal commands before trying to use a browser.
peter · November 10, 2015 at 8:51 pm
i just only can access one website. i want to access more….. can you give a something that i can do it.
godlikemouse · November 10, 2015 at 9:04 pm
Sorry, I’m not sure there is anything I can do to help. You’ll need to figure out the connection part before you can proceed. Unfortunately that’s completely custom to your infrastructure.
from 4world · November 12, 2015 at 1:35 am
Hello,
Your tutorial is great but I have one question about SSH. I am using putty and I am connecting to the 192.168.3.99 IP and that tunnel has two IPs. One is the mentioned 192.168.3.99 and the second is 192.168.1.43. How to make it so that my firefox will be using not 192.168.3.99 but 192.168.1.43?
godlikemouse · November 12, 2015 at 6:59 am
Hi from 4world,
I’m not sure I understand your question. If your tunnel has two IPs then I’m assuming the IPs you’ve listed are the head and tail of the tunnel itself (ie. the entry node and exit node of your tunnel). If this is the case then you don’t need to worry about it, your exit node will drop you off (if the tunnel is configured correctly) in the target network. However, if you’re trying to say that the end point of your tunnel is allowing access to a machine with 2 interfaces on it (192.168.3.99 and 192.168.1.43), then once again it shouldn’t matter as long as you’ve specified the correct interface to connect to. Lastly, if you’re connecting through a tunnel that has a single head and multiple end nodes (ie, let’s say your tunnel starts at 192.168.1.50 and has two exit nodes 192.168.3.99 and 192.168.1.43) then you should be able to specify which exit node to use somehow. Which of these scenarios is yours?
from 4world · November 12, 2015 at 9:00 am
Thanks for the fast answer. My scenario will be that my tunnel starts at 192.168.3.99 and has two exit nodes 192.168.3.99 and 192.168.1.43 and by default firefox is using 192.168.3.99, so I want firefox to be using 192.168.1.43.
The problem is that my friends can only reach 192.168.3.99. They can ping 192.168.3.99 and can’t ping 192.168.1.43.
godlikemouse · November 12, 2015 at 9:13 am
Hi from 4world,
It sounds like you may have a configuration problem. If your start and exit tunnel nodes have the same IP address then the router may not be forwarding the requests to the correct adjacency. You may want to try changing the IP address of the tunnel exit node to something other than 192.168.3.99 and see if that resolves the issue. If that proves to not be the issue, then you may want to try verifying the routing tables of the start and end nodes to make sure that your gateways are configured correctly and that 192.168.1.43 is reachable from the 192.168.3.99 network. Trace routing may also help diagnose what’s going on.
4world · November 12, 2015 at 10:52 am
yes, I want to change IP address of the tunnel exit node to something other than 192.168.3.99. I want that exit will be 192.168.1.43
So how to do this?
godlikemouse · November 12, 2015 at 12:35 pm
Hi from 4world,
To do this, you’ll need to change the IP configuration of the exit router. I don’t think it’s a putty configuration issue, I think it’s a network configuration issue. You can verify this by checking the routing tables of the tunnel’s head router and see where it’s routing packets destined for the 192.168.1.43 network.
from 4world · November 12, 2015 at 11:37 pm
I think that is impossible. So the tunnel starts from a computer and that computer has two network accesses; the accesses are from different routers, even from different gateways. The first network is 192.168.3.99 and all my colleagues can see this IP because it is the inside office IP; the other IP, 192.168.1.43, is the outside IP and only I can use this network source. On that computer I am using the ForceBindIP program, with Firefox using the 3.99 IP and chrome using the 1.43 IP.
So, maybe there are some ways that at the end of the tunnel my colleagues will be using ForceBindIP and they can select IPs from SSH? 🙂
godlikemouse · November 13, 2015 at 1:37 pm
Hi from 4world,
Perhaps, but unfortunately I don’t really have any experience with ForceBindIP and I’m unfamiliar with your network layout. I’m sure though that if you start tracing the packets you’ll find out what’s going on and will hopefully find a fix for it.
Vikram Shekhar · November 16, 2015 at 2:04 am
Thanks much, you made my life one step easy 🙂
godlikemouse · November 16, 2015 at 7:08 am
Sure thing.
Mohammad · November 27, 2016 at 2:35 pm
I’ve been trying to find a solution for this for over a month. Your way is very simple and effective. Thank you a million!
godlikemouse · December 2, 2016 at 1:31 pm
Great! I’m glad it helped 🙂
Sajjad dehghani · March 1, 2017 at 12:57 am
It’s very nice,
You saved my time.
Thanks man.
godlikemouse · March 1, 2017 at 5:41 am
Glad it helped 🙂
JAN · May 14, 2017 at 5:20 am
THANK YOUUUUUUUUU! VERY NICE ARTICLE
godlikemouse · May 14, 2017 at 6:37 am
You’re welcome.
DonChino · August 8, 2017 at 4:41 pm
Make sure you check the box next to:
Proxy DNS when using SOCKS v5
Otherwise, all your URL requests will be known, so although they might not see the content they will know where you were going and this might be a problem at work or elsewhere… 🙂
Paul Atreides · March 23, 2020 at 5:05 pm
Incredible, simple to the point and it works, thanks!!!!!!!!!!!!!!!!!
Ilix Root · May 19, 2022 at 10:10 am
What I have to do, if I want to use port 2222 instead of 22 for SSH connection?
My environment:
remote ssh server on 22 behind firewall NAT from 2222 to 22 (I could work on SSH from remote on 2222).
When I try to tunnel my browser with proxy setting on that ssh (2222) using dynamic port on 17222 it doesn’t work. It works if I use 22 on remote system.
godlikemouse · May 19, 2022 at 12:57 pm
Hi Ilix,
Have you confirmed that you can ssh directly to your NAT endpoint of 2222 and that it routes correctly to port 22 on the destination machine? If that doesn’t work, then the configuration issue is probably with the NAT. If that does work, then make sure your browser SOCKS configuration and local environment match the correct ports. Hope this helps.
IlixRoot · May 21, 2022 at 3:12 am
Yes, I can ssh directly to my NAT endpoint of 2222 and it routes correctly to port 22 on the destination machine, as I said. I ssh on the server often. I only cannot use that connection as proxy (tunnel 80 and 443 on ssh). I don’t understand why.
My config:
SSH/Tunnel: D17222
On my browser I set localhost:17222 as proxy (the same I do with other SSH server but on port 22)
it is so easy, I couldn’t avoiding sharing it: Browsing The Web Through An SSH Tunnel (Putty / Firefox / Opera) | Do not reboot · November 12, 2012 at 3:29 pm
[…] http://www.godlikemouse.com/2011/08/03/browsing-the-web-through-an-ssh-tunnel-putty-firefox/ "I needed a way to get inside my work firewall from home. There was a DMZ linux machine that I […]
Browsing The Web Through An SSH Tunnel (Putty / Firefox) | Daniel Cenáculo's Blog · July 31, 2017 at 6:45 am
[…] Browsing The Web Through An SSH Tunnel (Putty / Firefox) […]