[Howto] Dynamic port-forwarding (SOCKS proxy/SSH tunnel)

Report your issues here

[Howto] Dynamic port-forwarding (SOCKS proxy/SSH tunnel)

Postby pacco » Mon Apr 14, 2014 5:58 pm

So I just noticed that the latest release of Remoter 4.6.01 adds support for the SSH module to do dynamic port-forwarding. What this adds is the ability to open an ssh tunnel to a remote server and have have it act as a SOCKS proxy -- in effect, giving you a pseudo-VPN.

What can you do with this?

Say you have an OpenSSH server (with tcpfowarding enabled), you can now use Remoter's SSH module to open a tunnel using 'D:127.0.0.1:8080' and have it act as a SOCKS proxy. You could then, for example, use a web-browser and set it to point to the SOCKS proxy and access internal resources that lies behind the OpenSSH server.

This is a fairly well-known and not-very-new trick in the desktop world. (Google 'putty firefox socks' for more info). However, for some time I've been looking for a way to do this on my iPad. Not many SSH iPad clients supports this dynamic port-forwarding/SOCK feature -- in fact, to Remoter is only the second iOS app I've found that does so.

The next tricky part is finding an iOS browser that has SOCKS proxy support. I've only found one that works:

https://itunes.apple.com/us/app/proxy-b ... 27SBX5E8WU

[This is a non-free app and I have no connection with the developer(s). Found it by chance in the App Store]

Configure this browser's proxy to match the remote tunnel's IP and port (e.g., 127.0.0.1:8080) and you can now browse sites behind your OpenSSH server.

Other notes:

- iCab is another browser that offers SOCKS proxy support, unfortunately it doesn't work with the aforementioned SSH tunnel/proxy setup. (If you know of any others browsers that do, please post your results)
- Will only pass TCP traffic (as that is what OpenSSH tunnels supports)
- The amount of time that Apple will allow a server-process to remain in the background is severely constrained to only a few minutes before having to return to the SSH app (even more so with iOS7, I've heard). As such, this method is likely not as useful as a full-blown VPN, but it still is a nice technique if you need to remote administer systems with a browser and only have SSH access.
- Not sure if this is the appropriate place for a product request but one I wonder if it would be possible to add a builtin web-browser to Remoter that specifically supports the SSH-based SOCKS proxy it creates? That would solve the background timeout issue.

Hope this is useful to someone. Thanks again to Raf for adding this feature.
-Pacco
pacco
 
Posts: 9
Joined: Wed Mar 16, 2011 2:58 pm

Re: [Howto] Dynamic port-forwarding (SOCKS proxy/SSH tunnel)

Postby pacco » Thu Jun 26, 2014 3:13 am

Hi,

Apologies -- I don't frequent this forum all that often and didn't see your post until now. Pls read my closing comments at the end as to why I'm not so keen on this method after using it for a while now.

The method I described is based on OpenSSH's ability to emulate a SOCKS proxy through an SSH tunnel, giving it pseudo-VPN capability. This is a fairly well-documented procedure on other platforms (pls google 'dynamic port foward ssh socks' for many references/tutorials). However, to do so on iOS using Remoter requires three things:

- A SSH server that supports this dynamic-forwarding/SOCKS proxy feature, which probably means OpenSSH, configured so that the 'TcpForwarding' feature is enabled in the sshd_config file (Sorry, I really am not that familiar with running an SSH server on a Windows platform, so I don't know if other SSH server implementations readily supports the SOCKS proxy feature). I do know I've gotten it to work with the cygwin version of OpenSSH.

- Enabling a dynamic tunnel in Remoter by creating an SSH session. (This is a relatively new feature for Remoter, but has been in the Putty codebase for a while). Simply put 'D:127.0.0.1:8080' in one of the available SSH tunnel fields.

- A iOS browser that supports the use of a SOCKS5 proxy. This was actually the hardest piece to find and to date, the only browser I've found that works is the one mentioned in my original post. The thing is -- it's not really that great of a browser, particularly for a paid app. Anyway, in the proxy setup of the browser, set the server to 127.0.0.1 and the port to 8080 and enable SOCKS5. [The browser must support SOCKS5 so that DNS queries are also sent through the tunnel besides the web traffic itself]

After that, with the SSH tunnel running, you should be able to browse anything that your OpenSSH server on the other end can access.

Updated view: After using this setup for a while now, I don't know if I could honestly recommend it to anyone largely due to Apple's limit on how long background network connections can be maintained. (Again, this is in no way the Remoter app's fault). Also, there really aren't any decent browsers on iOS that support the use of a SOCKS proxy in this way. The one mentioned does work, but I used it reluctantly as there were no other options.

[Edited to remove statements that were redundant to my first post]
pacco
 
Posts: 9
Joined: Wed Mar 16, 2011 2:58 pm

Re: [Howto] Dynamic port-forwarding (SOCKS proxy/SSH tunnel)

Postby customer-72319 » Thu Dec 04, 2014 10:22 am

pacco wrote:Also, there really aren't any decent browsers on iOS that support the use of a SOCKS proxy in this way. The one mentioned does work, but I used it reluctantly as there were no other options.

I'm sorry, but that is plain BS.
ANY iOS app uses a SOCKS proxy, if told so, at least in iOS 5.1.1 (blame Apple if they removed that).
I do that since ages, all it takes is a web server where you put a proxy.pac file to be downloaded/read and put that URL into auto config.


P.S. Maybe different in higher iOSes or /w 3/4G but as you generalized I did so too :p
customer-72319
 
Posts: 5
Joined: Thu Dec 04, 2014 7:54 am


Return to Support

Who is online

Users browsing this forum: No registered users and 17 guests

cron
cron