by Alexandre Alapetite on 2012-07-01; updated 2012-07-06

SSH tunnel for HTTP(S)

How to set up an SSH tunnel for HTTP(S) instead of a VPN or proxy, in order to change IP, to get IPv6, to secure a Web connection, or to compress data


No VPN available

I have migrated my personal Linux server (mainly Web) on a virtual machine based on OpenVZ, which VPN functions have been disabled by my hosting company (OVH Virtual KS).
Furthemore, I did not succeed in getting satisfying IPv6 via VPN with my previous server. VPN is thus not an option.
Classical HTTP proxys are not an option either because they do not handle DNS requests, and not always HTTPS.

A need to change IP for Web browsing

As I am in Denmark while writing these lines, a country currently without any IPv6 possibility for private houses, I need a kind of tunnel when in need of IPv6, as well as a French IP as required by some non-neutral online services. It also allows circumventing some filters, and to ensure a better confidentiality in some circumstances.

Solution with SSH

The solution presented in this article has a goal of being as simple as possible, while relying solely on mainstream free software. This is based on standards such as SSH, and SOCKS version 5 (in order to support UDP for DNS requests, and IPv6). This requires:

  1. A (Linux) server with SSH access
  2. An SSH client to establish a tunnel (available for Linux, Windows, Android…)
  3. A Web browser supporting SOCKS 5, like Firefox


Setting up the SSH server

Everything starts with a physical or virtual machine, to which you have an administrator or at least SSH access. This machine must have an Internet access that is more desirable than at the other side of the tunnel (for instance in terms of confidentiality, of geographical location of the IPv4 or IPv6 address, or access to some private networks).

Note your username as well as the address of the server, in order to provide this information during the following steps at the format you@your-server.example.

SSH server on Linux with OpenSSH

A majority of affordable Web servers for rent run Linux, and the majority of Linux distributions (Debian, Ubuntu, Gentoo, Red Hat, Mandriva…) include an OpenSSH server out-of-the-box, in which case everything is ready, and no or little configuration is necessary:


# This is also the default value
AllowTcpForwarding	yes

Tested on Ubuntu 12.04.


Setting up the SSH client

It is then necessary to establish an SSH tunnel from your client. I present below a simple approch for 3 different platforms (Linux, Windows, Android), and it suffices to follow the one matching your case.
I use the local port 8081, but you can change it and pick any value between 1024 and 65535, while avoiding the most used ports.

To close an SSH session from the client, type [Ctrl]+[D], or:


SSH client for Linux with OpenSSH

For those on Linux, use OpenSSH (which is pre-installed in the majority of cases) with the following command:

ssh -D 8081 you@your-server.example

Appropriate for slow connections, it is possible to activate data compression:

ssh -D 8081 -C you@your-server.example

Some other options can tune the use of the tunnel (f, n, N, q, T). Refer to the documentation:

man ssh

Tested on Ubuntu 12.04.


SSH client for Windows with PuTTY

For those on Microsoft Windows, PuTTY is the software to choose.

In the tab “Session”, type the address of the server. Then in the area “Connection / SSH / Tunnels”, add the port 8081 in dynamic mode.
Appropriate for slow connections, it is possible to activate data compression in “Connection / SSH”.

[PuTTY session] [PuTTY tunnel] [PuTTY compression]

Then connect by clicking on the “Open” button.
Tested with PuTTY 0.62 on Windows 7 and Windows 8.


Client SSH for Android with ConnectBot

For those on Google Android, ConnectBot – which is available on Android Market / Google Play – is the needed application.

At start-up, add a server at the format you@your-server.example, and then disconnect. With a long click on the new line representing your server, select “Edit port forwards”, and then the menu button, then “Add port forward”.

Fill-in the form as visible on the screenshot below, with whatever name in “Nickname”, “Type” Dynamic (SOCKS), “Source port” 8081, and empty “Destination”.

[ConnectBot forward port]

It is possible to enable data compression with a prolonged click on the line representing your server, then “Edit host / Compression”.

Then connect again, and let ConnectBot run in the background by pressing the Android home button.
Remember to close your connection and quit ConnectBot when you do not need it anymore.

Tested with ConnectBot 1.7.1 on Android 4.0.3.


Setting up the Web browser

I picked up Mozilla Firefox as the Web browser in this setup, as it is the only one to support SOCKS 5 with the needed settings by default, without any extension necessary. Furthermore, this approach works the same on Firefox for desktop (Windows, Linux), and Firefox Mobile (Android).

Browse to the advanced parameters via about:config, search network.proxy, and put the following values:

network.proxy.socks (Local address of the tunnel)
network.proxy.socks_port (Local port of the tunnel)
network.proxy.socks_remote_dns (Use the tunnel also for DNS requests)
network.proxy.type (Manual configuration. Set to 0 to go back to automatic and disable the proxy)

Example for Firefox Mobile on Android:
[Firefox Proxy Android]

In order to avoid having to change these settings manually and to keep coherent cookies, I use a Web browser dedicated to this configuration with a tunnel, and another Web browser for normal surf. On Android, I use Firefox Mobile beta to play this role.



Et voilà !
You can now access the Web with your server’s IP, and with a secured link between your client and your server.

For Web browsing (HTTP), SSH tunnels are a light, easy, and efficient alternative to VPN (heavier and not always possible) and HTTP proxys (which do not include DNS and not always HTTPS), in particular as a temporary solution for a single user.
This solution may be used without administrative rights on the client machine, and the needed software can be found in USB version if necessary.



If you expect an answer or to report a problem, favour contacting me by e-mail.

object: View comments