ssh tunnel 上网-阿里云开发者社区

开发者社区> 开发与运维> 正文

ssh tunnel 上网






(2)在tk的注册机构里,设置abc123.tk的NS服务器为你自己的主机(最好是Linux VPS),例如:     IN  NS  IN  A

(3)在74.81.81.81上,以root身份运行一个Perl脚本(这个脚本来自Dan Kaminsky的OzymanDNS包):

./ -i

上述脚本会侦听在UDP 53端口,接受DNS请求,并且只解析abc123.tk域。


ssh -ND 7070 -o ProxyCommand=”./” user@localhost

上述ssh命令,-ND 7070表示在本机打开7070的socks 5代理端口。droute.pl是DNS隧道的客户端工具,同样来自于OzymanDNS包。sshdns是固定的主机名,加在域名abc123.tk前面。user是你在74.81.81.81上的登录名字,@localhost是固定的,不需要改(因为隧道过去后,就是74.81.81.81本机)。

运行上述ssh命令后,会提示输入密码。输入正确密码后,就和远程主机建立了ssh连接,获取到一个SSH终端。并且,在本机打开了7070的socks 5代理端口。配置浏览器使用这个代理端口,开始享受免费冲浪吧!




Tunnel Everything through SSH

This site remains here for legacy reasons and will not be updated! All the other articles are probably still available but not linked any more. Start page.

In this Tutorial I'll cover how you can tunnel any TCP traffic through an encrypted SSH connection or a SOCKS server, even if a certain program doesn't support proxying of connections natively.

The only requirement for SSH tunneling to work is a shell account on a machine connected to the internet (and, optionally, a HTTP Proxy server). I will refer to this account as your server (it doesn't matter if you may not become root).

Tunneling HTTP

In case you just want to tunnel HTTP traffic (to surf safely, to let the request appear to originate from a different IP and/or to not disclose HTTP clear text passwords to your LAN) best practise is to set up Privoxy on your server. By default, Privoxy binds to (thus only allowing connections from localhost), which is good for us. No configuration must be done for this.

The next step is to establish a tunnel from your computer to your server's Privoxy. That is done with the following SSH command:

ssh -NL 8118:localhost:8118 user@server

This command opens a tunnel on your computer: All connections to port 8118 will be forwarded (encrypted, of course) over the SSH connection and come out at your server's port 8118 (where Privoxy is running).

Once you have established the connection you will want to edit your browser's proxy settings accordingly. Just set the HTTP (and, with some browsers, the HTTPS) proxy to localhost, port 8118.


The great advantage over SOCKS tunneling (see below) is, that even the DNS requests are made from your server. No-one on your LAN can gather information on what kind of site you're surfing. Another advantage is that Privoxy already filters out some advertisements and removes sensitive headers from your requests.

Tunneling Arbitrary Protocols (Dynamic Forward/SOCKS)

If you want to tunnel not just HTTP traffic but arbitrary other TCP protocols as well, a HTTP Proxy isn't adequate any more. Instead, you'll have to set up a SOCKS proxy. That also is possible with SSH:

Setting up the SSH proxy

Setting up the SSH SOCKS proxy is really easy. On your computer, just enter the following command:

ssh -ND 3333 user@server

That command establishes a connection to your server, logs in as user user (you'll have to enter your password though, of course) and then starts a little SOCKS proxy on your server.

On your computer, all connections to port 3333 will be forwarded over the secure SSH channel and will then be forwarded by the proxy to their destination.

Now you'll have to configure the program you want to connect through that tunnel to use localhost, port 3333 as it's SOCKS server (if you have the choice, select SOCKS version 5).

Not many programs support SOCKS proxy forwarding natively (hardly any CLI programs). But there is a workaround for that: tsocks. It enables arbitrary programs which don't support the SOCKS protocol natively to establish connections via a SOCKS server.

How tsocks works

On your computer, install the tsocks program.

I won't go into detail about how this program works, but it basically does the following:

  • Before the actual program is loaded tsocks loads its own shared library.
  • This library overwrites the kernel's connect() function and replaces it with its own.
  • Whenever the program tries to send a request the request is forwarded through your proxy server (and then over the secure tunnel).

All this is done through setting the environment variable LD_PRELOAD to /usr/lib/

The tsocks program itself is just a simple shell wrapper script. All the actual redirecting stuff is done via the library.

Editing the /etc/tsocks.conf

Now you'll have to edit the file /etc/tsocks.conf to relay all connections through your proxy. Open the file and delete all lines. Then enter just the following two lines:

server =
server_port = 3333

If you may not become root ...

... just enter the two lines from above into a file called .tsocks.conf and place it in your home directory. Then, write a little shell script:


exec tsocks "$@"

I call this script viaservername. Place this script in a directory contained in your $PATH and make it executable.

Tunneling Connections

For programs who natively support proxying connections (e.g. Mozilla Firefox) you can now set the proxy address to localhost port 3333. I don't recommend to do that for browsers; instead, use HTTP tunneling (see above).

All other programs which's connections you want to tunnel through your server are prefixed with tsocks. This would look like some of the following program calls (if you wrote a shell script, use that instead of tsocks):

tsocks dog
tsocks netcat 80
tsocks irssi -c -p 6667

If you call tsocks without parameters it executes a shell witht the LD_PRELOAD environment variable already set and exported. That means that every program called from this shell will be redirected through the external server and every subsehll started from this shell will also have the LD_PRELOAD variable set. So if you started tsocksdirectly after logging in all your traffic would be redirected through your external server.


$ cat =myip
lynx -dump

$ ssh -fND 3333 xxx@feh  # -f: goes to background after prompting for password's password:

$ IP=`myip`; host $IP
Address: 84.143.XXX.XXX

$ IP=`tsocks myip`; host $IP
16:15:23 libtsocks(26802): Call to connect received on completed request 3

Have fun!



+ 订阅