
Browsing The Web Through An SSH Tunnel (Putty / Firefox)

Foreword

I needed a way to get inside my work firewall from home.  There was a DMZ Linux machine that I could SSH to, but no VPN available.  What I really needed was a way to configure the router/firewall, but the only way to do that was to be on the internal network and browse to it using a browser.  Trying text-based browsers didn’t work; the only way to access and administer the router was to use a full-featured browser from behind the firewall itself.  To make a long story short, I figured out how to do it using Putty and Firefox, and this is how you do it.

Getting Started

First things first, make sure you have Putty and Firefox installed.  Next you’ll want to be able to establish an SSH connection to a remote server using Putty.  For example, launch Putty, enter the host name or IP and make sure you can connect and log in.  Once you have that, you’re ready to set up the SSH tunnel and browse through it.

Configuring The SSH Tunnel

Now open Putty and enter the hostname or IP of the machine you want to establish a remote connection to.  Next, under Connection->SSH->Tunnels, find the radio buttons under the Destination field and make sure Dynamic is selected.  Then, under Add new forwarded port:, enter a source port.  For this example let’s use 1024: enter it in the Source port field and click the Add button.  You should see a value in the Forwarded ports: list that reads D1024.  That’s all there is to the Putty side of things.  Next go back to the Session area and save the current configuration as a saved session if you’d like, then Open the SSH connection.

 

Configure Putty

Configuring Firefox

Now, launch Firefox, select Tools->Options and click the Advanced tab. Within the Advanced tab, click on the Network tab and click the Settings button.

 

Network Options

Within the Network Settings dialog, select the Manual proxy configuration radio button and enter the following for the SOCKS Host: and Port:

SOCKS Host: localhost

SOCKS Port: 1024

 

Connection Settings

Click OK on the Settings dialog, then click OK on the Options dialog. Now you should be good to go.  Enter a new URL in the Firefox address bar and you’ll be browsing from the remote end of the SSH connection.
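To confirm the tunnel works before pointing a browser at it, the following added example (not part of the original article) speaks SOCKS5 directly to the listener Putty opened on port 1024. It also shows which end resolves names: only the hostname form of the request keeps the DNS lookup inside the tunnel. The target `router.internal.example` is a placeholder, and 127.0.0.1 is assumed for localhost.

```python
import ipaddress
import socket
import struct

# Reply codes from RFC 1928, section 6.
REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed",
           3: "network unreachable", 4: "host unreachable",
           5: "connection refused"}

def connect_request(host, port):
    """Build a SOCKS5 CONNECT request for an IP literal or a hostname."""
    try:
        addr = ipaddress.ip_address(host)
        atyp = b"\x01" if addr.version == 4 else b"\x04"
        dst = atyp + addr.packed
    except ValueError:
        name = host.encode("idna")           # hostname travels to the proxy as-is
        dst = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + dst + struct.pack("!H", port)

def resolved_by(request):
    """Which end does name resolution: 'proxy' for ATYP 3, else 'client'."""
    return "proxy" if request[3] == 3 else "client"

def parse_reply(header):
    """Decode the first 4 bytes (VER, REP, RSV, ATYP) of a SOCKS5 reply."""
    if len(header) < 2 or header[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return REPLIES.get(header[1], "error code %d" % header[1])

def _read(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def probe(target, port=80, proxy=("127.0.0.1", 1024)):
    """Ask the tunnel's SOCKS listener to connect to target:port."""
    with socket.create_connection(proxy, timeout=5) as s:
        s.sendall(b"\x05\x01\x00")            # greeting: offer "no authentication"
        if _read(s, 2) != b"\x05\x00":
            raise ConnectionError("listener did not accept SOCKS5 without auth")
        s.sendall(connect_request(target, port))
        return parse_reply(_read(s, 4))

if __name__ == "__main__":
    print(probe("router.internal.example"))   # placeholder name, resolved remotely
```

A "succeeded" reply means the remote SSH host could reach the target; "host unreachable" or "connection refused" points at the far-end network rather than at Putty or the browser.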

53 Comments

  1. What do I have to do if I want to use port 2222 instead of 22 for the SSH connection?
    My environment:
    remote ssh server on 22 behind firewall NAT from 2222 to 22 (I could work on SSH from remote on 2222).

    When I try to tunnel my browser with proxy setting on that ssh (2222) using dynamic port on 17222 it doesn’t work. It works if I use 22 on remote system.

    1. Hi Ilix,

      Have you confirmed that you can ssh directly to your NAT endpoint of 2222 and that it routes correctly to port 22 on the destination machine? If that doesn’t work, then the configuration issue is probably with the NAT. If that does work, then make sure your browser SOCKS configuration and local environment match the correct ports. Hope this helps.

  2. Make sure you check the box next to:
    Proxy DNS when using SOCKS v5

    Otherwise, all your URL requests will be known, so although they might not see the content they will know where you were going and this might be a problem at work or elsewhere… 🙂

  3. I’ve been trying to find a solution for this for over a month. Your way is very simple and effective. Thank you a million!

  4. I tried an SSH connection with Putty, but I get an error message from Putty. The message looks like this: ” network Error:Connection Timed out ”. Can you tell me what the problem is? Thanks before.

    1. Hi Peter,

      Looks like you have a problem with your connection credentials. Make sure you can establish a connection using putty and that you can issue a few terminal commands before trying to use a browser.

        1. Sorry, I’m not sure there is anything I can do to help. You’ll need to figure out the connection part before you can proceed. Unfortunately that’s completely custom to your infrastructure.

    2. Hello,

      Your tutorial is great but I have one question about SSH. I am using Putty and I am connecting to the 192.168.3.99 IP, and that tunnel has two IPs. One is the 192.168.3.99 I mentioned and the second is 192.168.1.43. How do I make it so that my Firefox uses 192.168.1.43 and not 192.168.3.99?

      1. Hi from 4world,

        I’m not sure I understand your question. If your tunnel has two IPs then I’m assuming the IPs you’ve listed are the head and tail of the tunnel itself (ie. the entry node and exit node of your tunnel). If this is the case then you don’t need to worry about it, your exit node will drop you off (if the tunnel is configured correctly) in the target network. However, if you’re trying to say that the end point of your tunnel is allowing access to a machine with 2 interfaces on it (192.168.3.99 and 192.168.1.43), then once again it shouldn’t matter as long as you’ve specified the correct interface to connect to. Lastly, if you’re connecting through a tunnel that has a single head and multiple end nodes (ie, let’s say your tunnel starts at 192.168.1.50 and has two exit nodes 192.168.3.99 and 192.168.1.43) then you should be able to specify which exit node to use somehow. Which of these scenarios is yours?

        1. Thanks for the fast answer. My scenario is that my tunnel starts at 192.168.3.99 and has two exit nodes, 192.168.3.99 and 192.168.1.43, and by default Firefox is using 192.168.3.99, so I want Firefox to use 192.168.1.43.

          The problem is that my friends can only reach 192.168.3.99. They can ping 192.168.3.99 and can’t ping 192.168.1.43.

          1. Hi from 4world,

            It sounds like you may have a configuration problem. If your start and exit tunnel nodes have the same IP address then the router may not be forwarding the requests to the correct adjacency. You may want to try changing the IP address of the tunnel exit node to something other than 192.168.3.99 and see if that resolves the issue. If that proves to not be the issue, then you may want to try verifying the routing tables of the start and end nodes to make sure that your gateways are configured correctly and that 192.168.1.43 is reachable from the 192.168.3.99 network. Trace routing may also help diagnose what’s going on.

          2. Yes, I want to change the IP address of the tunnel exit node to something other than 192.168.3.99. I want the exit to be 192.168.1.43.

            So how do I do this?

          3. Hi from 4world,

            To do this, you’ll need to change the IP configuration of the exit router. I don’t think it’s a putty configuration issue, I think it’s a network configuration issue. You can verify this by checking the routing tables of the tunnel’s head router and see where it’s routing packets destined for the 192.168.1.43 network.

          4. I think that is impossible. The tunnel starts from a computer and that computer has two network accesses; the accesses are from different routers, even from different gateways. The first network is 192.168.3.99 and all my colleagues can see this IP because it is the inside office IP; the other IP, 192.168.1.43, is the outside IP and only I can use this network source. On that computer I am using the ForceBindIP program, with Firefox using the 3.99 IP and Chrome using the 1.43 IP.

            So, maybe there are some ways that at the end of the tunnel my colleagues can use ForceBindIP and select IPs from SSH? 🙂

          5. Hi from 4world,

            Perhaps, but unfortunately I don’t really have any experience with ForceBindIP and I’m unfamiliar with your network layout. I’m sure though that if you start tracing the packets you’ll find out what’s going on and will hopefully find a fix for it.

    1. You might want to try setting up a GUI-less torrent client and run it on your remote server. Or if you’re just trying to protect your IP and remain anonymous while torrenting, it will take quite a bit more effort. I’m sure you can find something online if that’s the case, but it will be a bit more than just ssh port forwarding.

  5. Do you know what’s the equivalent command line for it?

    I tried the below. I want to use tunnelling on 192.168.1.110; is the below command correct?

    ssh -C -D 1080 192.168.1.110

    And what should go in the proxy settings of my client?

      1. I believe you can do something like the following: ssh -L [port:host:hostport]

        For example: ssh -L 1080:192.168.1.110:80

          1. Right, but you are trying to browse through port forwarding on that device, correct? If so, what error are you getting when you try to browse through it?

          2. I’m not trying to browse, I can’t, it’s a headless device. In short, I wanted to run the torrent client to use ssh tunneling using only one device.

          3. Ah, that’s where the confusion came from. This article was originally written to describe how to browse the web through an ssh tunnel. I’m not quite sure what it is you’re trying to do. If you have a single device, you should be able to directly ssh into the device and perform whatever manipulations or commands you need directly.

  6. Excellent article!! I have spent all day working with a hosting environment and they could not answer this. Great Job!!

  7. Great article! Additionally, if you are running a local server on the ssh machine, you should clear the “No proxy for: localhost, 127.0.0.1”. This way I was able to develop with flask on a remote machine but browse the results from my local machine with firefox! Awesome stuff..

  8. Hey I wanted to thank the OP for this post. It really helped me. I needed a cheap VPS to login to paypal and youtube. I found one but since it was un-managed with no remote desktop access, I wasn’t sure what to do. This helped tremendously. Also there is a youtube video to help with the profiles setup real fast, it’s [youtube.com/watch?v=pA1Q5a43QB8]. Thanks again for the awesome, detailed post.

  9. Brilliant! It works like a charm! Seems a lot less messy than VPN for accessing device GUIs on the remote LAN. Thanks for your posting!!!

  10. To quickly check if your tunnel is successful, just go to one of the many “what is my ip” websites. You should see the IP of your tunnel’s far-side endpoint.

    Probably good to test before you surf porn at work.

  11. Excellent article.
    It worked perfectly!

    For those who want to sometimes proxy and sometimes not, one solution is to configure the SOCKS proxy on only one browser. I have configured my Internet Explorer with the proxy and my Firefox without; it makes the switch easy.

    NOTE: This is not said in the article, because it is pretty obvious, but PUTTY needs to be launched, and THE LOGIN ON THE REMOTE MACHINE MUST BE MADE AND SUCCESSFUL, before the tunnel will work
