Say you’re working from home on your tiny years-old work laptop right next to this nice and powerful desktop machine plugged into a monitor, your good old keyboard, etc… However, a bunch of services you need to access live on the corp network, and only that work laptop has the right certs and such to VPN to said corp network.
What to do? Luckily, setting up a SOCKS proxy tunnel over SSH is super simple. Simply make sure that the laptop is connected to the VPN, SSH to the machine, bind the SOCKS tunnel to a local port, configure the proxy config and you’re off to the races.
In theory, you could set up the proxy on a per-app basis, but doing so globally on macOS works too. macOS also ships with a small command line utility to tweak the proxy settings, so it’s just a small script away.
#!/bin/bash
PORT=45623
NETWORK_SERVICE="Wi-Fi"
SERVER="my-machine"

# Restore the proxy state on any exit, including Ctrl-C while ssh is running
cleanup() {
  echo "Disabling SOCKS proxy"
  networksetup -setsocksfirewallproxystate "$NETWORK_SERVICE" off
}
trap cleanup EXIT

echo "Enabling SOCKS proxy on $NETWORK_SERVICE with port $PORT"
networksetup -setsocksfirewallproxy "$NETWORK_SERVICE" localhost "$PORT"
networksetup -setsocksfirewallproxystate "$NETWORK_SERVICE" on

echo "SSH connecting to $SERVER"
echo "SSH binding to port $PORT"
ssh -D "$PORT" -N "$SERVER"
networksetup is used to set the system-wide SOCKS proxy client setting to the given port on localhost, in my case for the Wi-Fi network service.
The -D flag can be used to set up dynamic port forwarding so that SSH itself acts as the SOCKS server, as described in the man page:
Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
The -N flag tells SSH not to execute any remote command and to just block until the connection is interrupted. Once it exits, we set the proxy settings back to their original state.
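To make concrete what ssh is doing on that bound port, here is a small SOCKS5 client written for this post (added example, not code from the original article). It performs the exact exchange ssh -D answers: the no-auth greeting, then a CONNECT request that sends the destination as a domain name so the lookup happens on the far side of the tunnel. The port 45623 and the hostname in the test are assumptions taken from the script above.

```python
import socket
import struct
SOCKS_HOST, SOCKS_PORT = "localhost", 45623  # assumed: where the script binds ssh -D
NO_AUTH, CMD_CONNECT = 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def build_greeting():
    # VER=5, one method offered: no authentication, which is what ssh -D speaks.
    return bytes([0x05, 0x01, NO_AUTH])

def build_connect_request(host, port):
    # ATYP=domain: ssh on the far side of the tunnel resolves the name, so the
    # DNS lookup also happens on the corp network rather than on the client.
    name = host.encode("idna")
    if not 0 < len(name) < 256: raise ValueError("hostname length must fit in one byte")
    return bytes([0x05, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def parse_reply_header(head):
    # First four reply bytes: VER REP RSV ATYP. Returns (code, text, atyp).
    if len(head) < 4 or head[0] != 0x05: raise ValueError("not a SOCKS5 reply")
    return head[1], REPLY_TEXT.get(head[1], "unassigned reply %d" % head[1]), head[3]

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk: raise OSError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf

def connect_via_socks5(host, port, socks_host=SOCKS_HOST, socks_port=SOCKS_PORT):
    # Returns a socket connected to host:port through the tunnel, or raises.
    sock = socket.create_connection((socks_host, socks_port), timeout=10)
    sock.sendall(build_greeting())
    if recv_exact(sock, 2) != bytes([0x05, NO_AUTH]):
        sock.close()
        raise OSError("proxy did not accept the no-auth method")
    sock.sendall(build_connect_request(host, port))
    code, text, atyp = parse_reply_header(recv_exact(sock, 4))
    # Drain BND.ADDR/BND.PORT so the caller only ever reads application data.
    addr_len = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(atyp)
    recv_exact(sock, (addr_len if addr_len else recv_exact(sock, 1)[0]) + 2)
    if code != 0:
        sock.close()
        raise OSError("SOCKS5 CONNECT to %s:%d failed: %s" % (host, port, text))
    return sock
```

A tool that uses the system proxy does this same handshake for every connection; one that does not will bypass the tunnel entirely, which is worth checking before relying on the setup.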
And that’s it: run the script, and traffic from every app that honours the system proxy setting is now routed through the laptop and onto the corp network via the VPN.