Say you’re working from home on your tiny years-old laptop, right next to a nice and powerful desktop machine plugged into a monitor, your good old keyboard and so on. However, a bunch of services you need live on the corp network, and only the work laptop has the right certs and such to VPN into said corp network.

What to do? Luckily, setting up a SOCKS proxy over an SSH tunnel is super simple. Make sure the laptop is connected to the VPN, SSH from the desktop to the laptop, have SSH bind a SOCKS listener to a local port on the desktop, point the desktop’s proxy settings at that port and you’re off to the races.

In theory, you could set up the proxy on a per-app basis, but doing it globally on macOS works too. macOS also ships with a small command line utility, networksetup, to tweak the proxy settings, so the whole thing is just a small script away.

#!/bin/sh
PORT=45623
NETWORK_SERVICE="Wi-Fi"
SERVER="my-machine"

# Switch the proxy off whether ssh exits on its own or we hit Ctrl-C. Without the trap an
# interrupted script leaves the system pointing at a port nobody listens on.
cleanup() {
    echo "Disabling SOCKS proxy"
    networksetup -setsocksfirewallproxystate "$NETWORK_SERVICE" off
}
trap cleanup EXIT
trap 'exit 130' INT TERM

# Point the system-wide SOCKS setting for this network service at the port ssh will listen on.
echo "Enabling SOCKS proxy on $NETWORK_SERVICE with port $PORT"
networksetup -setsocksfirewallproxy "$NETWORK_SERVICE" localhost "$PORT"
networksetup -setsocksfirewallproxystate "$NETWORK_SERVICE" on

echo "SSH connecting to $SERVER"
echo "SSH binding to port $PORT"
# -D: ssh acts as a SOCKS server on localhost:$PORT. -N: run no remote command, just hold the session open.
ssh -D "$PORT" -N "$SERVER"

networksetup points the system-wide SOCKS proxy setting for the chosen network service (Wi-Fi in my case) at localhost and the given port; nothing actually listens there until ssh starts. The -D flag is what makes ssh act as the SOCKS server on that port, as described in the man page:

Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket to
listen to port on the local side, optionally bound to the specified bind_address.  Whenever a connection
is made to this port, the connection is forwarded over the secure channel, and the application protocol
is then used to determine where to connect to from the remote machine.  Currently the SOCKS4 and SOCKS5
protocols are supported, and ssh will act as a SOCKS server.  Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configuration file.

The -N flag tells SSH not to run a remote command and simply block until the connection drops or you interrupt it. Once ssh exits, the script switches the proxy off again. Note that it does not restore a previously configured proxy; it just disables the SOCKS setting.

And that’s it. Run the script and every application that honors the macOS system proxy setting will have its TCP connections carried over the SSH session to the laptop and from there onto the corp network via the VPN. Two caveats worth knowing. Not everything honors the system setting: command-line tools such as curl and git ignore it and need their own flags or environment variables. And whether hostnames get resolved on the laptop (inside the VPN) or on the desktop depends on the client handing the name to the SOCKS5 server rather than resolving it locally first; with curl, for example, --socks5-hostname does the former and --socks5 the latter. Also keep the SOCKS listener bound to loopback, which is ssh’s default; if it ever ends up on a LAN-facing address, anyone on your home network can ride your VPN.
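The following is an added example, not the script from the original post: a hardened variant of the same procedure that rejects privileged ports (the man page excerpt above notes only root can forward those), binds the SOCKS listener explicitly to 127.0.0.1 so a stray GatewayPorts setting in ssh_config cannot expose it to the LAN, makes ssh exit if the port cannot be bound (ExitOnForwardFailure), verifies the tunnel with a curl request that resolves the hostname on the laptop side, and tears everything down on Ctrl-C. It assumes macOS networksetup(8), OpenSSH ssh(1) and curl are installed and that "my-machine" uses key-based auth; the host alias, the port and CHECK_URL are placeholders.

```shell
#!/bin/sh
# Added example (not the original post's script). Assumes macOS networksetup(8),
# OpenSSH ssh(1) and curl; "my-machine", port 45623 and CHECK_URL are placeholders.
set -u

NETWORK_SERVICE="${NETWORK_SERVICE:-Wi-Fi}"
# Hypothetical internal URL, only used to confirm the tunnel really reaches the corp network.
CHECK_URL="${CHECK_URL:-https://intranet.example.internal/}"
proxy_enabled=""
ssh_pid=""

# ssh -D refuses privileged ports without root, so insist on 1024-65535.
validate_port() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the ssh argument list. The explicit 127.0.0.1 bind matters: with GatewayPorts
# set in ssh_config, a bare "-D port" would listen on all interfaces and anyone on the
# home LAN could ride the VPN through this box. ExitOnForwardFailure makes ssh exit
# instead of silently continuing when the port cannot be bound.
ssh_tunnel_args() {
    printf '%s' "-D 127.0.0.1:$1 -N -o ExitOnForwardFailure=yes $2"
}

proxy_on() {
    networksetup -setsocksfirewallproxy "$NETWORK_SERVICE" 127.0.0.1 "$1"
    networksetup -setsocksfirewallproxystate "$NETWORK_SERVICE" on
    proxy_enabled=1
}

# Runs on normal exit and on Ctrl-C: kill the tunnel and never leave the system
# proxy enabled with no listener behind it.
cleanup() {
    [ -n "$ssh_pid" ] && kill "$ssh_pid" 2>/dev/null
    ssh_pid=""
    if [ -n "$proxy_enabled" ]; then
        networksetup -setsocksfirewallproxystate "$NETWORK_SERVICE" off
        proxy_enabled=""
    fi
}

# --socks5-hostname hands the name to the SOCKS server, so it is resolved on the
# laptop inside the VPN rather than by the desktop's resolver.
verify_tunnel() {
    curl -s --max-time 10 --socks5-hostname "127.0.0.1:$1" -o /dev/null "$CHECK_URL"
}

main() {
    port="$1"; server="$2"
    validate_port "$port" || { echo "bad port: $port (need 1024-65535)" >&2; return 2; }
    trap cleanup EXIT
    trap 'exit 130' INT TERM
    proxy_on "$port"
    # Word-splitting the builder's output is intended: none of the args contain spaces.
    ssh $(ssh_tunnel_args "$port" "$server") &
    ssh_pid=$!
    # Poll until the listener answers through the tunnel, or give up if ssh died.
    tries=0
    until verify_tunnel "$port"; do
        tries=$((tries + 1))
        if [ "$tries" -ge 10 ] || ! kill -0 "$ssh_pid" 2>/dev/null; then
            echo "tunnel check against $CHECK_URL failed; tearing down" >&2
            return 1
        fi
        sleep 1
    done
    echo "tunnel up on 127.0.0.1:$port via $server; Ctrl-C to stop"
    wait "$ssh_pid"
}

# Usage: socks-tunnel.sh PORT SERVER   (does nothing when run with no arguments)
[ "$#" -eq 0 ] || main "$@"
```

Run it as socks-tunnel.sh 45623 my-machine. Because the listener is verified before the script reports success, a failed bind or a laptop that is not actually on the VPN shows up immediately instead of as mysterious connection errors later, and the EXIT trap guarantees the system proxy is switched off again on every exit path.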