What is a SOCKS proxy? How is it gonna help?

All what you’re gonna need is a machine that is reachable to you through SSH. Today, there are plenty of those! From Amazon AWS to Google Cloud, Microsoft Azure, and Digital Ocean, in addition to many other cloud providers, you can always have an offshore machine where you can host a web application, or use a SOCKS proxy. In this article, we are interested in the second option. Let’s define the term first. Wikipedia defines SOCKS as an Internet protocol used for proxying connections. A proxy server, in case you are not aware of it, is a machine/service that sits between the client and the web URI that he/she wants to connect to. The main function of a proxy server is to establish the request on behalf of the client, and relay whatever data it receives back to the requester (the client). It is mainly used in large enterprises for various reasons like caching and restricting certain websites from being accessed. Now, where does SOCKS fit in the above? SOCKS is a proxy protocol that uses SSH to authenticate users and encrypt data passing to and from it inside an SSH tunnel. Notice that the encryption occurs only between the user and the machine serving SOCKS, but no necessarily past this point unless the connection uses https. The sweet part of all of this is that you can build a SOCKS proxy for yourself on any machine that you are able to SSH into. Yes, this means that once you establish the tunnel, you can use this remote machine as a proxy and browse the net as if you are in the exact same georaphic area as the remote host.

The setup

As mentioned, you will have to have a remote machine with OpenSSH running, this machine should be reachable to you over the network, and you should have some form of an SSH client. Any client will do the job whether you were on Windows, Linux, UNIX, or macOS.

Dynamic port forwarding

The method that we are about to use is called “dynamic port forwarding”. It is dynamic because, unlike local and remote port forwarding methods, you do not supply the destination port for the connection. Instead, you select a port on your localhost or a specific machine, and any traffic arriving at this port will automatically be forwarded to the remote host, where it is going to be relayed to the Internet. The response data will be redirected back to the requesting client, which is typically a web browser.

The setup

As mentioned, all what you need for this scenario is a remote machine that is reachable to you through SSH, needless to say that it should be geographically located outside your internet-restricted region! You’ll also need an SSH client. Most SSH clients support tunneling, so wether you are using PuTTY or MobaXterm on Windows, the native Linux/UNIX/macOS SSH client, you’ve got yourself covered.

The command (macOS/Linux/UNIX clients)

Now that you understand what dynamic port forwarding is, how it is going to help you bypass regional Internet restrictions and what is needed to setup the lab, let’s see the command that will do the magic:

ssh -D localaddress:localport remote-host

So, you basically need a machine that will act as a client and another that will act as a host. In most cases, people use their local machines the SSH client. So, in this case you can ommit the localaddress part and SSH will automatically bind itself to So, if I am to establish a dynamic SSH port forwarding with my Amazon EC2 isntance, which happens to have an IP address of, and I’m using my local machine as a client, the command should be as follows:

ssh -D 9090

Now, in order to test settings and start browsing, we need to change how our browser connects to the Internet. In Firefox, that would be by opening the settings (preferences if you are on a mac), going to Network settings, and choosing manual proxy settings. In the SOCKS proxy, add localhost as the host and 9090 as the port. This is illustraed below:

On Google Chrome or Microsoft Edge, the procedure is the same. Just search for the proxy settings and make sure you edit the SOCKS5 proxy type. Now, try testing the configuration by navigating to

The command (Microsoft Windows)

On Windows, there are many SSH clients. I’ve chosen to demonstrate how this setup will work on the most well-known SSH client: PuTTY. To enable dynamic forwarding on PuTTY, go to settings, then Connections => SSH => Auth => Tunnels. Then add the settings as shown in the screenshot: To test the configuration, go to one of the websites that display your IP addres like https://whatismyipaddress.com/ and ensure that it is showing you the IP address of the remote host rather than your local one. Now, you can navigtate to any restricted website; as you are now - technically - in the same geopgraphic location as your remote host.

Best practices

If you are going to use this setup a lot, the perhaps you may want to tweak it a little so that it best serves your needs. So, for example, you may not want to actually login to the remote host, all what you need to do it establish the tunnel. Also, you may want to put the connectino to the background so that you can continue using your terminal. Both of those options can be acticated by modifying the SSH command to be as follows:

ssh -fND 9090 &

The N option instructs SSH not to execute any commands on successful connection, that also means opening a shell. The f option makes the SSH connection execute in the background.