by Gina Trapani

You're at an open wireless hotspot, but you don't want to send your web browsing data over it in plain text. Or you want to visit a non-work-approved web page from the office computer without the IT team finding out.

Using a simple SSH command, you can encrypt all your web browsing traffic and redirect it through a trusted computer when you're on someone else's network. Today we'll set up a local proxy server that encrypts your online activity from your Mac, PC or Linux desktop. Here's how.

SS-wha? you ask. Proxy server? Huh? Don't let the intimidating words and acronyms scare you off. This IS an advanced technique, but I've got my pom-poms out, because you can totally do it.


Let's get crackin'.

What you'll need

An SSH server to act as your proxy.

"SSH server" sounds frightening, but it's just another computer off-site that allows you to log in to it via SSH. Most web hosts allow SSH access to the server; or you can set one up at home.

An SSH client on the computer you're using.

Mac and *nix machines have SSH built right in at the command line. Windows users can get one by installing the free OpenSSH with Cygwin.


How proxies work

In a nutshell, what you're doing with a proxy is setting up a middle-person between you and the internet. Using the proxy, your browser hands off web page requests to the proxy server, which handles the request and fetches the page for you from the internet. The web site actually thinks the request is coming from the proxy server, not your computer, which is a good way to obscure your originating IP address.


Additionally, the connection between your computer and the proxy happens over SSH, an encrypted protocol. This prevents wifi sniffers at the coffee shop from seeing what you're doing online.

For the more visual readers in the house, a (quick and dirty) diagram:


Now let's get down to the nitty-gritty.

Start your SSH tunnel

You've got access to an SSH server and you want to start using it as your proxy. To do so, you're going to set up a "tunnel" which passes web traffic from your local machine to the proxy over SSH. The command to do so is:

ssh -ND 9999 you@example.com

Of course, you're going to replace you with your username and example.com with your server's domain name or IP address. The -D 9999 option makes ssh listen on localhost, port 9999, and hand off any requests made there to your server at example.com to handle.


When you execute that command, you'll get prompted to enter your password. Once you authenticate, nothing will happen. The -N tells ssh not to open an interactive prompt, so it will just hang there, waiting. That's exactly what you want.

Set Firefox to use SOCKS proxy

Once your proxy's up and running, configure Firefox to use it. From Firefox's Tools menu, choose Options, and from the Advanced section choose the Network tab. Next to "Configure how Firefox connects to the Internet" hit the "Settings" button and enter the SOCKS information, which is the server name (localhost) and the port you used (in the example above, 9999.)


Save those settings and hit up a web page. When it loads, it's actually coming from the proxy server over an encrypted connection. You're golden!


More tips on using a secure proxy

To quickly start your proxy, set up a shortcut to a batch script that launches the SSH connection in a click.

If there are only certain (NSFW) web sites you'd like to use your proxy for, the FoxyProxy Firefox extension lets you switch between your proxy and a direct connection on a per-site basis. [via Ubuntu blog]

Alternately, you can set up a separate Firefox profile that uses your proxy for all web requests.

Set your proxy server to resolve DNS requests instead of your computer; in Firefox's about:config area, set network.proxy.socks_remote_dns = true. [via codeblog]

Will at Security.engine says:

For those with slower connections, you can use the -C command line option to use SSH's compression (gzip).
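To see what the network.proxy.socks_remote_dns tip above changes, here is an added example (not from the original article) that builds and decodes the SOCKS5 CONNECT request a browser hands to the local listener in each mode. The function names, the example.org host and the fake resolver table are constructed for illustration; the byte layout follows RFC 1928.

```python
import ipaddress
import struct

# SOCKS5 address types from RFC 1928
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

def build_connect_request(host, port, remote_dns, resolve=None):
    """Return the SOCKS5 CONNECT request a client sends to the local
    listener (localhost:9999 in the article) for host:port."""
    header = bytes([0x05, 0x01, 0x00])  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        # Hostname travels inside the tunnel; the SSH server resolves it.
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # Client resolves first: that DNS query leaves over the local
        # network, outside the tunnel. Only the IP goes to the proxy.
        ip = ipaddress.IPv4Address(resolve(host))
        addr = bytes([ATYP_IPV4]) + ip.packed
    return header + addr + struct.pack("!H", port)

def parse_connect_request(data):
    """Decode a SOCKS5 CONNECT request; return (kind, address, port)."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != 0x05 or cmd != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
        kind = "domain"
    elif atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
        kind = "ipv4"
    else:
        raise ValueError("address type not handled in this example")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return kind, addr, struct.unpack("!H", rest)[0]

# Constructed sample data: a fake resolver so the example runs offline.
FAKE_DNS = {"example.org": "192.0.2.10"}

if __name__ == "__main__":
    for remote in (True, False):
        req = build_connect_request("example.org", 443, remote, FAKE_DNS.get)
        print(f"remote_dns={remote}: {req.hex()} -> {parse_connect_request(req)}")
```

With remote DNS off, the proxy only ever sees an IP address, which means the name lookup already happened in plain text on the network you were trying to hide from.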


This technique is as old as the hills and there are dozens of different ways and tools to get it set up. In fact, tons of Lifehacker readers have mentioned it in the comments of past posts already. What's your preferred method? Do share your proxy secrets in the comments.


Gina Trapani, the editor of Lifehacker, tunnels through a proxy whenever she thinks she's on a dodgy network. Her semi-weekly feature, Geek to Live, appears every Wednesday and Friday on Lifehacker.