Back to Blog

SSH SOCKS5 Proxy in 2026: macOS, Linux, Windows & sshuttle: Complete Guide

  • Network
  • VPN
  • SSH
  • Security
  • DevOps
  • macOS
  • Linux
  • Proxy
SSH SOCKS5 tunnel as a secure proxy for macOS, Linux, and Windows

Two common scenarios require routing traffic through a remote server: accessing private network resources, or browsing from a different geographic IP. An SSH SOCKS5 tunnel solves both in under a minute, no VPN software required.

How SSH -D Works

The -D flag creates a dynamic port forward: SSH listens on a local port and acts as a SOCKS5 proxy. Traffic exits from the SSH server's network:

Your app -> localhost:1080 (SOCKS5) -> SSH encrypted -> remote server -> internet

macOS & Linux: Quick Start

bash
# Start tunnel in background ssh -D 1080 -f -C -q -N user@your-server.com # Verify it is running pgrep -a ssh # Confirm traffic routes via the server curl --socks5 127.0.0.1:1080 https://ipinfo.io/ip

Flag meanings:

  • -D 1080: SOCKS5 proxy on local port 1080
  • -f: fork to background after auth
  • -C: gzip compression
  • -q: quiet mode
  • -N: tunnel only, no remote command

macOS: Toggle Script

Save as ~/bin/tunnel, chmod +x, then sudo tunnel:

bash
#!/usr/bin/env bash NET_SERVICE="Wi-Fi" # run: networksetup -listallnetworkservices PORT=1080 SERVER="user@your-server.com" if [[ "$EUID" -ne 0 ]]; then echo "Run as root: sudo $0"; exit 1 fi PID=$(pgrep -f "ssh -D ${PORT}") if [[ -n "$PID" ]]; then echo "Disconnecting (PID $PID)..." kill -9 "$PID" networksetup -setsocksfirewallproxystate "${NET_SERVICE}" off echo "Tunnel closed." else echo "Connecting to ${SERVER}..." ssh -D "${PORT}" -f -C -q -N "${SERVER}" networksetup -setsocksfirewallproxy "${NET_SERVICE}" 127.0.0.1 "${PORT}" networksetup -setsocksfirewallproxystate "${NET_SERVICE}" on echo "Connected. System SOCKS proxy active on :${PORT}." fi

networksetup sets the macOS system-wide SOCKS proxy, all apps that respect it route through the tunnel.

Linux: Route CLI Tools with Proxychains4

bash
# Install sudo apt install proxychains4 # Debian/Ubuntu sudo dnf install proxychains-ng # Fedora # Edit /etc/proxychains4.conf: # comment out: socks4 127.0.0.1 9050 # add: socks5 127.0.0.1 1080 # Start the SSH tunnel ssh -D 1080 -f -C -q -N user@your-server.com # Route any CLI tool proxychains4 curl https://ipinfo.io/ip proxychains4 git clone https://github.com/someorg/private-repo

sshuttle: Transparent Full-System Proxy (No Config Required)

sshuttle routes all TCP traffic via OS-level interception:

bash
brew install sshuttle # macOS sudo apt install sshuttle # Ubuntu # Route everything, exclude the SSH server to avoid a loop sshuttle -r user@your-server.com 0.0.0.0/0 --exclude your-server.com # Route only a private subnet behind the server sshuttle -r user@your-server.com 10.0.0.0/8 # Stop with Ctrl+C

No browser config. Every TCP connection is intercepted transparently.

Windows: Bitvise + Proxifier

  1. Install Bitvise SSH Client
  2. Under Services > SOCKS/HTTP Proxy Forwarding, enable SOCKS5 on 127.0.0.1:1080. Log in.
  3. Install Proxifier:
    • Add proxy: 127.0.0.1:1080, SOCKS5
    • Add rule targeting the apps you want to route (e.g., chrome.exe)

SSH Config for Reliability

Add to ~/.ssh/config to keep the tunnel alive through network idle timeouts:

Host tunnel-server
  HostName your-server.com
  User youruser
  IdentityFile ~/.ssh/id_ed25519
  ServerAliveInterval 60
  ServerAliveCountMax 3
  Compression yes

Start with: ssh -D 1080 -f -C -q -N tunnel-server

SSH -D vs sshuttle vs WireGuard

FeatureSSH -DsshuttleWireGuard
Setup complexityLowLowMedium
Routes all trafficNo (per-app SOCKS)Yes (all TCP)Yes (all protocols)
UDP supportNoNoYes
Server prerequisitesSSH onlySSH onlywireguard-tools
SpeedGoodGoodExcellent
Best forSingle-app routingFull TCP proxyPermanent VPN

Security Best Practices

  • Key-based auth only: ssh-keygen -t ed25519
  • Restrict server to your user: AllowUsers youruser in /etc/ssh/sshd_config
  • Use a non-standard port to reduce automated brute-force: Port 2222 in sshd_config
  • Rotate SSH keys annually
X / Twitter
LinkedIn
Facebook
WhatsApp
Telegram
AI Engineering for B2B

Building an AI feature your team can't finish?

Most AI projects stall because nobody on the team knows how to design agents, manage token budgets, or wire production evals. I build that layer for B2B companies so the feature actually ships and keeps shipping.

12+ years shipping production systems

Senior engineer turned AI specialist. React, Next.js, AWS, agent orchestration.

Dubai-based, working with B2B teams worldwide

Direct collaboration across UAE, Europe, and US time zones.

AI agent teams that ship, not demos that stall

Discovery, role design, MCP integration, evals, and production deployment.

About Pooya Golchian

Common questions about Pooya's work, AI services, and how to start a project together.

Get practical AI and engineering playbooks

Weekly field notes on private AI, automation, and high-performance Next.js builds. Each edition is concise, implementation-ready, and tested in production work.

Open full subscription page

Get the latest insights on AI and full-stack development.