@itpcc
Last active March 2, 2025 13:15
How I set up a SOCKS5 server for connecting to SSH servers

Why?

Well, SSH uses port 22, which is vulnerable to attack, and a misconfiguration can result in severe security issues. Moreover, since I would like to access clients or servers in my VPN network through a SOCKS proxy server, why not use an existing service instead of creating a jumpbox server?

Setup SOCKS5 server

In my case, I use Koblas on Docker because it's written in Rust, lightweight, and quite easy to set up.

  1. Install Docker (duh)

  2. In /etc/koblas/docker-compose.yaml, create the Docker Compose file (note that I use network_mode: "host" because it is the lazy way to reach the VPN network on the server):

    services:
        koblas:
            image: ynuwenhof/koblas:latest
            container_name: koblas
            restart: unless-stopped
            network_mode: "host"
            environment:
                RUST_LOG: info
                KOBLAS_LIMIT: 256
                # Quote booleans so YAML passes them through as strings.
                KOBLAS_NO_AUTHENTICATION: "false"
                KOBLAS_ANONYMIZATION: "false"
                KOBLAS_PORT: <target port>
            volumes:
                - /etc/koblas/config.toml:/etc/koblas/config.toml

  3. To generate a password hash, run the following command and copy the result:

    docker run -it --rm ynuwenhof/koblas:latest hash "<password>"

  4. In /etc/koblas/config.toml, create the configuration file:

    [users]
    <username> = "<password hash>"

  5. Run the proxy:

    docker compose -f /etc/koblas/docker-compose.yaml up -d

  6. Allow outside access to port <target port>, then test (from another computer):

    curl -vvv --socks5 "<username>:<password (with encodeURIComponent)>@<public IP/Domain>:<target port>" --location --request GET 'https://google.com'
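
To complement the curl test in step 6, the following added example (not part of the original gist or of Koblas) builds the SOCKS5 messages from RFC 1928/1929 and checks that the proxy does not accept a client offering only "no authentication", which is what KOBLAS_NO_AUTHENTICATION set to false should enforce. The function names and the sample values ("alice", "s3cret", "internal.example") are hypothetical.

```python
import socket
import struct

NO_AUTH, USERPASS = 0x00, 0x02  # SOCKS5 method ids (RFC 1928)


def greeting(methods):
    """Client hello: VER=5, NMETHODS, METHODS."""
    return bytes([5, len(methods), *methods])


def userpass_request(username, password):
    """RFC 1929 sub-negotiation. Both fields travel as plain bytes,
    so the proxy password is readable on the path to the proxy."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p


def connect_request(hostname, port):
    """CONNECT with ATYP=3 (domain name): the proxy resolves the name."""
    h = hostname.encode("ascii")
    if not 1 <= len(h) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return bytes([5, 1, 0, 3, len(h)]) + h + struct.pack("!H", port)


def refuses_no_auth(sock):
    """Offer only 'no authentication' on a connected socket.
    Returns True unless the proxy explicitly selects that method."""
    sock.sendall(greeting([NO_AUTH]))
    reply = sock.makefile("rb").read(2)  # b"" if the proxy just hangs up
    return reply != bytes([5, NO_AUTH])


if __name__ == "__main__":
    # Constructed sample values, not taken from the gist.
    print(greeting([NO_AUTH, USERPASS]).hex(" "))
    print(userpass_request("alice", "s3cret").hex(" "))
    print(connect_request("internal.example", 22).hex(" "))
    # Against your own proxy (host and port are placeholders):
    #   with socket.create_connection(("<public IP/Domain>", <target port>), 5) as s:
    #       print(refuses_no_auth(s))
```
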

Usage

SSH config

In my case, since nc doesn't accept username and password authentication for a SOCKS5 server, I use connect-proxy.

  • For Linux Mint's Nemo, set the following in ~/.ssh/config:

     Host <alias>
       SetEnv SOCKS5_PASSWORD=<password>
       ProxyCommand "connect-proxy -5 -H '<username>@<public IP/Domain>:<target port>' %h %p"
       HostName <Server IP>
       User <SSH username>
       IdentityFile <SSH private key file path>
    

    To access it in Nemo, go to File > Connect to server..., and fill the Server field with <alias>:

    (Screenshot: Nemo "Connect to server" dialog)

  • To access SSH via the command line:

     SOCKS5_PASSWORD="<password>" ssh <SSH username>@<Server IP> -o "ProxyCommand connect-proxy -5 -H '<username>@<public IP/Domain>:<target port>' <Server IP> <Server SSH port>" -o "IdentitiesOnly=yes" -i <SSH private key file path>

  • For Uptime Kuma's proxy setting (note that we use SOCKS v5 (+DNS) so that hostnames are resolved on the proxy side):

    (Screenshot: Uptime Kuma's proxy setting)

    If you run Uptime Kuma on the same server as the proxy server, and that server runs Linux, don't forget to add --add-host "host.docker.internal:host-gateway" and, in the proxy setting dialog, set Proxy Server to host.docker.internal.
