How to Set Up a SOCKS5 Proxy with SSH Tunneling
A SOCKS5 proxy over SSH creates an encrypted tunnel between your local machine and your Breeze instance, routing your internet traffic securely through the server. This is useful for encrypting traffic on untrusted networks, bypassing network restrictions, and accessing resources that are only available from your server's network.
How SSH SOCKS5 Proxy Works
When you create an SSH SOCKS5 tunnel, your local machine opens a listening port that accepts SOCKS5 connections. Any application configured to use this proxy sends its traffic through the SSH connection to your Breeze instance, which then forwards it to the destination. The traffic between your local machine and the Breeze is fully encrypted.
Creating a Basic SOCKS5 Tunnel
Open a SOCKS5 proxy on local port 1080:
ssh -D 1080 -f -C -q -N user@your-breeze-ipFlag breakdown:
-D 1080— opens a SOCKS5 proxy on local port 1080-f— sends SSH to the background after authentication-C— enables compression for better performance-q— quiet mode, suppresses warnings-N— no remote command, only tunnel
Binding to a Specific Interface
By default, the proxy listens only on localhost. To share the proxy with other devices on your network:
# Listen on all interfaces
ssh -D 0.0.0.0:1080 -f -C -q -N user@your-breeze-ip
# Listen on a specific interface
ssh -D 192.168.1.100:1080 -f -C -q -N user@your-breeze-ipConfiguring Applications to Use the Proxy
Configure your browser or application to use the SOCKS5 proxy:
Firefox
Navigate to Settings > Network Settings > Manual Proxy Configuration:
- SOCKS Host:
127.0.0.1 - Port:
1080 - Select SOCKS v5
- Check Proxy DNS when using SOCKS v5 (important for privacy)
Command-Line Tools
Use proxychains to route any command-line tool through the proxy:
sudo apt install -y proxychains4
# Edit /etc/proxychains4.conf
# Add at the bottom:
# socks5 127.0.0.1 1080
# Use proxychains with any command
proxychains4 curl https://api.ipify.org
proxychains4 wget https://example.com/file.tar.gzPersistent Tunnel with autossh
Use autossh to maintain the tunnel automatically, reconnecting if it drops:
sudo apt install -y autossh
# Create a persistent SOCKS5 tunnel
autossh -M 0 -D 1080 -f -C -q -N \
-o "ServerAliveInterval 30" \
-o "ServerAliveCountMax 3" \
user@your-breeze-ipCreating a systemd Service
For a tunnel that starts on boot and restarts automatically:
# /etc/systemd/system/socks-tunnel.service
[Unit]
Description=SSH SOCKS5 Proxy Tunnel
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=tunnel-user
ExecStart=/usr/bin/autossh -M 0 -D 1080 -C -q -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i /home/tunnel-user/.ssh/id_ed25519 user@your-breeze-ip
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.targetsudo systemctl daemon-reload
sudo systemctl enable --now socks-tunnelServer-Side Hardening
Configure the Breeze instance to allow tunneling while maintaining security:
# /etc/ssh/sshd_config on the Breeze instance
AllowTcpForwarding yes
GatewayPorts no
PermitTunnel no
# Optionally create a dedicated tunnel user with restricted shell
sudo useradd -m -s /usr/sbin/nologin tunnel-user
sudo mkdir -p /home/tunnel-user/.ssh
sudo cp /path/to/authorized_key /home/tunnel-user/.ssh/authorized_keys
sudo chown -R tunnel-user:tunnel-user /home/tunnel-user/.sshTesting the Proxy
# Verify the tunnel is running
ss -tlnp | grep 1080
# Test with curl
curl --socks5-hostname 127.0.0.1:1080 https://api.ipify.org
# The output should show your Breeze instance's IP, not your local IPBest Practices
- Always proxy DNS — use SOCKS5 (not SOCKS4) and enable remote DNS to prevent DNS leaks
- Use key-based authentication — avoid passwords for automated tunnel connections
- Limit binding — bind to localhost only unless you specifically need to share the proxy
- Monitor tunnel health — use autossh or a systemd service with automatic restarts
- Restrict the tunnel user — use a dedicated user with no shell access for proxy-only connections
An SSH SOCKS5 proxy is one of the simplest and most effective ways to encrypt your traffic through your Breeze instance without installing additional VPN software.