How to tunnel Internet traffic over SSH in Windows using free software

This is a basic guide to SSH dynamic port forwarding. It is intended as an introduction to this technology for intermediate to advanced computer users in the hopes that it will be useful. It is not intended to be the best nor most comprehensive guide on the subject. I found a similar document here.

SSH is a protocol for secure (encrypted) communications, most commonly used for remote login sessions to the command line on various Unix-like environments (Linux, Solaris, BSDs, Darwin, etc.). Many academic and other institutions offer accounts on Unix clusters or other machines with a Unix-like operating system. Often these accounts allow login using SSH. If you do not already have one of these accounts, you may be able to get one at one of the sites listed here. [Note: I do not endorse any of the services.]

Most other Internet traffic can also be transmitted through this secure channel using one of several techniques collectively called "tunneling" or "port forwarding". Here I will introduce one of these methods, called "dynamic port forwarding", which I find particularly useful. It makes the SSH client act as a SOCKS proxy on the local computer; Internet applications configured to use that proxy then have their traffic carried through the SSH connection. [Note: If you are using a corporate computer, restrictions may prohibit this from being done.]

Note that this specific method only works for outgoing TCP connections. UDP traffic and incoming connections cannot take advantage of it. If you need to accept incoming connections on specific ports (and those ports are not already in use on the SSH server), you can use remote port forwarding; it is fairly straightforward, but outside the scope of this tutorial.

A similar but more versatile method that is often used to solve many of the same problems is a secure virtual private network (VPN). However, VPN service may not be available at many institutions, or may cost extra.


Why would one want to tunnel Internet traffic through SSH? Here are some of the reasons:

Part 1: setting up the SSH connection

Part 2: using the SOCKS proxy

Method 1: SOCKS-supporting applications

Many applications support using SOCKS proxies to connect.

Warning: Many SOCKS-supporting applications "leak" DNS requests: even though the data is transmitted through the proxy, they look up domain names through the regular outside connection. If this occurs, it is bad for many reasons:

If you use an application that works with hostnames (rather than just IP addresses), such as a browser, and you care about DNS request leaks (and you probably should), either use an application that specifically supports remote DNS lookups through the proxy (the SOCKS 4a protocol), or use Method 2 below.
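As an added example that is not part of the original page, the following Python script shows both what the SOCKS exchange described above looks like on the wire and how to test an application for the DNS leak just described. It runs a loopback-only SOCKS5 listener that records whether each connecting client named its destination by hostname (address type 3, which the proxy resolves, the SOCKS5 counterpart of the SOCKS 4a remote lookup) or by IP address (address type 1, meaning the application resolved the name itself over the ordinary connection). The destination name and address are constructed, the listener refuses every connection rather than relaying anything, and the class and function names are my own; it only speaks SOCKS version 5, so a client configured for SOCKS 4/4a would not complete the handshake.

```python
"""Loopback SOCKS5 listener that reports whether clients leak DNS (example code)."""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_REFUSED = 0x05          # "connection refused": the detector observes, it never relays


def parse_connect_request(data):
    """Parse a SOCKS5 CONNECT request (RFC 1928, section 4) into (atyp, host, port)."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 8                      # 4-byte address follows the header
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]            # length-prefixed hostname
    elif atyp == ATYP_IPV6:
        end = 20                     # 16-byte address
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(data) < end + 2:          # address plus 2-byte port must be present
        raise ValueError("truncated request")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(data[4:8])
    elif atyp == ATYP_DOMAIN:
        host = data[5:end].decode("ascii")
    else:
        host = socket.inet_ntop(socket.AF_INET6, data[4:20])
    (port,) = struct.unpack("!H", data[end:end + 2])
    return atyp, host, port


def classify(atyp):
    """A hostname in the request means the proxy resolves it; an IP means the app already did."""
    return "ok-remote-dns" if atyp == ATYP_DOMAIN else "LEAK-local-dns"


class LeakDetector:
    """Loopback-only SOCKS5 listener that records how each client named its destination."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))     # loopback only: never expose a proxy on 0.0.0.0
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.seen = []                        # (classification, host, port) per request
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return                        # listener closed
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            greeting = conn.recv(258)         # VER, NMETHODS, METHODS...
            if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
                return
            conn.sendall(bytes([SOCKS_VERSION, 0x00]))   # select "no authentication"
            try:
                atyp, host, port = parse_connect_request(conn.recv(262))
                self.seen.append((classify(atyp), host, port))
            except ValueError:
                pass
            # VER, REP, RSV, ATYP, BND.ADDR (4 zero bytes), BND.PORT (2 zero bytes)
            conn.sendall(bytes([SOCKS_VERSION, REP_REFUSED, 0x00, ATYP_IPV4]) + bytes(6))

    def close(self):
        self.sock.close()


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise RuntimeError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_probe(proxy_port, dest, port=80):
    """Emulate an application connecting through the proxy and return the REP code.
    An IP literal is sent as address type 1 (what a leaking application does after
    resolving the name itself); anything else is sent as a hostname (address type 3)."""
    try:
        request = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4]) + socket.inet_aton(dest)
    except OSError:
        name = dest.encode("ascii")
        request = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name
    request += struct.pack("!H", port)
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))        # offer "no authentication"
        if _recv_exact(s, 2) != bytes([SOCKS_VERSION, 0x00]):
            raise RuntimeError("proxy rejected the handshake")
        s.sendall(request)
        return _recv_exact(s, 10)[1]


def run_demo():
    """Constructed inputs: a hostname (well-behaved client) and a literal IP (leaking client)."""
    det = LeakDetector()
    try:
        for dest in ("example.com", "203.0.113.10"):   # 203.0.113.0/24 is documentation space
            socks5_probe(det.port, dest)
        return list(det.seen)
    finally:
        det.close()


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

To check a real application, start the listener (print `det.port`), point the application's SOCKS5 proxy setting at 127.0.0.1 and that port, try to open a site by name, and read `det.seen`: a `LEAK-local-dns` entry means the application resolved the name over the ordinary connection before ever talking to the proxy. Binding to 127.0.0.1 rather than all interfaces matters for the real SSH proxy too, since a SOCKS listener reachable from the network would let other hosts send traffic through your SSH session.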

Example: Mozilla Firefox browser

Example: Internet Explorer browser

Method 2: SOCKSify any application

Last updated: 2011
Questions and suggestions are welcome.
xuanluo at ucla dot edu