Browsing the Internet Through an SSH Tunnel on MacOS

VPNs are powerful tools and can help keep your network traffic secure. If you have a VPS or dedicated server, you could even run a VPN service from your server. The issue is that setting up and configuring a VPN can be time consuming and complicated. For some uses, there may be an easier way to securely route your traffic through a remote server (like your VPS or dedicated server).

An SSH tunnel is another method of rerouting some or all traffic from one location (like your local computer) through another (your remote server). All of this rerouted traffic is securely encrypted as it travels between your local machine and the remote server thanks to SSH. With a tunnel active and traffic proxied through the tunnel, that traffic will appear to be coming from your remote server instead of your local machine. This can be useful to bypass remote network issues or restrictive firewalls.

This article will explain how you can set up an SSH tunnel from your local MacOS (née OS X) machine.

If you are looking for an article explaining how to set up an SSH tunnel on your Windows machine, see our article here.


The Mac already ships with all of the tools needed to set up an SSH tunnel, but you'll also need a remote server to SSH your connection through. Here’s the full list of requirements:

  1. A remote server running SSH and the ability to make other outbound connections to the internet.
  2. A user account on the remote server that is able to log in via SSH.
  3. Access to the Terminal application in /Applications/Utilities/Terminal(.app) on your Mac.
  4. Access to the Network section in System Preferences so you can set up the system-wide proxy.
  5. Alternately, access to Firefox or another browser that can accept locally configured proxy connections.

Setting up an SSH Tunnel

To set up the tunnel, you need to execute a command in the Mac's Terminal application.

  1. Open the Applicationfolder on your Mac (if you don't know where this is. open your hard drive and the folder will be found there.
  2. Scroll down to the Utilities folder and open that as well.
  3. Locate the Terminal or file in the Utilities folder and double click on the icon for the terminal.
  4. This will open a new window where you will be able to type some text.
  5. Type the following into the terminal window:

    Type this into the Terminal window:
    ssh -f -N -M -S /tmp/sshtunnel -D 1080 -p22

    Replace USER above with the username of the user on the remote server you are logging in as, this could be "root" but it is generally safer to use an unprivileged user instead.
    Replace with the hostname or IP address of your remote server.
    Replace 22 at the end of the line above with whatever port your remote server accepts SSH connections on (22 is the default).

    If you want to understand what this command is doing, read on, otherwise skip to step 6.

    -f: This forks the process into the background so you don't have to keep the terminal window open to maintain the SSH tunnel.
    -N: This tells the SSH process to not execute any commands on the remote server (we are only forwarding traffic through the remote server).
    -M: Put the SSH client into master mode. We're doing this so we can easily enter a command later to gracefully end the SSH tunnel without having to kill the connection.
    -S: This is used in conjunction with the -M command. This sets up a special kind of file (called a socket) that will allow us to enter a command later to gracefully end the SSH tunnel without having to kill the connection. /tmp/sshtunnel is the full path to the socket file this command is creating.
    -D: This sets up a dynamic application level forwarding service and 1080 is the port it will listen on. This command creates the SOCKS proxy we'll use later.
    -p: Specify the port on which the remote server is listening for SSH connections.

  6. You will be asked to log into your remote SSH server.

    If you have to enter a password, the terminal will not show you bullets for your key strokes. You won't see anything at all. Just type your password and hit Return on your keyboard.

  7. Once you are connected to your remote server, you can quit the Terminal application.

Configure the Proxy Service

Now you need to set up the SOCKS proxy so that your Mac routes traffic through your remote server instead.

Until you complete this step, your traffic is not secure.

MacOS Firefox Only

Disabling the SSH Tunnel and Proxy Service

To disconnect from the SSH tunnel, follow these steps:

  1. Disable SOCKS proxy use either by unchecking the SOCKS Proxy from the Advanced... section of the Network preference pane or by switching to System Proxy or No Proxy in the Preferences of Firefox, depending on which set of directions you followed.
  2. Disconnect the SSH tunnel and close the connection to your remote server.

    1. Launch the Terminal application from your Utilities folder in the Applications folder.
    2. In the terminal window, enter the following command (editing it as needed):

      ssh -S /tmp/sshtunnel -O exit -p22

      Replace with the IP address or server hostname of your remote server.
      Replace 22 with the port number that your remote server accepts SSH connections on. 22 is the default.

      If you have problems for any reason disconnecting from your remote server this way, you can always restart your Mac and that will automatically kill the connection.

    3. Quit the the Terminal application.
  3. Test your connection to and make sure the IP that gets reported is no longer the IP address of your remote server.