VPNs are powerful tools and can help keep your network traffic secure. If you have a VPS or dedicated server, you could even run a VPN service from your server. The issue is that setting up and configuring a VPN can be time consuming and complicated. For some uses, there may be an easier way to securely route your traffic through a remote server (like your VPS or dedicated server).
An SSH tunnel is another method of rerouting some or all traffic from one location (like your local computer) through another (your remote server). All of this rerouted traffic is securely encrypted as it travels between your local machine and the remote server thanks to SSH. With a tunnel active and traffic proxied through the tunnel, that traffic will appear to be coming from your remote server instead of your local machine. This can be useful to bypass remote network issues or restrictive firewalls.
This article will explain how you can set up an SSH tunnel from your local MacOS (née OS X) machine.
If you are looking for an article explaining how to set up an SSH tunnel on your Windows machine, see our article here.
The Mac already ships with all of the tools needed to set up an SSH tunnel, but you'll also need a remote server to SSH your connection through. Here’s the full list of requirements:
- A remote server running SSH and the ability to make other outbound connections to the internet.
- A user account on the remote server that is able to log in via SSH.
- Access to the Terminal application in /Applications/Utilities/Terminal(.app) on your Mac.
- Access to the Network section in System Preferences so you can set up the system-wide proxy.
- Alternately, access to Firefox or another browser that can accept locally configured proxy connections.
Setting up an SSH Tunnel
To set up the tunnel, you need to execute a command in the Mac's Terminal application.
- Open the Applications folder on your Mac (if you don't know where this is, open your hard drive and the folder will be found there).
- Scroll down to the Utilities folder and open that as well.
- Locate the Terminal or Terminal.app file in the Utilities folder and double click on the icon for the terminal.
- This will open a new window where you will be able to type some text.
Type the following into the terminal window:
Replace USER above with the username of the account on the remote server you are logging in as. This could be "root", but it is generally safer to use an unprivileged user instead.
Replace server.domain.com with the hostname or IP address of your remote server.
Replace 22 at the end of the line above with whatever port your remote server accepts SSH connections on (22 is the default).
If you want to understand what this command is doing, read on, otherwise skip to step 6.
-f: This forks the process into the background so you don't have to keep the terminal window open to maintain the SSH tunnel.
-N: This tells the SSH process to not execute any commands on the remote server (we are only forwarding traffic through the remote server).
-M: Put the SSH client into master mode. We're doing this so we can easily enter a command later to gracefully end the SSH tunnel without having to kill the connection.
-S: This is used in conjunction with the -M option. It sets up a special kind of file (called a socket) through which we can send a command to the master process later to gracefully end the SSH tunnel without having to kill the connection. /tmp/sshtunnel is the full path to the socket file this command creates.
-D: This sets up dynamic application-level port forwarding, and 1080 is the local port it will listen on. This is the option that creates the SOCKS proxy we'll use later.
-p: Specify the port on which the remote server is listening for SSH connections.
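The full command line these options describe, as an added example reconstructed from the option list above (the article's own command line is not reproduced here), wrapped in a small script that refuses to start a second master on the same socket and confirms with ssh's -O check that the master connection is alive. The placeholders USER, server.domain.com, port 22, /tmp/sshtunnel and local port 1080 are the article's own; the script name tunnel-up.sh and the environment-variable overrides are assumptions.

```shell
#!/bin/sh
# tunnel-up.sh: open the SOCKS tunnel described above and verify the master
# connection is alive. Added example, not part of the original article; the
# placeholder values USER, server.domain.com, port 22, /tmp/sshtunnel and
# local port 1080 are the article's own, edit them for your server.
set -eu

SSH_USER="${SSH_USER:-USER}"
SSH_HOST="${SSH_HOST:-server.domain.com}"
SSH_PORT="${SSH_PORT:-22}"
SOCKET="${SOCKET:-/tmp/sshtunnel}"
LOCAL_PORT="${LOCAL_PORT:-1080}"

# Accept only a numeric TCP port in 1..65535 (return 0 = valid).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# Print the exact ssh command line built from the variables above, so it can
# be reviewed (or tested) before anything connects.
tunnel_cmd() {
    printf 'ssh -f -N -M -S %s -D %s %s@%s -p %s\n' \
        "$SOCKET" "$LOCAL_PORT" "$SSH_USER" "$SSH_HOST" "$SSH_PORT"
}

# Ask the master process behind the control socket whether it is still up;
# ssh prints "Master running (pid N)" and exits 0 when it is.
tunnel_status() {
    ssh -S "$SOCKET" -O check "$SSH_HOST"
}

tunnel_up() {
    valid_port "$SSH_PORT" || { echo "bad SSH port: $SSH_PORT" >&2; return 1; }
    valid_port "$LOCAL_PORT" || { echo "bad local port: $LOCAL_PORT" >&2; return 1; }
    # Refuse to start a second master on the same socket path; -O check
    # tells a live tunnel from a stale socket file left behind by a crash.
    if [ -S "$SOCKET" ]; then
        if tunnel_status 2>/dev/null; then
            echo "tunnel already running on $SOCKET" >&2
            return 0
        fi
        echo "removing stale socket $SOCKET" >&2
        rm -f "$SOCKET"
    fi
    # -D binds to 127.0.0.1 by default, so the SOCKS port is reachable only
    # from this Mac, not from other machines on your network.
    ssh -f -N -M -S "$SOCKET" -D "$LOCAL_PORT" "$SSH_USER@$SSH_HOST" -p "$SSH_PORT"
    tunnel_status
}

case "${1:-}" in
    up)     tunnel_up ;;
    status) tunnel_status ;;
    *)      echo "usage: $0 up|status" >&2 ;;
esac
```

Run it as `sh tunnel-up.sh up` to open the tunnel (you will be prompted for your password or key passphrase exactly as described above) and `sh tunnel-up.sh status` at any later time to confirm the background master process is still connected.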
You will be asked to log into your remote SSH server.
If you have to enter a password, the terminal will not show bullets for your keystrokes; you won't see anything at all. Just type your password and press Return on your keyboard.
- Once you are connected to your remote server, you can quit the Terminal application.
Configure the Proxy Service
Now you need to set up the SOCKS proxy so that your Mac routes traffic through your remote server instead.
Until you complete this step, your traffic still leaves your Mac directly and is not protected by the tunnel.
The best way to use the SSH tunnel is to configure MacOS to send most/all traffic through it. Follow these steps to configure your system. While the screenshots may look different, these directions should work on any version of MacOS back to at least Snow Leopard 10.6 (which is as far back as we can test).
- Under the Apple menu, select System Preferences...
- Select Network.
- Look for the network connection providing your internet/networking access. This is probably Ethernet or Wi-Fi. Click on that connection in the sidebar.
- In the main part of the Network window, look for an Advanced... button towards the bottom right and click it.
- In the new window that appears, select the Proxies tab near the top.
- Check the box next to SOCKS Proxy.
- In the first text field under the SOCKS Proxy Server, enter 127.0.0.1.
- In the smaller field next to that (after the colon), enter the port number, which is 1080 if you used the directions above.
- Click the OK button at the bottom right of this window.
- Click the Apply button to apply your network changes.
- You can close the System Preferences window now if you want.
- Test to make sure your new connection is working by opening Safari or any browser that is configured to use your Mac's network proxy settings. Go to https://hostdime.com/ip to see if your IP address has changed. It should now show the IP address of your remote server.
You are now done until you want to turn off the SSH tunnel (skip to the final section below).
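The same system-wide proxy change made from the terminal instead of System Preferences, as an added example that is not part of the original article. It assumes macOS's networksetup and scutil utilities (both ship with the system), the article's 127.0.0.1:1080 SOCKS listener, and a network service named "Wi-Fi"; the script name socks-proxy.sh and the sample scutil output are constructed for the example.

```shell
#!/bin/sh
# socks-proxy.sh: the System Preferences steps above done from the terminal,
# with a check that the setting took effect. Added example, not from the
# original article; it assumes macOS's networksetup and scutil utilities and
# the article's 127.0.0.1:1080 SOCKS listener. The service name "Wi-Fi" is
# an assumption: list yours with `networksetup -listallnetworkservices`.
set -eu

SERVICE="${SERVICE:-Wi-Fi}"
PROXY_HOST=127.0.0.1
PROXY_PORT="${PROXY_PORT:-1080}"

# Constructed sample of what `scutil --proxy` prints with the SOCKS proxy on
# (real output carries more keys); lets the parser below be exercised offline.
SAMPLE_SCUTIL='<dictionary> {
  HTTPEnable : 0
  HTTPSEnable : 0
  SOCKSEnable : 1
  SOCKSPort : 1080
  SOCKSProxy : 127.0.0.1
}'

# Read `scutil --proxy` output on stdin and print "host:port" when a SOCKS
# proxy is enabled, nothing otherwise. Field 3 is the value after the colon.
socks_from_scutil() {
    awk '
        /SOCKSEnable/ { enabled = $3 }
        /SOCKSProxy/  { host = $3 }
        /SOCKSPort/   { port = $3 }
        END { if (enabled == 1 && host != "" && port != "") print host ":" port }
    '
}

# Same as checking "SOCKS Proxy" in the Proxies tab and entering 127.0.0.1:1080.
proxy_on() {
    networksetup -setsocksfirewallproxy "$SERVICE" "$PROXY_HOST" "$PROXY_PORT"
    networksetup -setsocksfirewallproxystate "$SERVICE" on
}

# Same as unchecking the box (the address and port stay stored but unused).
proxy_off() {
    networksetup -setsocksfirewallproxystate "$SERVICE" off
}

# Confirm the system-wide proxy dictionary now points at the tunnel.
verify() {
    active=$(scutil --proxy | socks_from_scutil)
    if [ "$active" != "$PROXY_HOST:$PROXY_PORT" ]; then
        echo "system SOCKS proxy is not active (got: '${active:-none}')" >&2
        return 1
    fi
    echo "system SOCKS proxy: $active"
}

case "${1:-}" in
    on)     proxy_on && verify ;;
    off)    proxy_off ;;
    verify) verify ;;
    *)      echo "usage: $0 on|off|verify" >&2 ;;
esac
```

`sh socks-proxy.sh on` applies the setting and prints the active proxy; `sh socks-proxy.sh off` is the terminal equivalent of unchecking the SOCKS Proxy box in the final section. Note that the proxy setting stays in place if the tunnel dies, in which case proxied applications simply fail to connect rather than falling back to a direct connection.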
If you cannot make changes to your Mac's network settings, you can still use Firefox to secure your web browsing traffic. With this method, only traffic in Firefox is routed through the proxy service; all other traffic is routed normally.
- From the hamburger menu (the menu item that looks like 3 parallel lines), select Preferences.
- You will be in the General section of the options, scroll down to the bottom and click on the Settings... button in the Network Settings section.
- Now you need to fill in the proxy details based on the proxy you set up earlier.
- Select the radio button next to Manual proxy configuration
- In the SOCKS Host section, enter 127.0.0.1.
- Enter 1080 as the Port (or whatever local port you selected when you set up the SOCKS proxy earlier).
- Click the radio button to select SOCKS v5.
- There are a few more options to consider before finalizing setup.
- Neither of the SSH tunnel configurations we set up requires a password or other authentication to use the proxy, so the first option, Do not prompt for authentication if password is saved, is not going to affect anything.
- The important item is Proxy DNS when using SOCKS v5. Check the box next to this option; otherwise your DNS requests will be made locally, and anyone who can observe your local DNS traffic will be able to see which sites you visited even if they can't see what you did when you went there.
- Enable DNS over HTTPS: this adds another layer of protection for your DNS lookups, at the risk of slowing down access to websites a little more (at least on the first access).
- Click the OK button to apply these changes.
Test the proxy by revisiting https://hostdime.com/ip and make sure your reported IP address has changed. If you don't see a change in the IP address, try forcing the page to refresh or quit and restart your browser and try again.
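The difference the Proxy DNS option makes can be seen from the terminal with curl, which has an explicit switch for each behaviour: --socks5 resolves the hostname on your Mac before connecting through the proxy, while --socks5-hostname hands the unresolved name to the proxy so the lookup happens on the remote server, which is what Firefox does with the box checked. The script below is an added example, not part of the original article; it assumes the article's 127.0.0.1:1080 listener and that the check page returns the address as plain text (the article only says it shows your IP), and the script name dns-check.sh is an assumption.

```shell
#!/bin/sh
# dns-check.sh: show what "Proxy DNS when using SOCKS v5" changes, using curl
# against the same 127.0.0.1:1080 listener. Added example, not from the
# original article; --socks5 and --socks5-hostname are curl's own options.
# Assumes CHECK_URL answers with just the client's address as plain text.
set -eu

PROXY="${PROXY:-127.0.0.1:1080}"
CHECK_URL="${CHECK_URL:-https://hostdime.com/ip}"

# Return 0 if $1 looks like a dotted-quad IPv4 address (each octet 0..255).
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Return 0 when the two reported addresses differ, i.e. the proxied request
# really left from the remote server rather than from this Mac.
ips_differ() {
    [ "$1" != "$2" ]
}

fetch_direct()     { curl -s "$CHECK_URL"; }
# Hostname is resolved by this Mac, then only the TCP connection goes via
# SOCKS: the DNS query itself still leaves your network in the clear.
fetch_local_dns()  { curl -s --socks5 "$PROXY" "$CHECK_URL"; }
# Hostname is sent to the proxy unresolved and looked up on the remote
# server, which is what Firefox's "Proxy DNS" option does.
fetch_remote_dns() { curl -s --socks5-hostname "$PROXY" "$CHECK_URL"; }

main() {
    direct=$(fetch_direct)
    proxied=$(fetch_remote_dns)
    is_ipv4 "$direct"  || { echo "unexpected reply (direct): $direct" >&2; return 1; }
    is_ipv4 "$proxied" || { echo "unexpected reply (proxied): $proxied" >&2; return 1; }
    echo "direct IP:  $direct"
    echo "proxied IP: $proxied"
    if ips_differ "$direct" "$proxied"; then
        echo "OK: proxied traffic leaves from the remote server"
    else
        echo "WARNING: proxy not in use; traffic is leaving directly" >&2
        return 1
    fi
}

case "${1:-}" in
    run) main ;;
    *)   echo "usage: $0 run" >&2 ;;
esac
```

Run `sh dns-check.sh run` with the tunnel up. Both fetch_local_dns and fetch_remote_dns will report the remote server's address, because the HTTP connection goes through the tunnel either way; the difference is only visible in the DNS traffic leaving your Mac, which is why the Firefox option matters even though the IP check page looks the same.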
Disabling the SSH Tunnel and Proxy Service
To disconnect from the SSH tunnel, follow these steps:
- Disable SOCKS proxy use either by unchecking the SOCKS Proxy from the Advanced... section of the Network preference pane or by switching to System Proxy or No Proxy in the Preferences of Firefox, depending on which set of directions you followed.
Disconnect the SSH tunnel and close the connection to your remote server.
- Launch the Terminal application from your Utilities folder in the Applications folder.
In the terminal window, enter the following command (editing it as needed):
Replace server.domain.com with the IP address or server hostname of your remote server.
Replace 22 with the port number that your remote server accepts SSH connections on. 22 is the default.
If you have problems for any reason disconnecting from your remote server this way, you can always restart your Mac and that will automatically kill the connection.
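The disconnect step as an added example that is not part of the original article: it sends -O exit to the master process over the control socket created in the setup section, after using -O check to tell a live tunnel from a stale socket file left behind by a crash or reboot. The placeholders server.domain.com, 22 and /tmp/sshtunnel are the article's own and must match what you used to start the tunnel; the script name tunnel-down.sh and the variable names are assumptions.

```shell
#!/bin/sh
# tunnel-down.sh: the disconnect command from this section, with a status
# check before and after. Added example, not from the original article; it
# reuses the article's placeholders (server.domain.com, port 22,
# /tmp/sshtunnel), edit them to match the values you used to start the tunnel.
set -eu

SSH_HOST="${SSH_HOST:-server.domain.com}"
SSH_PORT="${SSH_PORT:-22}"
SOCKET="${SOCKET:-/tmp/sshtunnel}"

# The command line this script runs, printed so it can be reviewed (or
# tested) without touching the network.
tunnel_down_cmd() {
    printf 'ssh -S %s -O exit %s -p %s\n' "$SOCKET" "$SSH_HOST" "$SSH_PORT"
}

# Report the tunnel state without changing it: "running", "stale" (socket
# file present but no master answering) or "absent".
tunnel_state() {
    if [ ! -S "$SOCKET" ]; then
        echo absent
    elif ssh -S "$SOCKET" -O check "$SSH_HOST" >/dev/null 2>&1; then
        echo running
    else
        echo stale
    fi
}

tunnel_down() {
    case "$(tunnel_state)" in
        running)
            # -O exit asks the master process to drop all forwardings and
            # exit; ssh removes the socket file itself when it does.
            ssh -S "$SOCKET" -O exit "$SSH_HOST" -p "$SSH_PORT"
            ;;
        stale)
            echo "no master on $SOCKET, removing the leftover socket file" >&2
            rm -f "$SOCKET"
            ;;
        absent)
            echo "no tunnel socket at $SOCKET; nothing to do" >&2
            ;;
    esac
    echo "tunnel state: $(tunnel_state)"
}

case "${1:-}" in
    down)  tunnel_down ;;
    state) tunnel_state ;;
    *)     echo "usage: $0 down|state" >&2 ;;
esac
```

`sh tunnel-down.sh down` closes the tunnel and prints the resulting state, which should be "absent"; if it still reports "running", the master did not accept the exit request and the restart fallback described above still applies.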
- Quit the Terminal application.
- Test your connection to https://hostdime.com/ip and make sure the IP that gets reported is no longer the IP address of your remote server.