Desktop app to forward remote TCP port to a SOCKS proxy via SSH

View on GitHub


TL;DR follow these instructions to start building a flexible residential back-connect proxy network on any platform running Electron.


This Electron desktop app forwards socksPort and squidPort to proxyRemote IP on the remote server over SSH and in reverse, forwards a random port on a remote Linux box to a SOCKS proxy running locally.

Clients connecting to squidPort or socksPort on the machine running the app, will be tunneled to proxyRemote on remote server. Similarly, remote SOCKS connections will be proxied out the local WAN interface of the machine running the app. It is up to you to handle incoming client connections on the remote server using HAProxy, Squid, etc.


client config

cat << EOF > ~/.proxy-socks/config.json
    "username": "tunnel",
    "host": "{proxy-concentrator}",
    "port": 22,
    "privateKey": "${HOME}/.proxy-socks/id_rsa",
    "squidPort": 3128,
    "socksPort": 1080,
    "proxyRemote": ""

server config

cat << EOF > /home/tunnel/
echo '+--------------------------+'
echo '|                          |'
echo '|  Nothing to see here...  |'
echo '|                          |'
echo '+--------------------------+'

chmod +x /home/tunnel/
chown tunnel:tunnel -hR /home/tunnel
cat << EOF >> /etc/ssh/sshd_config

Match User tunnel
  ForceCommand /home/tunnel/

service ssh restart


The Windows binary is not signed and modern Chrome/Windows will try to prevent it from running. If this is important to you, you can get a signing certificate from one of the vendors and build a signed release.

OS release
Windows latest, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0
Linux (AppImage) latest, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0
Linux (Snap) latest, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0
Mac OS X latest, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0

The app will attempt to insert itself into the appropriate start-up chain to start automatically with the operating system and appear minimised to tray.

you should see a random TCP port and two different public IPs if everything is working correctly


the server is listening on both AF_INET and AF_INET6 sockets

    # netstat -a -n -p | grep LISTEN | grep ::1
    tcp6       0      0 ::1:{zzz}               :::* ...

    root@ubuntu:# curl -6

    root@ubuntu:# curl -6 --socks5 localhost:{zzz}

next steps

Every new installation of the app, will attempt to make a connection to the remote server and forward a random port to the local proxy. These proxies can then be exposed on the public interface of the server using HAProxy, OpenVPN or a combination of tools.

An example shell script can be used to automatically generate HAProxy configuration for all connected proxies.

Once the ports are exposed, ensure appropriate ACLs are set.

© 2018 belodetek