Tunnel traffic through another machine over ssh

I want to be able to route a portion of my traffic through another machine over SSH. For example, is it possible to browse the web through the ssh tunnel and also browse the web through your LAN connection without much effort? (i.e. I want a seamless transition from using tunnel to using LAN)

Thus it is not a simple how do I tunnel ALL web traffic through ssh tunnel, but moreso how can I setup a tunnel that I can use at my discretion but not impeded my normal traffic flow. (Kind of on an as-needed basis)

I would like the filtered traffic to be encrypted when leaving the LAN and it could be ftp, ssh, web, mail whatever traffic.

Some questions I think I need to answer/address:

  • Does this require multiple nics?
  • Does this require setting up a proxy?
  • Can I even do this the way I want it to function?

Are there other options aside from a tunnel to achieve the result of having some traffic (user decides) encrypted through another machine (outside the LAN) and have other traffic use the normal flow through the LAN and out into the internet world?

Edit: If some of the answers depend on specific traffic types I can be more specific and say that web traffic is a primary focus of this. However, other traffic such as IM/Email traffic would be desirable.

Asked By: Chris


I don’t know if that’s what you’re looking for, but you can use ssh -D4545 domain.com to open a socks proxy tunnel at port 4545 to the desired machine from your computer.

You can then set up that proxy in your application (say Firefox) and use a plugin to quickly engage and disengage the proxy settings (something like TorButton).

There is one drawback though: when your target host has more than one network device, you cannot control which one will your data take to leave the machine you’re tunneling to.

This can be circumvented by installing a normal proxy server on that machine, routing the traffic from, say, localhost:3128 to the desired network interface, and then doing a ssh -L4545:localhost:3128 and pointing all applications to 4545 that ought to use the proxy.

This gives you greater control on the proxy side, as the integrated proxy of SSH is not really configurable.

Answered By: polemon
Categories: Answers Tags: , , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.