SOCKS5 via SSH on Windows for a specific user
Tunnel Internet traffic via any machine via SSH connection.
Choose direct or proxy connection by launching apps as different users.
Principles
- SSH supports SOCKS5 proxy (and port forwarding both ways).
- Windows allows to configure proxy settings on the per-user basis.
1. ssh alice@example.com -D 127.0.0.1:1080 to open SOCKS5 proxy
Optionally add -N to disable shell and wait for Ctrl+C.
Optionally add -v to show something. Otherwise there is no output.
ssh alice@example.com -v -N -D 127.0.0.1:1080
2. Prepare a .pac file - a simple JavaScipt script
Use proxy for all connections:
function FindProxyForURL(url, host) {
return "SOCKS5 127.0.0.1:1080;";
}
Although, very sophisticated configurations are possible.
See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file
See: https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/connectivity-navigation/optimize-pac-performance
Authentication with passowrd is not supported.
3. Serve .pac locally via HTTP with IIS
- Open Turn Windows features on or off, select and install:
- Internet Information Services
- Web Management Tools
- World Wide Web services
- Common HTTP features
- Internet Information Services
- Create a folder for serving static files via HTTP.
- Grant Read and Execute to
IUSRandIIS_IUSRS. (401 if not done.) - Locate the
.pacfile in this folder.
- Grant Read and Execute to
- Open Internet Information Services (IIS) Manager:
- Create a website:
- In Bindings…, configure only
127.0.0.2. (Or anyone from Internet can connect.) - Add MIME type
application/x-ns-proxy-autoconfigfor.pac. (404 if not done.) - Optionally, enable Directory Browsing. (403 on index page if not done.)
- In Bindings…, configure only
- Disable stop the Default Web Site or configure similar bindings. (For security too.)
- Open http://127.0.0.2/ (configured in Bindings…) in browser.
- Click the
.pacfile. It should be downloaded. - Copy the link address of the
.pacfile via context menu.
- Click the
- Create a website:
4. Configure proxy in the system for another user
Run as Administrator:
reg add "HKU\S-1-5-21-1938875136-3881193919-344594422-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /t REG_SZ /d "http://127.0.0.2/proxy.pac" /f
Where:
S-1-5-21-1938875136-3881193919-344594422-1002is user’s SID.HKU\S-1-5-21-1938875136-3881193919-344594422-1002is user’s registry hive. (Each user sees their hive asHKCU.)
5. Open a browser as this user
Tested with Google Chrome and Firefox.
- Search for
ChromeorFirefoxin Start menu. - Right click and
Open file location. - Hold Ctrl+Shift and right lick.
- Choose
Run as different user. Type username and password of the user. - Check you IP address.
6. Block browser connections in firewall
Block the browser completely in firewall. Connections to 127.0.0.0/8 bypass Windows Firewall anyway.
Windows Firewall supports rules based on application and user (local principal).
Consider blocking all outbound traffic by default and allowing only specific applications and users (local principals).