SOCKS5 Proxy Demystified

A SOCKS5 proxy is a nice flexible tool for routing a certain application's (or system's) traffic through a different machine. This can be desireable for a number of reasons, one of which includes obscuring your actual IP address from various applications, websites, and services. For instance if you must have a Google Email / G Suite / Google Workspace account for work but you don't want Google collecting your IP address and location tied to your account, you can use a SOCKS5 to hide your IP address. For example if you are using Thunderbird, you can give Thunderbird your SOCKS5 proxy settings which will force all Thunderbird traffic over the proxy, and Google will only ever see your email account related requests coming from the proxy machine IP address instead of your own.

There are two nice things about a SOCKS5 proxy:

  1. It just uses SSH (it's just an SSH tunnel essentially over which an application's traffic may be routed) - no need to install separate programs
  2. It routes all protocols (as opposed to just routing HTTP/HTTPS traffic in the case of an HTTP proxy)

Digital Ocean has a great guide for setting up a SOCKS5 proxy.

Here's the example from the guide:

ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N user@ -p 22

Where the arguments mean the following:

  • -i: The path to the SSH key (on the local machine) used to connect to the host
  • -D: Indicate we want a SOCKS tunnel on the given port (between 1025 and 65536)
  • -f: Run process to the background
  • -C: Enable compression
  • -q: Quiet mode
  • -N: Indicate that no command will be sent when tunnel is up

Since this is just SSH you can make use of any entries defined in ~/.ssh/config to simplify the command, and while you are getting the proxy setup it's nice to omit the background and quiet arguments, and add verbosity (-vvv) so you can watch the terminal output to ensure traffic is routed over the proxy as expected. For instance:

ssh -D 1337 -C -N -vvv proxy-nickname

This will use your ~/.ssh/config entry for 'proxy-nickname', and setup the SOCKS5 proxy to be accessible on the local machine on port 1337 (so you'll generally just be adding '' as your SOCKS5 proxy in whatever applications you want to use the proxy).

SOCKS5 in Chromium Based Browsers

Chromium based browsers (Chrome, Brave, etc) only seem to have the option to use the system wide proxy, which is undesirable in many use cases. There is a workaround however that entails passing a couple of parameters when starting the browser:

--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE"

More details in this Chromium doc:


 socks5 proxy  proxies  privacy  SSH