Mac OSX SSH based SOCKS proxy configuration

This post is about setting up and configuring automatically an SSH based SOCKS proxy configuration on Mac OSX. I need it to be configured automatically, since scientific publications are accessible only from an academic institution IP address. Since I spend a lot of time on the console, it is more convenient to have a bash script for that. Also, I have access to plenty of Linux servers at my institution, thus it is very easy to use one of them as SOCKS proxy.

SSH Socks Proxy

Let’s assume there is an SSH server on machine accessible at port 22 and also our username is user. It will really help if you set up SSH key pairs for PubKey authentication, to avoid entering passwords all the time. Let’s put the SSH server information in shell variables to have them handy:


In order to create an SSH SOCKS proxy, issue the following command on the terminal:

 ssh -D 1080 -p ${SSH_PORT} ${SSH_HOST}

In order to use that SOCKS proxy, open Settings, then Network, then Advanced… on the bottom right of the form, go to the tab Proxies, enable the SOCKS proxy item on the “Selected protocols to configure list, and finally set localhost as SOCKS Proxy Server and 1080 as the port, it will show like: localhost : 1080. Now, navigate to a site that reports your IP, you’ll notice that the site thinks your IP is the IP of the SSH server.

Some more tricks are needed, since when we use the proxy we don’t need shell access to the machine, rather we’d like to connect immediately to the proxy and leave it on the background. Also, compression would be nice to have. In order to have an SSH SOCKS proxy, I use the options -C2qTnNf. I am not going to get into details here, the idea is to use SSH2, to use compression, to not start a shell, to return right after the connection and to be quiet. Let’s see our command line now:

 ssh -C2qTnNfD 1080 -p ${SSH_PORT} ${SSH_HOST}

I am not currently aware of a way to stop this, so in the tool I am going to filter the process list and kill the above process.

Configuring Mac OSX Network Settings

It is very annoying to have to go through all these dialogs to enable and disable the use of our SOCKS proxy. Fortunately, OSX has a tool to automatically configure network devices, named networksetup. If you run it without parameters, it will give a short description of it’s capabilities. There are three options related to proxy configuration.
To configure a SOCKS proxy for the wireless connection, when the proxy is running at localhost on port 1080, the command is:

networksetup -setsocksfirewallproxy airport localhost 1080

To enable the use of the configured SOCKS proxy, we need the following command:

networksetup -setsocksfirewallproxystate airport on

You can easily guess that you can disable the use of a SOCKS proxy with:

networksetup -setsocksfirewallproxystate airport off

The following command responds with the current configuration:

networksetup -getsocksfirewallproxy airport

If we want to make the same settings for the wired connection, we exchange airport with Ethernet.

The script

Now that we have all the required info, let’s create a script to control our SOCKS proxy. I intend to put it in my ~/bin directory and start, stop and query status with the following commands:

$ proxy on
$ proxy off
$ proxy status

The script is shown at the end of the post. The first lines allow for easy configuration. In order to stop the ssh connection, I keep the SOCKS proxy creation command in a variable and search that command in the list of running processes. If this process is active, then it gets killed.

Update: As Henc proposes in the comments section, for OSX 10.8 (Mountain Lion), NET_SERVICE for wireless should be  Wi-Fi (script line 19). In order to list the available network service names, use

$ networksetup -listallnetworkservices

Here is the script:

## (C) George Goulas, 2011
## Proxy service configuration script for OSX
## tested on MacOSX Lion 10.6

# user@host
# OSX network service to configure proxy for
# Verbose, if not empty, it prints diagnosing messages


function report {
	if [ -n "${VERBOSE}" ]; then
		echo $MSG

function enableProxy {
	networksetup  -setsocksfirewallproxy ${NET_SERVICE} localhost ${PORT}
	networksetup  -setsocksfirewallproxystate ${NET_SERVICE} on

function disableProxy {
	ps -ax | grep "${SSH_CMD}" | grep -v grep | awk '{print $1}'| xargs kill
	networksetup  -setsocksfirewallproxystate ${NET_SERVICE} off

function showStatus {
	ps -ax | grep "${SSH_CMD}" | grep -v grep > /dev/null
	if [ $? -eq 0 ]; then
		echo SSH SOCKS Proxy status: ON
		echo SSH SOCKS Proxy status: OFF
	networksetup -getsocksfirewallproxy ${NET_SERVICE} | grep Enabled | grep Yes > /dev/null
	if [ $? -eq 0 ]; then
		echo Proxy setting in network setup for ${NET_SERVICE}: ON
		echo Proxy setting in network setup for ${NET_SERVICE}: OFF

case "$1" in

	on)	report "Enabling Proxy"

	off)	report "Disabling Proxy"

	status) echo status
	*) echo Options: on to enable proxy, off to disable, status to see status.

It would be nice to have an icon and switch in the notification area to simplify the process, but for me, an iTerm is always open, so it works easier for me.

About these ads

Posted on December 19, 2011, in Uncategorized and tagged , , . Bookmark the permalink. 5 Comments.

  1. Nice job George. Saved me some time so I didn’t have to dig it up on my own.

  2. On my MacBook Air 2012 running OS X 10.8, I had to change the NET_SERVICE to Wi-Fi, but other than that, everything worked!

  3. Thanks, it inspired me to make few changes:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

%d bloggers like this: