Google Chrome + Socks5 proxy

$ ssh -vND localhost:2222 [email protected]
$ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --user-data-dir=/tmp/chrome --proxy-server=socks5://localhost:2222

Let's break down each command:

  • ssh -vND localhost:2222 [email protected]
    • -v: Be verbose -- prints SSH information to stdout.
    • -N: Do not execute remote program, only forward ports.
    • -D localhost:2222: Local address and port on which ssh opens a SOCKS listener; traffic sent to it is proxied through the SSH connection.
    • [email protected]: Standard SSH semantics
  • .../Google\ Chrome --user-data-dir=/tmp/chrome --proxy-server=socks5://localhost:2222
    • --user-data-dir: Where user data should be stored. More subtly, this must be set and must not be the default user data directory since this is the mechanism that signals to the operating system that this should be a new Chrome process and not another Chrome tab. (Roughly.)
    • /tmp/chrome: Where that user data is stored. I tend not to care about this data for long periods of time, so /tmp is a good place.
    • --proxy-server: Signifies that only this new Chrome process should use a proxy. Otherwise, Chrome defaults to system-wide proxy settings.
    • socks5://: The protocol used to proxy traffic is SOCKS5.
    • localhost:2222: This is the socket that the previous SSH command created -- it's the proxying, encrypted tunnel to proxyinghost.tld

I was able to use my non-work Windows machine to access internal pages via this proxying mechanism.

# On VPN-connected work MacBook
$ ssh -vND fbbk.kingdom:2222 localhost
  • fbbk.kingdom:2222 makes the dynamic SSH tunnel bind to the LAN IP of my work machine so it is accessible to LAN-connected devices
  • SSH'ing to localhost means proxied web requests will look like they're being issued by my work laptop
# On Windows 10 desktop
> "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors --user-data-dir=C:\chrome_temp --proxy-server=socks5://fbbk.kingdom:2222
  • --ignore-certificate-errors is required because my Windows machine isn't managed, and therefore won't have the CAs used at work installed

Next step is to figure out how to put credentials around the proxy so a username and password are required before being able to use it.
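
What "no credentials around the proxy" looks like on the wire, as an added example (not the author's code): this Python check runs only the SOCKS5 method negotiation from RFC 1928 and combines the answer with the listener's bind address, since a listener that selects method 0x00 serves any client that can reach it. The function names, the socket pair standing in for a listener, the replies and the address 192.168.1.20 are constructed so it runs offline.

```python
import ipaddress
import socket

VER = 0x05                                        # SOCKS version byte
NO_AUTH, USERPASS, NONE_OK = 0x00, 0x02, 0xFF     # RFC 1928 method codes

def build_greeting(methods=(NO_AUTH, USERPASS)):
    """Client greeting: VER, NMETHODS, then one byte per offered method."""
    return bytes([VER, len(methods), *methods])

def parse_method_reply(reply):
    """The server answers with two bytes: VER, chosen METHOD."""
    if len(reply) != 2 or reply[0] != VER:
        return "not-socks5"
    return {NO_AUTH: "open-no-auth", USERPASS: "requires-userpass",
            NONE_OK: "rejected-all-methods"}.get(reply[1], "other-method")

def probe(sock):
    """Run only the method negotiation over an already connected socket."""
    sock.sendall(build_greeting())
    reply = b""
    while len(reply) < 2:
        chunk = sock.recv(2 - len(reply))
        if not chunk:          # peer closed before sending a full reply
            break
        reply += chunk
    return parse_method_reply(reply)

def exposure(bind_ip, verdict):
    """Combine the listener's bind address with what it demands of clients."""
    if verdict != "open-no-auth":
        return "authenticated-or-closed"
    if ipaddress.ip_address(bind_ip).is_loopback:
        return "loopback-only"
    return "open-proxy-on-network"

def constructed_peer(reply):
    """Stand-in for a listener: a socket pair with `reply` already queued."""
    client, server = socket.socketpair()
    server.sendall(reply)
    return client, server      # caller keeps `server` open while probing

if __name__ == "__main__":
    # Constructed cases: a no-auth listener on loopback, then on a LAN address.
    for ip in ("127.0.0.1", "192.168.1.20"):
        client, server = constructed_peer(b"\x05\x00")
        verdict = probe(client)
        print(ip, verdict, exposure(ip, verdict))
        client.close()
        server.close()
```

Against a real listener, pass `probe()` a socket connected to the tunnel's own address and port, and give `exposure()` the IP address the listener is bound to.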