$ ssh -vND localhost:2222 firstname.lastname@example.org
$ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --user-data-dir=/tmp/chrome --proxy-server=socks5://localhost:2222
Let's break down each command:
ssh -vND 2222 email@example.com
-v: Be verbose -- prints SSH information to
-N: Do not execute remote program, only forward ports.
-D localhost:2222: Local socket through which traffic is proxied.
firstname.lastname@example.org: Standard SSH semantics
.../Google\ Chrome --user-data-dir=/tmp/chrome --proxy-server=socks5://localhost:2222
--user-data-dir: Where user data should be stored. More subtly, this must be set and must not be the default user data directory since this is the mechanism that signals to the operating system that this should be a new Chrome process and not another Chrome tab. (Roughly.)
/tmp/chrome: Where that user data is stored. I tend not to care about this data for long periods of time, so /tmp is a good place.
--proxy-server: Signifies that only this new Chrome process should use a proxy. Otherwise, Chrome defaults to system-wide proxy settings.
socks5://: The protocol which is being used to proxy traffic is
localhost:2222: This is the socket that the previous SSH command created -- it's the proxying, encrypted tunnel to
I was able to use my non-work Windows machine to access internal pages via this proxying mechanism.
# On VPN-connected work MacBook
$ ssh -vND fbbk.kingdom:2222 localhost
- fbbk.kingdom:2222 makes the dynamic SSH tunnel bind to the LAN IP of my work machine so it is accessible to LAN-connected devices
- SSH'ing to localhost means proxied web requests will look like they're being issued by my work laptop
# On Windows 10 desktop
> "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors --user-data-dir=C:\chrome_temp --proxy-server=socks5://fbbk.kingdom:2222
--ignore-certificate-errors is required because my Windows machine isn't managed, and therefore won't have the CAs used at work installed
The next step is to figure out how to put credentials around the proxy so a username and password are required before being able to use it.
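To confirm whether a SOCKS5 listener like the one above demands credentials, the following added example (not code from the original post) performs only the RFC 1928 method negotiation against your own proxy and reports which authentication method it selects. The function names are hypothetical, and the default host and port are assumed to be the `localhost:2222` listener from the first command.

```python
import socket

NO_AUTH, USER_PASS = 0x00, 0x02   # RFC 1928 method codes

def build_greeting(methods):
    """Client greeting: VER=5, NMETHODS, then one byte per offered method."""
    return bytes([0x05, len(methods), *methods])

def parse_method_reply(reply):
    """Return the method byte the server selected (0xFF = none acceptable)."""
    if len(reply) != 2 or reply[0] != 0x05:
        raise ValueError(f"not a SOCKS5 method reply: {reply!r}")
    return reply[1]

def tcp_send(host, port, greeting, timeout=3.0):
    """Send one greeting on a fresh connection and read the 2-byte reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(greeting)
        reply = b""
        while len(reply) < 2:
            chunk = s.recv(2 - len(reply))
            if not chunk:          # server closed instead of answering
                break
            reply += chunk
    return reply

def accepts(host, port, method, send=tcp_send):
    """True if the proxy selects `method` when it is the only one offered."""
    reply = send(host, port, build_greeting([method]))
    return bool(reply) and parse_method_reply(reply) == method

def audit(host="localhost", port=2222, send=tcp_send):
    """'open' means anyone who can reach the socket can use the tunnel."""
    if accepts(host, port, NO_AUTH, send):
        return "open"
    if accepts(host, port, USER_PASS, send):
        return "password-required"
    return "unknown"

if __name__ == "__main__":
    print(audit())  # defaults assume the listener from `ssh -D localhost:2222`
```

A result of `open` on a listener bound to a LAN address means every device that can reach that address can send traffic through the tunnel.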