OpenWrt router as a SOCKS5 proxy for someone at a particular public IP address

My setup:

  • Router is a TP-Link C7 v5 running on an OpenWrt 19.07.8 custom image.
  • An OpenSSH server runs on it.

Question:

Could I turn my router into a Web browsing proxy for someone at public I.P. address 7.7.7.7 by the following steps?

Step 1. SSH into the router and run (where me is a user account):

ssh -D 1080 me@localhost

Step 2. Put the following redirect rule in /etc/config/firewall.

config redirect
	option name 'WAN11080_LAN1080'
	option target 'DNAT'
	option src 'wan'
	option src_ip '7.7.7.7'
	option src_dport '11080'
	list proto 'tcp udp'
	option dest 'lan'
	option dest_ip '192.168.0.1'
	option dest_port '1080'

Step 3. Have the person set his SOCKS5 proxy setting to 1.1.1.1:11080 (where 1.1.1.1 represents my router's public IP address).

I have never filtered a redirect rule by source IP, but notice the following discrepancy.

  • While option src_ip '7.7.7.7' refers to someone out there trying to use my router as a proxy, option src_dport '11080' refers to a port on the router. Thus the meaning of src in src_ip and src_dport is different. If this is right, we apparently don't have a filter by the source port used by the person out there on his own machine.
  • Notice that on the destination side we have no similar discrepancy. The meaning of dest in dest_ip and dest_port is the same (i.e. my router in our example).

This post is a follow-up to this other post:

Thanks very much.
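Added example, not from the thread and not OpenWrt's own code: a small Python model of the two things the first post asks about, namely how the redirect rule's src_ip / src_dport / dest_ip / dest_port fields are matched against an incoming connection (src_ip is the remote client, src_dport is the port on the router, and the client's own source port is never consulted), and whether the translated packet then finds a listener. The addresses and ports are the thread's placeholders (7.7.7.7, 1.1.1.1, 192.168.0.1, 11080, 1080). The matching logic is a deliberate simplification of iptables DNAT assumed here, not fw3's real code. The listener model follows the ssh(1) manual: `ssh -D 1080` binds the SOCKS port to loopback only unless a bind address (`-D 192.168.0.1:1080`) or `-g` is given, and the SOCKS port carries TCP only.

```python
"""Toy model of an OpenWrt 'config redirect' (target DNAT) rule plus the
listener behind it. Constructed example; not fw3 or OpenSSH code."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ROUTER_WAN_IP = "1.1.1.1"      # thread placeholder for the router's public address


@dataclass(frozen=True)
class Conn:
    proto: str
    src_ip: str
    src_port: int   # ephemeral port on the remote machine; the rule never looks at it
    dst_ip: str
    dst_port: int   # before DNAT: the port on the router (what 'src_dport' means)


@dataclass(frozen=True)
class Redirect:
    src_ip: Optional[str]        # remote client address ('src' = where the packet came from)
    src_dport: int               # port on the router the client connects to
    protos: FrozenSet[str]
    dest_ip: str                 # where the packet is sent after translation
    dest_port: int


@dataclass(frozen=True)
class Listener:
    bind_ip: str                 # "127.0.0.1" for plain 'ssh -D 1080'
    port: int
    proto: str = "tcp"           # ssh -D is a TCP-only SOCKS port


# The rule from the first post, as constructed data.
REDIRECT = Redirect(src_ip="7.7.7.7", src_dport=11080,
                    protos=frozenset({"tcp", "udp"}),
                    dest_ip="192.168.0.1", dest_port=1080)

SSH_D_DEFAULT = Listener("127.0.0.1", 1080)     # ssh -D 1080 me@localhost
SSH_D_LAN = Listener("192.168.0.1", 1080)       # ssh -D 192.168.0.1:1080 me@localhost


def client_conn(src_ip: str, src_port: int = 51515, proto: str = "tcp") -> Conn:
    """A connection from some remote host to the router's WAN port 11080."""
    return Conn(proto, src_ip, src_port, ROUTER_WAN_IP, 11080)


def dnat(rule: Redirect, conn: Conn) -> Optional[Conn]:
    """Return the translated connection if the rule matches, else None.
    Note that conn.src_port is never compared: the rule cannot filter on it."""
    if conn.proto not in rule.protos:
        return None
    if conn.dst_ip != ROUTER_WAN_IP:          # rule is on the wan zone
        return None
    if rule.src_ip is not None and conn.src_ip != rule.src_ip:
        return None
    if conn.dst_port != rule.src_dport:
        return None
    return Conn(conn.proto, conn.src_ip, conn.src_port, rule.dest_ip, rule.dest_port)


def accepts(listener: Listener, conn: Conn) -> bool:
    """A socket bound to 127.0.0.1 only receives packets addressed to 127.0.0.1;
    a socket bound to 0.0.0.0 receives packets for any local address."""
    if conn.proto != listener.proto or conn.dst_port != listener.port:
        return False
    return listener.bind_ip in ("0.0.0.0", conn.dst_ip)


def route(rule: Redirect, listener: Listener, conn: Conn) -> str:
    """End-to-end verdict for one incoming connection."""
    translated = dnat(rule, conn)
    if translated is None:
        return "rejected-by-firewall"
    if not accepts(listener, translated):
        return "no-listener"
    return "proxied"


if __name__ == "__main__":
    cases = [
        ("7.7.7.7 -> ssh -D 1080 (loopback bind)", SSH_D_DEFAULT, client_conn("7.7.7.7")),
        ("7.7.7.7 -> ssh -D 192.168.0.1:1080", SSH_D_LAN, client_conn("7.7.7.7")),
        ("7.7.7.7, different source port", SSH_D_LAN, client_conn("7.7.7.7", src_port=40000)),
        ("8.8.8.8 (not in src_ip)", SSH_D_LAN, client_conn("8.8.8.8")),
        ("7.7.7.7 over UDP", SSH_D_LAN, client_conn("7.7.7.7", proto="udp")),
    ]
    for label, listener, conn in cases:
        print(f"{label}: {route(REDIRECT, listener, conn)}")
```

The model makes the two practical points concrete: the rule does restrict who can reach the port (8.8.8.8 is rejected, any source port from 7.7.7.7 is accepted), but the plain `ssh -D 1080` listener in step 1 is bound to loopback, so the DNAT'd packet for 192.168.0.1:1080 has nothing to land on; binding the SOCKS port to the LAN address fixes that. The 'udp' entry in the rule buys nothing, since the SSH SOCKS port only speaks TCP.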

You probably don't need the firewall DNAT; just open a port for 7.7.7.7, and make sure sshd listens on all interfaces and on that port.

Another option.
Never done it in Linux, only in PuTTY, but I'd make the tunnel listen on a local port, then set the SOCKS proxy to localhost at that port in the browser.

Which is enough to get it to work.

Note this doesn't require any actual proxy on the router; it's handled by SSH.

1 Like

Thank you. But I do not want anyone but 7.7.7.7 to have access to the facility set up by the SSH forward. "It should work anyway" would mean just anybody could?

Rephrased.

Anyone would be whoever got the SSH access, but you can always limit the ability to connect in the firewall, by IP or range.

Another option would be to require socks5 authentication.

Most browsers don't support it out of the box, but the feature can be added by installing an add-on.
Then you could skip the SSH, and restrict access by auth and source IP.
It would however require a SOCKS5 proxy capable of RFC 1929.

1 Like

Thank you again. But the whole motivation is to give Web proxy access to someone who does not have SSH. In a typical setup, an SSH client (e.g. PuTTY) and the Web browser would reside on the same machine (so from your "computer" you start a PuTTY tunnel and set your browser to use it). But my idea (in the post) was to place the SSH client in the router (i.e. so it co-resides with the SSH server in the same router) and leave the Web browser on someone's "computer", i.e. the person at 7.7.7.7. The redirect rule then gives him (i.e. the Web browser on his "computer") access to the SSH client in the router.

Then I don't see the point of the SSH?

Haven't read your 1st thread though...

1 Like

I believe the correct way to implement my "idea" is to use a proxy server, e.g. one from this list:

But I'd still like to know whether my "idea" would work, just as a matter of understanding how SSH forwards and redirects work.

I know I could experiment and find out, but thought somebody might point out whatever was crazy in the idea, some risk I was overlooking, etc.

I had it running a few months ago with a socksd (danted) server, but I had to open the port to the whole Internet as my brother was connecting from a dynamic IP, so I used the authentication to restrict access.

1 Like

It works (haven't checked the SSH syntax though), but I still don't see the need for the SSH?

Or are you putting the SSH on 7.7.7.7's router?
That, I would understand.

1 Like

Maybe I'll just describe the whole situation.

Sometimes I have to check into an American institution's Web site from outside the U.S. You may know that e.g. many U.S. banks reject non-U.S. I.P. addresses and also VPN I.P. addresses. That is, you can't sign up for e.g. NordVPN, choose a U.S. exit point, and log into your state whatever agency or Citibank.

That's why I have an OpenWrt router in the U.S. with an I.P. address from good old AT&T (or whatever ISP) with an OpenSSH server running in it.

Yes, for my own usage I just use PuTTY or OpenSSH (client) with something like

ssh -D 1080 me@[my AT&T I.P. address in the U.S.]

I then set my Web browser to use 127.0.0.1:1080. No problem so far.

But suppose somebody (7.7.7.7) said, "Hey, let me use your AT&T to get into my bank." When this happens, I don't want to give him an SSH logon into my router and while I'm at it sign over my life as well.

The proper thing to do at this stage would be for me to learn some proxy server (Squid, dante, etc.). But I am not a computer person. When I learn something like SSH, I just want to get by on it. A proxy server will be hours and hours of learning, setting up, experimenting, etc.

So I think to myself, "Why not just set up an SSH forward from the SSH client in the router to the SSH server in the router and give this person a way to get to the SSH client."

The whole road would then be: This person's Web browser > his router > Internet > my router's WAN > (by the redirect rule) my router's LAN > OpenSSH client in my router acting as SOCKS proxy > OpenSSH server in my router > Internet > some bank > etc., etc.

To make the long story short, the "need for SSH" is that SSH is the only proxy facility I know and I am trying to get by on it.

I wouldn't leave redirect filtered by 7.7.7.7 open on an indefinite basis. I realize that someone from 7.7.7.7 could explore my LAN I.P. too. It'd be like, "You can get to your bank in the next hour."

I am writing this out because you expressed an interest (thank you) and because I want somebody to jump in and say, "Your scheme is insane. Do you realize--," and something I haven't thought of.

Run a WireGuard or OpenVPN VPN server at your house. Your friend would be the only one with credentials to use the VPN. You can also configure the firewall to only allow access to the VPN port from certain IPs.

The banks block IP addresses known to be commercial VPN services. They don't block the use of VPN technology somewhere in the path. That would be very difficult to impossible for a site to detect.

1 Like

Thank you. WireGuard is slated to be the next "big thing" in my IT life. I have big plans for it.

The plain road-warrior setup for WireGuard is rather straightforward, certainly much easier to work with than SOCKS over SSH.

1 Like