From Basics to Mastery: Implementing SSH VPN Tunneling on Windows with ProxiFyre

By | June 3, 2023
0 Comment

In conditions of constantly increasing state control over the internet, manifested, among other things, in the blocking of VPN protocols, the problem of developing alternative methods of connection is becoming increasingly relevant. This issue is not only theoretical but also quite practical. Having moved from Russia about a year ago, I continue to actively use the home infrastructure built over many years. Until recently, it was enough for me to use a VPN based on Wireguard for access to home networks, however, certain anomalies are periodically observed – an increase in the loss of UDP packets, and it seems that there are attempts to block the protocol itself. Although in some cases it is possible to bypass these problems by changing the parameters of a homemade Wireguard client, the overall picture causes some concern. That’s why today, it becomes extremely important to seek and develop alternative ways of accessing home networks in case of mass blocking of popular VPN protocols.

One of the time-tested and reliable methods, which does not require complex specialized infrastructure, is tunneling TCP connections using SSH. This protocol is critically important for the stable operation of the internet, and the likelihood of its mass blocking seems minimal. Probably, the greatest difficulties we may encounter are restrictions on the speed of the connection. However, even in this case, access to home networks will be maintained, leaving time to search for and study other possible solutions. A unique feature of SSH is the built-in SOCKS5 proxy server, which provides functionality similar to a VPN with the possibility of implementing split tunneling at the level of individual applications. This is where we come to the main topic of our discussion.

ProxiFyre is an Open Source tool that functions as a ‘socksifier’ for applications that do not have built-in support for working through SOCKS proxy servers. The program is an improved version of one of the demonstration examples for Windows Packet Filter. Unlike the base version, ProxiFyre provides support for the UDP protocol and offers the function of simultaneous use of multiple instances of SOCKS5 proxies, significantly expanding its functional capabilities. The application in a similar form has existed for a couple of years, but I only published it a couple of weeks ago after a small review. The reason for publication were several consecutive requests for additional functional capabilities (in particular UDP support), as well as a modest hope that those who ask for these improvements will take a feasible part in the further development of the project.

To simplify working with ProxiFyre, I have added the possibility of configuring it through the app-config.json file. This JSON file includes an array of configurations for various applications, which provides a high degree of flexibility and allows detailed control over the internet connection settings of each individual application.

{
    "logLevel": "None",
    "proxies": [
        {
            "appNames": ["chrome", "chrome_canary"],
            "socks5ProxyEndpoint": "158.101.205.51:1080",
            "username": "username1",
            "password": "password1",
            "supportedProtocols": ["TCP", "UDP"]
        },
        {
            "appNames": ["firefox", "firefox_dev"],
            "socks5ProxyEndpoint": "159.101.205.52:1080",
            "username": "username2",
            "password": "password2",
            "supportedProtocols": ["TCP"]
        }
    ]
}

Combining Proxifier with SSH could give you a secure method for managing your traffic and ensuring your online activity is private and secure. SSH can create an encrypted tunnel that can carry your traffic, while Proxifier can be used to direct your network traffic through that tunnel.

Here’s a step-by-step guide to achieve that:

  1. Install SSH Client: On a Windows machine, you can install an SSH client like PuTTY, which is a popular, open-source SSH client. Alternatively, if you’re using Windows 10 version 1803 or later, it comes with a built-in SSH client that you can enable and use.
  2. Create an SSH Tunnel: To do this with PuTTY, open the program and fill in the following details:
    • In the ‘Host Name (or IP address)’ field, input your server’s IP address. Ensure the Port is set to 22 (the default for SSH). In the ‘Connection type’ section, select SSH.
    Then, on the left-hand side menu, navigate to Connection > SSH > Tunnels. Here, you’ll create your SOCKS tunnel:
    • In the ‘Source port’ field, input a port number (make sure it’s a free port on your local machine, something like 8080). In the ‘Destination’ field, select the ‘Dynamic’ option (this sets up a SOCKS5 tunnel). Click ‘Add’ to add the tunnel.
    Go back to the main ‘Session’ tab, and click ‘Open’ to open the connection and create the tunnel.
  3. Create ProxiFyre configuration file: The subsequent ProxiFyre configuration file is engineered to reroute network traffic exclusively from Google Chrome and the Remote Desktop Protocol (RDP) client, also known as ‘mstsc’, through the secure confines of the SSH tunnel.
{
    "logLevel": "None",
    "proxies": [
        {
            "appNames": ["chrome", "mstsc"],
            "socks5ProxyEndpoint": "127.0.0.1:8080",
            "supportedProtocols": ["TCP"]
        }
    ]
}

In this JSON object:

  • appNames: This is an array that contains the names of the applications you want to direct through the SSH tunnel. In your case, this is Google Chrome (“chrome”) and the RDP client (“mstsc”).
  • socks5ProxyEndpoint: This is the local address and port number of your SSH tunnel. In your case, this is 127.0.0.1:8080, which corresponds to the local loopback address and the port number you’ve chosen.

Once your configuration file is correctly set up and located, ProxiFyre should automatically direct the traffic of Google Chrome and your RDP client through the SSH tunnel, providing you with a secure, encrypted tunnel for these applications.

Remember, while this setup provides security and privacy, it does not guarantee full anonymity. Your SSH server can still see your traffic, so make sure it’s a server you trust.

The example with Google Chrome may not fully reflect all the advantages of ProxiFyre, as most web browsers already have built-in support for explicit proxy settings. At the same time, many other applications lack this functionality. This is where ProxiFyre shows its effectiveness, providing the ability to configure a proxy for all applications, thereby ensuring expanded control over internet connection settings.

Architecturally, ProxiFyre consists of three main projects:

  • ndisapi.lib: An adapted project of the Windows Packet Filter static library.
  • socksify: A .NET C++/CLI class library implementing the functionality of a local SOCKS5 router.
  • ProxiFyre: A simple console .NET application for Windows that uses the functionality provided by the .NET C++/CLI class library socksify.

Detailed usage instructions, including build requirements, can be found in the repository README.

I hope this application will be useful to someone in the current challenging circumstances.

Leave a Reply

Your email address will not be published. Required fields are marked *