
SOCKS5 Proxy

Dynamic forwarding creates a local SOCKS5 proxy server on your device that routes all traffic through the SSH connection. Instead of forwarding a single port to a single destination, the proxy handles any destination on the fly — each connecting application tells the proxy where it wants to go, and the proxy tunnels that request through SSH.

Equivalent SSH command: ssh -D [bind_address:]port user@server


  • Browsing a private network. Your SSH server sits on a corporate or home LAN. You want to access multiple web UIs, admin panels, and internal services without setting up a separate local forward for each one. Configure your browser to use the SOCKS5 proxy and browse private IPs directly.
  • Privacy on untrusted Wi-Fi. You are on a coffee shop or hotel network and want all your browser traffic encrypted through a trusted server. The SSH connection encrypts the proxied traffic between your device and the SSH server; from the server onward it travels exactly as the application sent it.
  • Bypassing network restrictions. Your current network blocks certain ports or protocols. Routing traffic through the SSH tunnel sidesteps those restrictions.
  • Testing geolocation. Your SSH server is in a different region. Routing traffic through it lets you see how services respond to traffic from that location.

ZestSSH’s SOCKS5 proxy implements RFC 1928 (SOCKS Protocol Version 5). When you start a dynamic forward:

  1. A local TCP server binds to the address and port you specify (default: 127.0.0.1:1080).
  2. Applications connect to this port and perform the SOCKS5 handshake.
  3. The proxy negotiates no-authentication mode. This is safe as long as the proxy listens only on localhost, which is the default bind address.
  4. The application sends a CONNECT request with the destination address and port.
  5. ZestSSH opens a direct-tcpip SSH channel to that destination through the SSH connection.
  6. Data is relayed bidirectionally between the application and the SSH channel.

The proxy supports three address types:

  • IPv4 addresses
  • Domain names (resolved by the SSH server, not your device)
  • IPv6 addresses

Domain name resolution happening on the server side is a useful privacy property — DNS queries do not leak on your local network.
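The handshake steps and address types above, seen from the proxy's side, as an added example (not ZestSSH's code). The function names are hypothetical, and answering BIND and UDP ASSOCIATE with RFC 1928 reply code 0x07 is an assumption about how a CONNECT-only proxy responds.

```python
import ipaddress
import struct

NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x07, 0x08


def choose_method(greeting: bytes) -> bytes:
    """Answer VER NMETHODS METHODS... with VER METHOD (RFC 1928, section 3)."""
    if len(greeting) < 2 or greeting[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + greeting[1]]
    if len(methods) != greeting[1]:
        raise ValueError("truncated method list")
    return bytes([0x05, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def parse_request(req: bytes):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928, section 4).
    Returns ("connect", host, port) or ("reject", reply_code, None).
    """
    if len(req) < 5 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if cmd != CMD_CONNECT:  # BIND (0x02) and UDP ASSOCIATE (0x03)
        return ("reject", REP_CMD_NOT_SUPPORTED, None)
    if atyp == ATYP_IPV4:
        start, size = 4, 4
    elif atyp == ATYP_IPV6:
        start, size = 4, 16
    elif atyp == ATYP_DOMAIN:
        start, size = 5, req[4]  # one length byte precedes the name
    else:
        return ("reject", REP_ATYP_NOT_SUPPORTED, None)
    end = start + size
    if size == 0 or len(req) != end + 2:
        raise ValueError("malformed destination")
    if atyp == ATYP_DOMAIN:
        host = req[start:end].decode("ascii")  # forwarded unresolved
    else:
        host = str(ipaddress.ip_address(req[start:end]))
    (port,) = struct.unpack("!H", req[end:])
    return ("connect", host, port)


# Constructed sample: CONNECT to the name "intranet.example", port 443.
SAMPLE = b"\x05\x01\x00\x03\x10intranet.example" + struct.pack("!H", 443)
```

A domain-name request reaches the proxy as a name rather than an address, which is why the lookup can happen on the SSH server instead of on the local network.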


  1. Connect to your server and open the port forwarding screen.
  2. Tap Add Forward (or use the SOCKS preset chip, which fills in the defaults).
  3. Select the SOCKS5 type.
  4. Set the SOCKS5 Port (default: 1080). This is the port your applications will connect to.
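  5. The Bind Address defaults to 127.0.0.1. Only change this if you need other devices on your LAN to use the proxy. Because the proxy does not authenticate clients, any device that can reach a non-localhost bind address can send traffic through your SSH connection.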
  6. Tap Add and start the forward.

The port forwarding list shows active SOCKS5 proxies with live statistics: the number of active connections and total kilobytes transferred.


  1. Open Settings and search for “proxy.”
  2. Click Settings under Network Settings.
  3. Select Manual proxy configuration.
  4. Leave HTTP and HTTPS proxy fields empty.
  5. Set SOCKS Host to 127.0.0.1 and Port to 1080 (or whatever port you chose).
  6. Select SOCKS v5.
  7. Check Proxy DNS when using SOCKS v5 so that DNS queries go through the tunnel too.
  8. Click OK.

Chrome and Edge use the system proxy settings. On desktop platforms:

  • Windows: Open Settings, search “proxy”, set Manual proxy to SOCKS5 at 127.0.0.1:1080.
  • macOS: System Settings, Network, Advanced, Proxies, enable SOCKS Proxy at 127.0.0.1:1080.
  • Linux: Set environment variables or configure through GNOME/KDE network settings.

Alternatively, use a browser extension like SwitchyOmega to set a per-profile SOCKS5 proxy without changing system settings.

Any application that supports SOCKS5 proxies can use the tunnel. Common examples:

  • curl: curl --socks5-hostname 127.0.0.1:1080 http://internal-server/
  • Git: git config http.proxy socks5://127.0.0.1:1080
  • Python requests: proxies = {'http': 'socks5h://127.0.0.1:1080', 'https': 'socks5h://127.0.0.1:1080'}

Use socks5h:// (with the h) to have the proxy resolve hostnames on the server side.


  • Latency: Every request adds a round trip through the SSH connection. For interactive browsing this is usually imperceptible, but high-latency satellite or intercontinental links will be noticeable.
  • Throughput: SSH encryption adds CPU overhead. On modern devices this is negligible for browsing, but large downloads may be somewhat slower than a direct connection.
  • Connection count: Each proxied connection opens an SSH channel. Hundreds of concurrent connections (as browsers sometimes make) are handled fine, but the SSH server has finite resources. ZestSSH tracks active connections and bytes transferred so you can monitor usage.
  • DNS: With SOCKS5 and domain-name resolution on the server, DNS is private but may resolve differently than it would on your local network. This is usually desirable but worth knowing about.

  • The proxy only tunnels TCP traffic. UDP-based protocols (most VoIP, some games, DNS over UDP) are not tunneled.
  • The proxy only handles the CONNECT command. BIND and UDP ASSOCIATE are not implemented.
  • On iOS, the proxy is subject to the same backgrounding limitations as other port forwards. It stops when ZestSSH is not in the foreground.