# System proxy for traffic forwarding



## free-and-bsd (Jan 6, 2016)

Hi everyone,

I'm using my laptop as a wifi Access Point for my tablet. On that laptop I run an SSH tunnel to a remote host far away and use it as a SOCKS proxy at 127.0.0.1:1080. Sort of an SSH-type VPN:

```
ssh -f -N -D 127.0.0.1:1080 -p $remote_ssh_port $user@ssh_host.com
```

But how can I make the wireless clients connected to that laptop send and receive all Internet traffic via that tunnel at 127.0.0.1:1080 and not the normal way (the laptop's default route)?

I've tried this PF configuration:

```
# don't want to divert DHCP
pass quick on wlan0 proto udp from any to any port 67
pass quick on wlan0 proto udp from any to any port 647
...
pass in quick on wlan0 inet proto { tcp,udp,icmp } from $my_wifi_network to any \
    divert-to 127.0.0.1 port 1080
pass out quick on wlan0 from any to any
...
```
But this doesn't seem to work. What other ways are there, or maybe PF configuration should be a bit different?
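One reason a plain `divert-to` into port 1080 cannot work, shown as an added example that is not part of the original post: a SOCKS5 listener expects the RFC 1928 greeting and a CONNECT request as the first bytes of every connection, while a diverted browser connection starts with ordinary application data. The encoder and decoder below follow RFC 1928; the sample addresses and the reply bytes are constructed for illustration.

```python
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting():
    """Client hello: version 5, one offered method, 'no authentication required'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host, port):
    """CONNECT request for host:port; literal IPs use ATYP 1/4, names use ATYP 3."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            raw = socket.inet_pton(family, host)
        except OSError:
            continue  # not a literal address of this family, try the next
        return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + raw + struct.pack("!H", port)
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("domain name must be 1..255 bytes")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_reply(data):
    """Decode the server reply into (status, bound_address, bound_port); status 0 = success."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return status, addr, struct.unpack("!H", rest[:2])[0]


def looks_like_socks5_greeting(first_bytes):
    """The check a SOCKS listener effectively applies to the first bytes of a connection.
    A diverted browser stream begins with an HTTP request or TLS ClientHello, never a greeting."""
    return (len(first_bytes) >= 3 and first_bytes[0] == SOCKS_VERSION
            and first_bytes[1] >= 1 and len(first_bytes) == 2 + first_bytes[1])
```

A SOCKS-unaware client that pf steers into the listener fails the greeting check and is dropped, so the wireless hosts would need something on the laptop that speaks SOCKS on their behalf rather than a bare redirect.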


----------



## free-and-bsd (Jan 6, 2016)

Ok, here's one thing I've found out: to allow other hosts to connect to the SSH tunnel one needs to add this to /etc/sshd_config:

```
GatewayPorts yes   # it's "no" by default
```
Because essentially I'm trying to let wifi hosts use the SSH tunnel on my laptop working as AP. So, theoretically it's possible, then.
Still, this doesn't work for some reason... Maybe this setup is incomplete and I need to somehow make sure it works _both_ ways?


----------



## SirDice (Jan 6, 2016)

Not sure if it's going to work but instead of binding the tunnel endpoint to 127.0.0.1 you could try binding it to the address of the laptop. Then you wouldn't need to forward anything with PF.


----------



## free-and-bsd (Jan 6, 2016)

SirDice said:


> Not sure if it's going to work but instead of binding the tunnel endpoint to 127.0.0.1 you could try binding it to the address of the laptop. Then you wouldn't need to forward anything with PF.


Ah, but it says in the manual only localhost connections are allowed by default, unless this GatewayPorts option is enabled in the (remote) server config.  
But... if it _was_ possible to bind the tunnel to my wlan0 IP without specifying a port, that would be nice. 
Because with Android devices it is impossible to do things like specifying ports etc. That's the problem. There is that SSHTunnel app, it creates a tunnel all right, but Google Play and browser don't care to use this tunnel. The app brags of being able to make it a system-wide proxy, but it can't accomplish this even on my rooted tablet, let alone average vanilla fresh unrooted devices.


----------



## free-and-bsd (Jan 6, 2016)

free-and-bsd said:


> Ah, but it says in the manual only localhost connections are allowed by default, unless this GatewayPorts option is enabled in the (remote) server config.


Yes, that's why it's not working for me: it must be enabled on the remote server, which I cannot manage...
But what if I use my localhost's sshd with GatewayPorts enabled to connect the tunnel end at localhost:1080 to, for example, localhost:22389? This time other hosts will be able to connect to port 22389 because this tunnel will be created by my own sshd, which will do whatever I want it to do. Looks weird but may work.


----------



## free-and-bsd (Jan 6, 2016)

Here, this guide seems to propose a solution. A multi-hop SSH tunnel, like what I'm thinking about. Well, of course, I can ask the manager of the remote ssh server, a good friend of mine, to enable GatewayPorts on his machine, but... it would be interesting to try to do without it.


----------

