
proxytunnel

Proxytunnel creates tunnels through HTTP(S) proxies for any TCP-based protocol. It helps SSH and other protocols bypass firewalls that only allow HTTP(S) traffic.

Description

Proxytunnel is designed to tunnel connections through standard HTTP or HTTPS proxies so that a client behind a restrictive firewall can reach origin servers. It connects stdin and stdout to a destination server via the proxy, making it particularly useful for SSH access to remote boxes when direct connections are blocked.

Originally developed as an SSH extension, proxytunnel supports broader use cases by integrating with other applications. It can run from inetd or as a standalone daemon listening on a local port, forwarding traffic through the tunnel for various TCP protocols.

The tool is lightweight with an installed size of 102 KB and depends on libc6 and libssl3t64. It handles HTTP authentication and supports advanced proxy chaining.

How It Works

Proxytunnel establishes a tunnel by issuing HTTP CONNECT requests through an HTTP(S) proxy to connect to a destination host:port. It supports SSL encryption between the client and proxy or proxy and destination, and can chain multiple proxies. When run in standalone mode or from inetd, it listens locally and forwards traffic bidirectionally through the proxy connection using standard TCP streams.
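
The CONNECT exchange described above, seen from the proxy's side, as an added example that is not part of the original page or of proxytunnel: it builds a minimal CONNECT request and applies a destination-port allow-list to it. The function names, the allow-list, the response strings and the exact request headers are assumptions made for illustration; the host:port pairs are the ones used in the Examples section.

```python
"""Proxy-side view of an HTTP CONNECT tunnel request (added, constructed example)."""

# Assumption: local policy permits CONNECT only to the HTTPS port.
ALLOWED_CONNECT_PORTS = {443}


def build_connect_request(dest_host: str, dest_port: int) -> bytes:
    """Minimal request a tunnelling client sends to open dest_host:dest_port."""
    target = f"{dest_host}:{dest_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parse_connect_target(request: bytes):
    """Return (host, port) from a CONNECT request line, or None if it is malformed."""
    line = request.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host.strip("[]"), int(port)  # brackets surround IPv6 literals


def proxy_decision(request: bytes) -> bytes:
    """Status line the proxy returns before any tunnelled bytes flow."""
    target = parse_connect_target(request)
    if target is None:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if target[1] not in ALLOWED_CONNECT_PORTS:
        # The destination port is visible in cleartext in the request line,
        # so the proxy can refuse the tunnel before it is established.
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample destinations taken from the page's examples.
    for host, port in [("ssh.example.com", 22), ("target.com", 443)]:
        req = build_connect_request(host, port)
        print(req.split(b"\r\n")[0].decode(), "->",
              proxy_decision(req).split(b"\r\n")[0].decode())
```

Only after a 200 response does the client start relaying raw TCP bytes over the same connection; the proxy's access log records the CONNECT line with its destination host:port.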

Installation

    sudo apt install proxytunnel

Flags

-i, --inetd                   Run from inetd (default: off)
-a, --standalone=STRING       Run as standalone daemon on specified port or address:port combination
-p, --proxy=STRING            Local proxy host:port combination
-r, --remproxy=STRING         Remote proxy host:port combination (using 2 proxies)
-d, --dest=STRING             Destination host:port combination
-e, --encrypt                 SSL encrypt data between local proxy and destination
-E, --encrypt-proxy           SSL encrypt data between client and local proxy
-W, --wa-bug-29744            Workaround ASF Bugzilla 29744: if SSL is active stop using it after CONNECT (might not work on all setups)
-B, --buggy-encrypt-proxy     Equivalent to -E -W, provided for backwards compatibility
-z, --no-check-certificate    Don't verify server SSL certificate
-C, --cacert=STRING           Path to trusted CA certificate or directory
-4, --ipv4                    Enforce IPv4 connection to local proxy
-v, --verbose                 Turn on verbosity
-q, --quiet                   Suppress messages
-h, --help                    Print help and exit
-V, --version                 Print version and exit

Examples

Print help and exit, showing all available options:

    proxytunnel -h

Tunnel SSH connection through local proxy to destination SSH server:

    proxytunnel -p proxy.example.com:8080 -d ssh.example.com:22

Tunnel HTTPS to destination with SSL encryption between proxy and destination:

    proxytunnel -p proxy.example.com:8080 -d target.com:443 -e

Use two chained proxies to reach destination host:

    proxytunnel -p proxy1:8080 -r proxy2:8080 -d target:80

Run as standalone daemon on local port 1080 forwarding through proxy:

    proxytunnel -a :1080 -p proxy.example.com:8080 -d ssh.home:22

Run from inetd with SSL encryption to local proxy:

    proxytunnel -i -p proxy.example.com:8080 -d target:22 -E

Tunnel without verifying server SSL certificate:

    proxytunnel -p proxy.example.com:8080 -d target.com:443 -z

Updated 2026-04-16, kali.org