A coder can’t live without Google, but things get difficult in China… Google, Facebook, Instagram etc. I don’t know how our dear computing students search for exceptions and documents, but personally, I am spoiled by Google and StackOverflow. So I have to find a way to access these when I come back home for the holidays.

In the past decades, VPN was the first choice before the GFW got smarter; it is now able to detect VPN traffic (it has a special ‘signature/fingerprint’, as I read somewhere else) and block it periodically. So Shadowsocks comes into play: it uses SOCKS5 to proxy network traffic to servers which have unrestricted internet access and sends back the response.

Sounds great, right? It is good enough for ordinary usage like browsing the web or watching YouTube. But we developers need more than that. Due to the characteristics of a SOCKS5 proxy, only TCP and UDP (needs configuration) can be transmitted through the proxy. (I’m not really sure about this, please correct me if I’m wrong.) And not all apps use the system proxy; some of them don’t even have a setting to configure this. The problem is more serious among CLI tools. Think ssh… OK, enough bs…
proxychains Github here
- Homebrew install (if you don’t know this, google it and thank me)
- Set your proxy to run on a local port
- Edit this file:
/Users/yourUserName/.proxychains/proxychains.conf
Note that you should change your port accordingly.
strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 127.0.0.0/255.0.0.0
quiet_mode
[ProxyList]
socks5 127.0.0.1 1086
First try fails 🙁
The basic syntax is
proxychains ssh host
but you will soon notice this does not change a thing: ssh still connects directly. The bad (good?) guy behind this is System Integrity Protection (SIP). This feature in modern macOS prevents proxychains from injecting into processes. One way is to disable SIP, but I don’t think it is a good idea to put the system at this risk.
Giving our CLI candy
As we can’t inject into the system’s built-in ssh and we don’t want to disable SIP, what can we do? Get another copy of ssh! Again, use Homebrew to install ssh; this copy of ssh is not protected by SIP (selfish, isn’t it). So now we do this:
proxychains4 /usr/local/Cellar/openssh/7.6p1/bin/ssh [email protected]
Problem solved 🙂
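The Cellar path above contains the openssh version, so it changes on every upgrade. As an added example (not part of the original post), this POSIX sh sketch finds a copy of a tool outside the SIP-protected directories and runs it under proxychains4; the function names are hypothetical, and treating /System, /bin, /sbin and /usr (minus /usr/local) as the protected set is a path-based assumption.

```shell
#!/bin/sh
# Added example: pick a copy of a CLI tool that SIP does not protect,
# then run it through proxychains4. Written for sh/bash; zsh only splits
# $search on ':' when sh emulation (SH_WORD_SPLIT) is enabled.

# Assumption: path-based heuristic. /usr/local is excluded from SIP.
is_sip_protected() {
  case $1 in
    /usr/local/*) return 1 ;;
    /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Follow symlinks by hand (older macOS readlink has no -f), so a link that
# points back at /usr/bin/ssh is not mistaken for a separate copy.
resolve() {
  p=$1; n=0
  while [ -L "$p" ] && [ "$n" -lt 40 ]; do   # cap guards against link loops
    n=$((n + 1)); t=$(readlink "$p")
    case $t in
      /*) p=$t ;;
      *)  p=$(dirname "$p")/$t ;;
    esac
  done
  printf '%s/%s\n' "$(cd -P "$(dirname "$p")" 2>/dev/null && pwd)" "$(basename "$p")"
}

# Print the first executable named $1 on the search path ($2, default $PATH)
# whose real location lies outside the protected directories.
pick_unprotected() {
  cmd=$1; search=${2:-$PATH}
  old_ifs=$IFS; IFS=:
  for dir in $search; do
    IFS=$old_ifs
    cand=${dir:-.}/$cmd
    if [ -x "$cand" ] && [ ! -d "$cand" ]; then
      real=$(resolve "$cand")
      if ! is_sip_protected "$real"; then printf '%s\n' "$real"; return 0; fi
    fi
  done
  IFS=$old_ifs
  return 1
}

# Hypothetical wrapper: `pc ssh host` instead of typing the Cellar path.
pc() {
  cmd=$1; shift
  target=$(pick_unprotected "$cmd") || {
    echo "pc: no copy of $cmd outside SIP-protected paths" >&2; return 127; }
  proxychains4 "$target" "$@"
}
```

If `pc ssh host` reports that no copy was found, the Homebrew bin directory is missing from PATH or the tool has not been installed with Homebrew yet.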