How to set up a SOCKS5 proxy via SSH on a Mac

Route browser traffic through a remote server — encrypted, untouchable by hotel networks. Free, no VPN service.

Estimated time: 3 minutes

SSH's `-D` flag turns the connection into a SOCKS5 proxy. Your browser/app sends traffic to `localhost:1080`, SSH forwards it through the encrypted tunnel to the remote server, and the remote server makes the actual outbound request. End result: web traffic appears to come from the remote server's IP, encrypted from your Mac all the way to the SSH endpoint. No paid VPN service needed if you have any SSH-accessible server (your home server, a $5 VPS, even a Raspberry Pi at home).

Step-by-step

1
Pick (or create) the SSH profile you want to proxy through
Any SSH-reachable server works: home server, $5 VPS, even a Raspberry Pi at home. For browsing speed, pick something close to the geography you want to appear from. Make sure `AllowTcpForwarding yes` is set in the remote sshd_config (it usually is by default). In SSHive: Sidebar → + (or right-click an existing profile → Edit) → fill name, host, port, user, auth.
2
Expand "Advanced" → set the SOCKS5 port (one field — Pro only)
In the profile dialog, click **Advanced** at the bottom — the section unfolds. Scroll to **SOCKS5 proxy (-D)**. There is a **single field** "SOCKS port" (placeholder `1080`). Type `1080`, save. On Free, that field is `readOnly`, faded to opacity 50% and tagged with a PRO badge — clicking it opens the upgrade modal (`useLicenseStore.openUpgradeModal('tunnel.create')`). The check is duplicated in the main process (`ssh.handler.ts`): editing `profiles.json` by hand to bypass the UI does not bypass the runtime gate.
3
Connect — the proxy auto-starts on 127.0.0.1:1080
Double-click the profile. The SSH session goes connected and the SOCKS5 listener auto-starts on `127.0.0.1:1080`. The status bar shows the **⇄** pill — click it to see the SOCKS tunnel listed in the Tunnel Status panel with its live state. Verify from a terminal: `lsof -i :1080` shows the SSH process. Tear down? Disconnect the SSH session, the listener closes with it. No manual cleanup.
4
Point your browser/OS at the proxy
Firefox: Preferences → Network Settings → Manual proxy → SOCKS Host `127.0.0.1`, Port `1080`, SOCKS v5, "Proxy DNS when using SOCKS v5" checked. Chrome has no UI; launch with `--proxy-server=socks5://127.0.0.1:1080`. Safari: System Settings → Network → your interface → Proxies → SOCKS Proxy. Visit `whatismyip.com` — your IP should now be the remote server's. Routing is per-app on macOS by default; use Proxifier (paid) if you want a system-wide forced routing for non-browser traffic.

Frequently asked questions

Is SOCKS5 over SSH safe enough on hotel Wi-Fi?+

For browser traffic, yes — the SSH tunnel encrypts everything between your Mac and your remote server. The hotel network sees only one encrypted SSH stream. The remote server's onward traffic still uses HTTPS (or not), so SSH alone doesn't guarantee end-to-end encryption to every web destination. Use HTTPS-only browser settings as well.

How does SOCKS5 over SSH compare to a real VPN?+

SOCKS5 is per-app (browser, IRC client, etc.); a VPN is system-wide. SOCKS5 is free if you have any SSH server; a VPN service has a subscription cost. SOCKS5 doesn't handle UDP traffic well; a VPN does. For browsing, SOCKS5 is enough; for everything-routed (gaming, streaming, app traffic), use WireGuard or Tailscale.