Synology usage series 6 – Securing Squid and Socks5 connection over SSH, using Bitvise Tunnelier


From the previous articles, I’ve setup Squid Http Proxy and Socks 5 server on my DS207+ box. However, squid and nylon socks server are just a proxy and do not encrypt the data transmit during the connection. My data is subjected to be inspected by network administrator if I connect the proxy from external network.

So I decided to use Tunnelier to setup SSH tunnel to encrypt the Squid/nylon connection.

Before setup Tunnelier, here is the things that I needed for the setup

– A copy of Tunnelier

– Private key of the ssh user account. The private key is the one generated by sshkey-gen from the DS207+, not the one generated by putty. (Tunnelier can read the private keys generated by linux, it cannot read the keys generated by putty though). To setup private/public key pairs for the account, refer to the procedures here.

Setup Tunnelier

1. Download and install tunnelier from here.

Import private key to Tunnelier

1. Run Keypair Manager
2. Click import button.
3. Select the private key. You’ll be asked for the passphrase, if any.
4. Click Import button.

A slot number will be assigned to the private key. Write down the slot number.

Tunnelier keypair manager

Tunnelier keypair manager


Setup a profile

1. Run Tunnelier
2. Setup profile as below

[Login Tab]
– Server host: [your ds207+ ip address or host name]
– Server port: [your ssh server port number]
– Authentication username: [the username of the private key imported above]
– Authentication Initial meth: [publickey – slot ?] (select the slot that your just created)
– Passphrase: [passphrase of your private key, if any]

Tunnelier Profile Setup Screen

Tunnelier Profile Setup Screen

[Option Tab]
– Reconnection: Select ‘Always reconnect automatically’

[C2S Forwarding Tab]
– Status: Enabled
– Listen Interface: 127.0.0.1
– List. Port: 8080
– Destination Host: [your ds207+ server IP address/domain name]
– Destination Port: [For encrypting squid, input squid’s port number here. For encrypting socks5, input nylon’s port number here.
– Comment: whatever you like, for squid config, input ‘squid’, for nylon, input ‘nylon’.

Leave the rest of the configuration as default.

Now clicked the ‘Save Profile’ from the left hand-side menu bar.

** Instead of create two different two profiles, I setup two different C2S forwarding rules in the same profile, just assign different listening port, 9090 for Squid and 8080 for nylon (socks5).

Tunnelier Client-to-Server Setup Screen

Tunnelier Client-to-Server Setup Screen





Leave a Reply

Your email address will not be published. Required fields are marked *