SOCKS over SSH on Opalstack (with Windows & macOS steps)

Posted On August 21, 2025

Did you know you can route your browser traffic with a secure tunnel to any web hosting company which supports SOCKS over SSH? That might be useful! Want per-app, encrypted routing through your Opalstack server without installing a VPN? Do this:

0) Create your Shell (OS) user on Opalstack

  1. In the dashboard go to Applications → Create Shell User.
  2. Pick the server, choose a username, click Create.
  3. Your new user’s initial password appears in the Notice Log. (You can change it later.)

Shell users are used for SSH/SFTP access and to run your apps. (docs.opalstack.com)

1) Add your SSH key (recommended)

  • macOS / Linux (and Windows if you have ssh-copy-id): ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa ssh-copy-id myuser@opal1.opalstack.com Now you can log in without a password.
  • Windows (PuTTY): generate a key with PuTTYgen, then paste the public key into ~/.ssh/authorized_keys, and configure PuTTY to use the private key for that host.

2) Start a local SOCKS5 proxy (“SOCKS over SSH”)

macOS (built-in OpenSSH)

ssh -N -D 127.0.0.1:1080 myuser@opal1.opalstack.com
  • -D 127.0.0.1:1080 creates a local SOCKS5 proxy on port 1080.
  • -N tells SSH not to run a remote command—just forward.
    macOS includes the ssh client out of the box; Opalstack shows the login pattern ssh myuser@opal1.opalstack.com.

Windows Option A: PowerShell (OpenSSH client)

ssh -N -D 127.0.0.1:1080 myuser@opal1.opalstack.com

Microsoft Windows 10/11 include (or can add) the OpenSSH Client: Settings → Apps → Optional FeaturesOpenSSH Client.

Windows — Option B: PuTTY (GUI)

  1. Open PuTTY → Session → Host Name: opal1.opalstack.com.
  2. Go to Connection → SSH → Tunnels.
  3. Source port: 1080 → choose DynamicAdd.
  4. Back to Session, Save, then Open and log in. (Leave the window open to keep the tunnel running.)

3) Point your browser/app at the proxy (and avoid DNS leaks)

Firefox (Windows & macOS)

  • Settings → Network → Manual proxy
    SOCKS Host: 127.0.0.1 Port: 1080 Version: SOCKS v5
  • Turn on “Proxy DNS when using SOCKS v5” (or set about:confignetwork.proxy.socks_remote_dns=true).

Chrome / Edge (Windows & macOS)

Launch with flags that force proxy use and remote DNS:

# macOS example
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" \
  --proxy-server="socks5://127.0.0.1:1080" \
  --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"

On Windows, edit the shortcut and append the same flags to the Target. These flags stop Chrome from doing local DNS lookups while using a SOCKS proxy.

CLI sanity check (either OS)

curl --socks5-hostname 127.0.0.1:1080 https://ifconfig.me

You should see your Opalstack server’s IP, proving traffic is routing through the tunnel (the --socks5-hostname bit forces remote DNS).

4) What you just built (and what it isn’t)

  • Yes: Routes web traffic for apps you configure (HTTP/HTTPS ride over TCP via SOCKS5 → SSH → your server).
  • No: Not a full VPN (no device-wide tunnel, no UDP/WebRTC/QUIC). Use a real VPN if you need OS-wide routing.
  • Security: The hop from you → Opalstack is encrypted by SSH. From the server → websites is normal internet—keep using HTTPS end-to-end.

5) Keep it alive (optional)

  • macOS: brew install autossh autossh -M 0 -N -D 127.0.0.1:1080 myuser@opal1.opalstack.com (If you want login-start, we can drop a small launchd plist.)
  • Windows:
    Create a shortcut that runs the ssh -N -D ... command at login, or use Task Scheduler to start it on sign-in.

6) Troubleshooting on Opalstack

  • Which host do I SSH to? Use the server hostname shown in your dashboard (examples use opal1.opalstack.com).
  • Password isn’t working? Check the Notice Log for the initial shell-user password (or reset it).
  • Lots of failed logins? Your source IP can be auto-banned for ~1 hour; try again later or contact support.

7) Quick copy/paste checklist

# In Opalstack dashboard:
#   Applications → Create Shell User → pick server & username
#   Check Notice Log for the initial password

# On your computer (macOS/Windows with OpenSSH):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa           # if needed
ssh-copy-id myuser@opal1.opalstack.com               # macOS/Linux (or add key via PuTTY/Server Access docs)

# Start the SOCKS proxy:
ssh -N -D 127.0.0.1:1080 myuser@opal1.opalstack.com

# Browser:
#   Firefox: set SOCKS5 127.0.0.1:1080 + "Proxy DNS when using SOCKS v5"
#   Chrome/Edge: launch with --proxy-server + --host-resolver-rules flags

# Verify:
curl --socks5-hostname 127.0.0.1:1080 https://ifconfig.me
Signup for Opalstack