SOCKS5 Tunnelling from an iPad using an SSH client over a cellular connection while already connected to a VPN. Can this be done in iOS in 2024 or should I just give up?

Ok here goes.


I have an iPad mini 6 with a cell connection running iOS 17.4.1.


From the cellular network/internet, I am connecting to my external firewall via an OpenVPN tunnel.


Now, via the internal virtual IP from the VPN, I am connecting to a host on the inside of my LAN firewall using an SSH tunnel through a bastion host at the 'front door' of my LAN firewall. In an SSH config file this would be considered proxyjump, or -J from an ssh command if that helps make sense of my description.


From that host on the inside of the LAN firewall, I would like to use a SOCKS5 proxy to access web servers on that network. I would also settle for stable port forwards if that's the only solution. I've tested a bunch of SSH clients from the iOS App Store and narrowed those down by weeding out the majority that don't get as far as supporting the proxyjump/bastion host part.


Out of those apps, the ones that also appear to support SOCKS5 tend to provide a .pac file to the app's URL and inside of that is localhost and port number. I don't think there is anywhere to input a URL to a .pac for the cellular connection in iOS for some reason/unfortunately. And I'm not certain this would even work on the wifi network to be honest. What a hassle anyhow. What if you want to use that wifi network normally? Then you're writing some brutal .pac files to filter hosts etc etc etc.


I don't have this problem with other civilized posix compliant OS's, or droids (JuiceSSH is king), and I can even get it working in the lands of the savage redmond fisher price no probalo. Don't get me started with those weirdo zuners though.


Anyhow, the SOCKS5 tunnel aside, I have managed to get this working with port forwards but usually those connections don't last more than 15 seconds without timing out. Maybe I'm overthinking all of this and there's something like a keepalive command I can jam into some config file in this chain that will save my port forwards?


Anyhow, any other device/OS I use seems to be able to be connected to a VPN while simultaneously sending traffic through a SOCKS5 tunnel over an SSH connection via a bastion host without even breaking a sweat. Why is this so complicated/inconvenient/unachievable using an iOS device?

Posted on May 13, 2024 4:32 PM

Question marked as Top-ranking reply

Posted on May 14, 2024 2:59 PM

@LotusPilot, I could still toss up a basic diagram if you're interested or curious or want to offer constructive criticism or turn it into a meme or something, but I think we may have solved it!


TLDR answer: Turn on Location Persistence in Shellfish and allow it in the OS security settings. SOCKS5 is a no go, but port forwarding works awesome.


My essay apparently:


I agree with you regarding the VPN/SOCKS5 proxy part not working under these circumstances. But with the help of the folks from the excellent Shellfish SSH app (I hope it's ok to plug apps in here and that they're ok with me mentioning them :D) I think we've managed to get reliable SSH port forwarding working using a bastion host/proxyjump in the middle of the connection.


That part is great because aside from all this VPN malarkey, I still need this to work on the local wifi network too. The fact it also works from a VPN connected iPad using the cellular network has me wanting to jump up and start doing karate moves if we're being totally honest here.


Anyhow, Shellfish explained that connections might be dropping when the app is sent to the background (i.e. when I switch to a browser to tunnel to a web server after establishing the SSH connection); the forwarded port connection is likely dropping.


Once I enabled Location Persistence in their app as they suggested (allowing it in the OS), I have been connected to 3 web servers for hours now without any issues. It's less convenient mapping ports to servers etc compared to a socks proxy, but really not a big deal and pretty easy to work around.


So, I suppose if you're ever in this situation and reading this, I hope it has been helpful! If you have any questions I cannot guarantee I'll ever see the post, but I'll try to keep an eye out.
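
For reference, the chain discussed in this thread (bastion/ProxyJump, fixed port forwards, a SOCKS5 listener and keepalives) written as a desktop OpenSSH client config. This is an added example, not taken from the posters or from any app mentioned here; every host name, address, user and port is a constructed placeholder, and whether a given iOS client honours each option is not stated in the thread.

```sshconfig
# ~/.ssh/config -- constructed example; all names, addresses and ports are placeholders.

# Bastion at the 'front door' of the LAN firewall, reached over the VPN's internal address.
Host bastion
    # assumed VPN-side address of the bastion
    HostName 10.8.0.10
    User jumpuser

# Host on the inside of the LAN firewall, reached through the bastion (same as ssh -J bastion).
Host inside
    # assumed LAN address of the inner host
    HostName 192.168.10.20
    User admin
    ProxyJump bastion

    # Fixed port forwards: one local port per internal web server.
    # Binding to 127.0.0.1 keeps the listeners off the device's other interfaces.
    LocalForward 127.0.0.1:8081 192.168.10.31:80
    LocalForward 127.0.0.1:8082 192.168.10.32:80
    LocalForward 127.0.0.1:8443 192.168.10.33:443

    # SOCKS5 alternative to the fixed forwards, for clients and platforms
    # where a browser can be pointed at a local proxy.
    DynamicForward 127.0.0.1:1080

    # Fail at connect time if a listener cannot be set up, rather than
    # ending up with a session that silently lacks a forward.
    ExitOnForwardFailure yes

    # Application-level keepalives: probe the server every 15 s and give up
    # after 3 unanswered probes. This covers idle timeouts on the VPN/NAT path.
    # It does not help when the client app itself is suspended in the
    # background, which is the cause the reply above reports.
    ServerAliveInterval 15
    ServerAliveCountMax 3
```

On a desktop client, `ssh -N inside` brings up the forwards without opening a shell; the internal servers are then reachable at `http://127.0.0.1:8081` and so on.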

May 14, 2024 4:57 AM in response to slartybardfast

A diagram might help - but to upload it here it'll need to be a supported image file (e.g., jpeg or similar). Please don't attempt to provide links to external hosting websites.


Fundamentally, you are attempting to produce a sophisticated connection - albeit using supported network protocols - that is heavily reliant upon the iOS/iPadOS networking stack. As a device "user", you have very little control over the local network stack. Chaining different Apps and tunnelling additional secure network protocols through a VPN tunnel is particularly difficult to control in iOS/iPadOS - unless you are prepared to write a dedicated App that provides the network implementation that you require.


Otherwise, what you are attempting to achieve with iOS/iPadOS is likely to be difficult/unreliable at best, if not impossible.

