Remote Home Server: Using SSH and Clash to Set Up Traffic Proxy
Recently, I encountered a small issue. At home it is very convenient to access the server directly by its internal network IP, but when I go out I sometimes only have SSH access. After thinking about it, using SSH to set up a Socks5 proxy and Clash to manage the traffic seems like a good solution.
Solution Design
I decided to set up a Socks5 proxy via SSH to give the client a channel to the home server. Then I use Clash to manage the traffic: it detects whether the Socks5 proxy is working and decides whether to route traffic through it. The steps are actually not complicated. Let's take a look.
1. Using SSH to Set Up a Socks5 Proxy
First, I connect to the remote server via SSH and set up a Socks5 proxy.
ssh -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o TCPKeepAlive=yes -o ForwardAgent=no -o ForwardX11=no -N -D 127.0.0.1:8080 -p 221 root@*******.cn
Let me explain the parameters of this command:
- -D 127.0.0.1:8080: Starts dynamic port forwarding on local port 8080, acting as a Socks5 proxy. Binding to 127.0.0.1 means only programs on this machine can use it.
- -o ServerAliveInterval=60: Sends a keepalive packet every 60 seconds to maintain the connection.
- -o ServerAliveCountMax=3: If the server does not respond to 3 keepalives in a row, the connection is closed.
- -o TCPKeepAlive=yes: Enables the TCP keepalive mechanism.
- -o ForwardAgent=no -o ForwardX11=no: Turns off agent and X11 forwarding, which this tunnel does not need.
- -N: Only performs port forwarding, does not execute remote commands.
- -p 221: Specifies the SSH connection port (if your server is not using the default port 22, you need to specify it).
In this way, all traffic through the local port 127.0.0.1:8080 will be forwarded to the remote server.
2. Configuring Clash for Traffic Management
Next, I set up proxy rules in Clash to determine whether to use this Socks5 proxy. Clash's fallback feature can help us achieve automatic traffic switching.
Nodes:
append:
  - name: 'SSH Tunnel'
    type: 'socks5'
    server: '127.0.0.1'
    port: 8080
    username: ''
    password: ''
Rules:
prepend:
  - 'IP-CIDR,192.168.10.0/24,Proxy-local,no-resolve'
Proxy Group:
prepend:
  - type: 'fallback'
    name: 'Proxy-local'
    interval: 5
    timeout: 5000
    max-failed-times: 1
    lazy: false
    proxies:
      - 'SSH Tunnel'
      - 'DIRECT'
This configuration means:
- Defines a Socks5 proxy in Clash, pointing to 127.0.0.1:8080.
- Uses the fallback proxy group: when the Socks5 proxy is detected as available, traffic automatically goes through this proxy; otherwise, it connects directly.
- Be sure to disable lazy! As the name suggests, it's lazy—it won't automatically detect if the proxy is available.
The SSH tunnel is the preferred proxy, and when the SSH tunnel is unavailable, traffic automatically switches to direct connection (DIRECT). By configuring interval and timeout, you can control the detection frequency and timeout tolerance.
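To check the tunnel by hand, independently of Clash's own detection, the following added example (not part of the original post) speaks SOCKS5 to 127.0.0.1:8080 and then requires a real HTTP response from a host behind the tunnel. The function names and the target 192.168.10.1:80 are assumptions; substitute an HTTP service on your own LAN.

```python
import socket
import struct


def _recv_exact(sock, n):
    """Read exactly n bytes or raise EOFError if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed early")
        buf += chunk
    return buf


def socks5_http_probe(proxy, dest_host, dest_port=80, timeout=5.0):
    """Send an HTTP HEAD to dest through a SOCKS5 proxy; return (ok, detail)."""
    try:
        with socket.create_connection(proxy, timeout) as s:
            # Greeting: version 5, one method offered, 0x00 = no authentication
            s.sendall(b"\x05\x01\x00")
            if _recv_exact(s, 2) != b"\x05\x00":
                return False, "proxy did not accept the no-auth method"
            # CONNECT (0x01), ATYP 0x03: destination sent as a string, so it
            # is resolved on the far side of the tunnel, not locally.
            name = dest_host.encode("idna")
            s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                      + struct.pack("!H", dest_port))
            ver, rep, _rsv, atyp = _recv_exact(s, 4)
            if ver != 5 or rep != 0:
                return False, f"SOCKS5 request failed (ver={ver}, rep=0x{rep:02x})"
            # Skip BND.ADDR + BND.PORT (length depends on the address type)
            addr_len = {1: 4, 4: 16}.get(atyp) or _recv_exact(s, 1)[0]
            _recv_exact(s, addr_len + 2)
            # A proxy may report success before the far-end connection exists,
            # so only bytes from the destination prove the path works.
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {dest_host}\r\n\r\n".encode())
            if _recv_exact(s, 5) != b"HTTP/":
                return False, "destination did not answer with HTTP"
            return True, "tunnel and destination reachable"
    except (OSError, EOFError) as exc:
        return False, f"no usable path: {exc}"


if __name__ == "__main__":
    # 192.168.10.1 is an assumed HTTP host inside the 192.168.10.0/24 LAN
    print(socks5_http_probe(("127.0.0.1", 8080), "192.168.10.1"))
```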
Whisper
The advantage of this solution is that when I'm away from home, as long as I keep the SSH connection, all other traffic automatically goes through the proxy, which is convenient and doesn't hinder work. Moreover, Clash's auto-switch feature ensures that when the proxy is unavailable, traffic automatically falls back to direct connection, preventing lag or connection failures.
For someone like me who enjoys tinkering with technology, this 'remote work' approach undoubtedly makes life and work more flexible and efficient. If you have similar needs, why not give this method a try?