winbox + SOCKSv5 proxy?

I need to be able to use winbox with a SOCKSv5 proxy I create with an SSH session.
As far as I’ve seen neither v2 nor the v3beta allow it.
Is this a missing feature or am I missing something?
TIA.

What does winbox have to do with SOCKSv5 proxy?? Winbox is only for connection to RouterOS devices.

Current RouterOS v is v6.xx (there are some that use v5.xx)

I’m pretty sure you are missing a lot.

You don’t know what a SOCKSv5 proxy is for, do you?
Have you ever used a “-D” option in OpenSSH?
For example I open an SSH session to the Mikrotik along with a SOCKSv5 proxy. So I can use WebFig with SSH encryption.
If winbox supported SOCKSv5 proxies, then I’d be able to use it securely over the internet.

It looks like Winbox is still a v3RC.

I fear I am not alone, after all.

So, back to the original point, I think that there’s none. Isn’t there?

  1. SOCKSv5 is ancient history - RFC is from 1996. I do not see any need for it in modern networking.
  2. you can use SSH to configure router from command line directly.
  3. winbox connection is secure enough already.

Please, next time describe your feature request in more detail, like:

“Is it possible to add SOCKSv5 proxy support for winbox?”

Your first post is impossible to understand.

What is the purpose of your request? Is the router in some private LAN, accessible only over SOCKS proxy? Otherwise, use direct connection.

Really? A lot of people like me find that feature really useful so OpenSSH is STILL supporting and maintaining it since looong time now.
Latest proposals for FTP (supported by RouterOS) are from 1997 (RFC2228) and 1998 (RFC2428). But this is another story.

My question was about winbox, not SSH.

I didn’t find any reference to the encryption used. I’ll check with wireshark.

“I need to be able to use winbox with a SOCKSv5 proxy I create with an SSH session.”
My bad: I tried to be as terse and clear as possible. Please forgive me.

Winbox uses TLS, it is in the manual.

I am sorry for not having been clear enough.
My purpose is to always connect to the MikroTik with known security levels.
This is mandatory in my environment so, for example, I am already using (with a product other than MikroTik) a main SSH connection to the box with SSH key authentication to “tunnel” (with SOCKSv5 proxy, aka “-D option”) both the webUI and the “native” GUI. The firewall is thus only exposing a single SSH TCP port to both the LANs and the WANs.
With MikroTik I can already use SOCKSv5 proxy with webfig, ftp and telnet as all common clients can use it.
My question was about winbox: I need to access the MikroTiks (they’re 7) with winbox through a SOCKSv5 proxy created with SSH. Or leave winbox out of the management altogether.
From the earlier answers I understand that this is not possible as there is no perceived need for supporting a SOCKSv5 proxy.

Any question on why I do need to do it is off-topic here. Nonetheless I gave some background info.

P.S.
Does the same question apply to The Dude as well?

Yes.

Same applies to Dude. To be honest, this is the first time I have heard a similar request.

OK. I saw it, though it’s optional.
It’s TLS 1.2, right?

The use of SSH TCP Port forwarding and SOCKSv5 proxy is very popular among system and network administrators, AFAIK.
Especially when “standard” SSH implementations are available.
It’s not a high performance solution, but it’s rather easy to provide and revoke access grants while staying within a reasonably secure channel.
Moreover, if you’re using OpenSSH client, you can reuse the same SSH encrypted channel for the subsequent uses (port forwarding and proxying) with no need for an extra connection and an extra authentication step.
You can have multiple forwards and proxies …
You see, I open an SSH connection through which I access the HTTP webfig and ftp.
But this is just my experience.
Thanks anyway for the info.

SOCKS5 is too new for MikroTik, look at SOCKS server in RouterOS, still limited to SOCKS4 only. :wink: It would be nice to see it upgraded one day too. But that’s OT here.

But seriously, even though SOCKS is old and not much used today, it can be useful. Why else would e.g. all current web browsers still support it? It’s simple and extremely easy to implement for TCP client. I admit, I did not miss it in WinBox so far. But it’s one of those nice little things to have, an extra option, just in case.

Are you saying you have already got this working, or you wish to do it?

Modern browsers still have a field to enter “Gopher proxy” address, but that was not so much popular after 1993 :slight_smile:

Yes: my browser and my ftp client support SOCKSv5 proxy.

The SSH server running into RouterOS v6.32 already supports it. Connect to it with a “dynamic forwarder” (a nickname for SOCKS proxy) and you’ll see.
And this is the one I currently use to securely connect to webfig!!

It happens I need to connect from the Internet and, while I can use destination port TCP:22, I cannot use TCP:8291 because of restriction policies.
The real question is: why not?
My mikrotiks currently only have port TCP:22 exposed on their WAN.

Which browser are you using? :laughing:

None of the “big ones”. I thought it was not so long ago when I saw it there, but apparently, if Wikipedia does not lie, Gopher support is gone from major browsers for several years now. But clearly, we all know that Gopher is long dead, no one cares about it anymore (nostalgic interest excluded).

SOCKS on the other hand, even though it’s not ever going to win any “protocol of the year” popularity contest, is not dead. Not overly popular as a standalone server, but definitely interesting as a feature of SSH clients. There are some paranoid environments, where you can only get to SSH from outside. While you can use standard manual SSH port forwarding to get to internal hosts, dynamic one (which creates local SOCKS server) is more pleasant to use.

I’m not gonna fight to death for SOCKS support in WinBox, but I think it would be a nice feature. An extra flexibility can’t hurt anything. And again, it’s very easy to implement.

For what it’s worth, I’ve used redsocks to socksify winbox’s traffic. :neutral_face:
(LD_PRELOAD based, i.e. tsocks/proxychain did not work out-of-the-box with wine)

For anyone who stumbles upon this as I do for the third time: it is possible to use WinBox via SSH tunnel.
If you use PuTTY, go to Connection, SSH, Tunnels and add a tunnel:

  • Source port: your-local-port (say, 8090)
  • Destination: mikrotik.local:8291 (i.e., 10.0.0.1:8291)
  • Local
  • Auto

OpenSSH is more straightforward:

  • ssh -L local-address:local-port:target-address:target-port user@ssh-server
  • given same example addresses: ssh -L 127.0.0.1:8090:10.0.0.1:8291 user@ssh-server

Then connect WinBox to 127.0.0.1:your-local-port (127.0.0.1:8090) and it will connect you to mikrotik.local:8291 (10.0.0.1:8291).
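
WinBox has no SOCKS option of its own, so one way to reach it through an existing `ssh -D` dynamic forward is a small loopback relay that performs the SOCKS5 handshake on WinBox's behalf. This is an added example, not code from any poster in this thread or from MikroTik; the proxy port 1080 is an assumption, and the listener 127.0.0.1:8090 and target 10.0.0.1:8291 reuse the example addresses from the post above.

```python
import contextlib, socket, threading

def socks5_connect_request(host, port):  # RFC 1928 CONNECT, ATYP 0x03 (domain name)
    name = host.encode("ascii")
    if not 0 < len(name) < 256 or not 0 < port < 65536:
        raise ValueError("bad target")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        buf += (chunk := sock.recv(n - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed early")
    return buf

def socks5_handshake(s, host, port):  # s is already connected to the SOCKS5 proxy
    s.sendall(b"\x05\x01\x00")              # version 5, one method offered: no auth
    if recv_exact(s, 2) != b"\x05\x00":
        raise ConnectionError("proxy rejected the no-auth method")
    s.sendall(socks5_connect_request(host, port))
    ver, rep, _, atyp = recv_exact(s, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError(f"CONNECT failed, reply code {rep}")
    alen = {1: 4, 4: 16}.get(atyp) or recv_exact(s, 1)[0]  # IPv4 / IPv6 / domain
    recv_exact(s, alen + 2)                 # discard bound address and port

def pipe(src, dst):
    with contextlib.suppress(OSError):
        while data := src.recv(65536):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_RDWR)      # also wakes the opposite-direction thread

def handle(client, proxy, target):
    with client, socket.create_connection(proxy, timeout=10) as up:
        socks5_handshake(up, *target)
        up.settimeout(None)                 # handshake done: no idle timeout
        threading.Thread(target=pipe, args=(up, client), daemon=True).start()
        pipe(client, up)

# Assumed addresses: proxy from `ssh -D 1080`, listener and target from the post.
def serve(listen=("127.0.0.1", 8090), proxy=("127.0.0.1", 1080), target=("10.0.0.1", 8291)):
    srv = socket.create_server(listen)      # loopback only, never 0.0.0.0
    while True:
        client, _ = srv.accept()
        threading.Thread(target=handle, args=(client, proxy, target), daemon=True).start()

if __name__ == "__main__":
    serve()
```

With the SSH session and its dynamic forward up, WinBox is pointed at 127.0.0.1:8090 exactly as in the `-L` case; only TCP:22 needs to be reachable on the router's WAN side.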