How to Create a Personal 'VPN' for Your Web Browser

This tutorial guides you through setting up a lightweight, secure proxy using SSH dynamic port forwarding. This effectively tunnels your web browser's traffic through a remote Virtual Private Server (VPS), masking your IP address and encrypting your browsing activity. This method is an excellent, low-cost alternative to a commercial VPN for securing your web browsing.
Instructions are provided for Windows and macOS clients, assuming the remote VPS is running a modern Linux distribution like Ubuntu.
How It Works (and Its Limitations)
What it does: It creates an encrypted tunnel between your computer and your VPS. All traffic from a configured web browser will go through this tunnel, appearing to originate from your VPS's IP address.
What it doesn't do: This is not a system-wide VPN. It only proxies traffic for applications you specifically configure (in this case, your browser). Other applications and services on your computer will use your regular internet connection. It also primarily handles TCP traffic (like web browsing), not UDP traffic (used by some games or streaming protocols).
Prerequisites
A VPS: A cloud server from a provider like Hetzner, DigitalOcean, Linode, Vultr, or AWS, running a recent Linux distribution (e.g., Ubuntu 22.04 or later).
Command-Line Familiarity: Basic comfort with using a terminal (Linux/macOS) or PowerShell/Windows Terminal (Windows).
An SSH Client: Modern versions of Windows, macOS, and Linux all have this pre-installed.
A Web Browser: Firefox is recommended due to its straightforward proxy and DNS settings.
Step 1: Configure the Remote VPS
First, we'll prepare the VPS to accept and forward our SSH connection securely.
1.1. Connect to Your VPS
Log in to your newly created VPS using its IP address.
ssh root@your-vps-ip
(It's common to log in as root initially. We'll create a separate user for better security.)
1.2. Create a User and Harden SSH Access
Create a New User (replace myuser with a username of your choice):
adduser myuser usermod -aG sudo myuser
Copy SSH Keys for Passwordless Login: From your local machine (Windows or macOS), generate a modern ed25519 SSH key. This is more secure and performant than older RSA keys.
# This command is run on your local computer ssh-keygen -t ed25519
Press Enter to accept the default file location and optionally enter a strong passphrase (recommended for security).
Copy the Public Key to the VPS: Run this command from your local machine, replacing myuser and your-vps-ip.
# This command is run on your local computer ssh-copy-id myuser@your-vps-ip
This automatically appends your key to the correct file on the server.
Log in as Your New User to confirm it works:
ssh myuser@your-vps-ip
Harden the SSH Server: Now, on the VPS, let's disable password logins to enhance security.
# These commands are run on the VPS sudo nano /etc/ssh/sshd_config
Find and change the following lines to no:
PasswordAuthentication no PermitRootLogin no
Ensure this line is present and set to yes (it usually is by default):
AllowTcpForwarding yes
Save the file (Ctrl+O, Enter) and exit (Ctrl+X). Then, restart the SSH service to apply the changes:
sudo systemctl restart sshd
1.3. Configure the Firewall
We need to ensure the firewall allows SSH connections. We'll use ufw (Uncomplicated Firewall), which is standard on Ubuntu.
# These commands are run on the VPS
sudo ufw allow OpenSSH # Allows connections on the standard SSH port (22)
sudo ufw enable # This will enable the firewall
Your SSH connection will not be interrupted, as ufw automatically adds a rule for the current session.
Step 2: Configure Your Client and Start the Tunnel
Now we'll connect from your local computer and create the forwarding tunnel.
Best Practice: Use an SSH Config File
This is the recommended way to manage SSH connections. It simplifies the command and makes it easy to remember.
On your local machine (Windows or macOS), create or edit the file ~/.ssh/config.
macOS/Linux: /Users/yourusername/.ssh/config
Windows: C:\Users\YourUser\.ssh\config
Add the following entry:
Host vps-proxy
HostName your-vps-ip
User myuser
DynamicForward 8081
ServerAliveInterval 60
ServerAliveCountMax 3
DynamicForward 8081: This tells SSH to create a SOCKS proxy on your local port 8081.
ServerAliveInterval: This keeps the connection alive by sending a "heartbeat" every 60 seconds, preventing dropouts.
2.1. Start the Tunnel
With the config file saved, open a terminal (PowerShell/Windows Terminal on Windows, Terminal on macOS) and run:
# This command is run on your local computer
ssh -N -C vps-proxy
-N: Tells SSH not to execute any remote commands—we only want to forward ports.
-C: Compresses data to save bandwidth.
The tunnel is now active! Keep this terminal window open. Closing it will terminate the proxy connection.
Step 3: Configure Your Browser
This is the final step. You need to tell your browser to send its traffic to the local SOCKS proxy you just created.
Firefox (Recommended)
Firefox has the best built-in proxy settings for this purpose.
Go to Settings > General > Network Settings > Settings...
Select Manual proxy configuration.
In the SOCKS Host field, enter localhost and set the Port to 8081.
Select SOCKS v5.
Crucially, enable "Proxy DNS when using SOCKS v5". This prevents your computer from leaking your location via DNS requests.
Leave all other proxy fields (HTTP, HTTPS) blank.
Click OK.
Chrome, Edge, or other Chromium-based browsers
These browsers typically rely on system-wide proxy settings, which can be cumbersome to toggle. It is highly recommended to use an extension to manage the proxy settings easily.
Install a proxy manager extension like "Proxy Switcher and Manager" or "FoxyProxy" from the Chrome Web Store.
In the extension's options, create a new proxy profile.
Set the configuration to:
Protocol: SOCKS5
Host: localhost
Port: 8081
Save the profile and enable it in the extension to route your traffic through the tunnel.
Step 4: Verify Your Connection
Make sure your SSH tunnel is still running in its terminal window.
Open your configured browser and visit a site like https://www.whatismyip.com. You should see the IP address of your VPS, not your home IP.
To be extra sure, visit https://www.dnsleaktest.com. Run the "Standard Test." The results should show DNS servers associated with your VPS provider, not your local ISP.
Optional: Further Security Hardening
If you want to make your VPS even more secure:
Install Fail2ban: This tool automatically blocks IP addresses that show malicious signs, such as too many password failures.
# Run on the VPS sudo apt update sudo apt install fail2ban sudo systemctl enable --now fail2ban
fail2ban works out-of-the-box with default settings and requires no further configuration for basic SSH protection.
Change SSH Port (Security through obscurity):
Pick a custom port number (e.g., 2222).
On the VPS, allow it through the firewall: sudo ufw allow 2222/tcp
Edit /etc/ssh/sshd_config and change the Port 22 line to Port 2222.
Restart SSH: sudo systemctl restart sshd
Update the Port line in your local ~/.ssh/config file to match.
Subscribe to my newsletter
Read articles from Harish Garg directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by

Harish Garg
Harish Garg
I build systems that blend AI and automation to solve real-world problems