Using SSH tunnels

May 10, 2014. Categories: Networking, Security, System

SSH provides a secure login for Windows and Unix clients and servers. SSH replaces telnet, ftp and other remote login utilities with an encrypted alternative. An SSH tunnel is created by logging in to an ssh server and, in the same session, configuring a local listen port together with a destination IP address and port on the far side. Traffic entering the local port runs through the existing ssh connection, which provides an encrypted transport between us and the ssh server and can optionally compress the data in transit over the network.

Requirements

Of course, to be able to use ssh tunneling you need an ssh server running somewhere and a working login on it. You also need a client to connect with. On Linux this is probably already installed and is called ssh. Windows has no native ssh client, but there is an open source one called PuTTY. This tutorial isn’t written for PuTTY, but all the examples given here can quite easily be entered in the GUI used for connecting with PuTTY.

Linux usage

ssh <user>@<host> -L <local_listen_port>:localhost:<port_number>

… where <local_listen_port> is the port we connect to locally; the connection comes out on the other side at localhost:<port_number>. In this example we are connecting to “localhost” on the other side, thus the ssh server itself. We could just as well connect to another PC in that network by replacing localhost with the IP address or hostname of that other PC.

Examples

Connecting to SMTP

Let’s say we would like to use an SSH tunnel to reach another server’s SMTP service (port 25), which from outside is either not permitted or blocked by a firewall. We create a tunnel to that server that listens locally on port 2500 (any port below 1024 requires root privileges) and, on the far side, connects to port 25 on the server itself, so the destination is again localhost.

ssh <user>@server.com -L 2500:localhost:25

Now we configure our local email program to use our local “SMTP” port, localhost:2500. Mail is now tunneled securely to server.com and sent from there, as if it had originated on that server.

Connecting to VNC

I sometimes use VNC to connect from work to my own desktop at home. I do not like to forward ports on my firewall, as the standard VNC ports are a popular target for attackers. VNC itself does not use encryption, so using it across the internet isn’t the best of ideas… unless you use an SSH tunnel ;-) Personally I use TightVNC as both client and server. TightVNC uses port 5901 by default. To keep things simple we use the default port locally too. In this example, however, I do not want to connect to the ssh server itself for VNC, but to another PC in the internal network behind that server.

ssh <user>@<host> -L 5901:192.168.0.10:5901

What this means is that all incoming connections on local port 5901 are routed through the server I connected to with ssh and delivered to 192.168.0.10:5901 (the IP address of the other machine, with the matching port number).

Now, to connect to the VNC server, I point my client at localhost:5901:1 (the trailing :1 meaning screen #1; see the TightVNC documentation for an explanation).

Connecting with compression

An SSH tunnel not only has the advantage that nobody can listen in on your transfers, it also gives you another neat feature of SSH: compression. To add compression to your connection, just add -C to the command you use to connect.

ssh -C <user>@<host> -L 5901:192.168.0.10:5901

More than one port at a time

If you need more than one port tunneled, just add another -L option. For example, to combine both previous commands and use both forwards from the same session:

ssh -C <user>@<host> -L 2500:localhost:25 -L 5901:192.168.0.10:5901

This single session now gives us access to the server’s SMTP service and to the VNC port of the other computer in that network, over a secure, compressed connection.
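The combined command above, wrapped in a small POSIX sh helper as an added example (this is not the original post’s script, and the function names and the “<user>@server.com” login are placeholders chosen for the example). Beyond what the post shows, it validates each forward before handing it to ssh, pins the listening side to 127.0.0.1 so the tunnel entrance is never reachable from other machines, runs the session in the background without a remote shell, and makes ssh fail instead of silently dropping a forward whose local port is already taken.

```shell
#!/bin/sh
# Added example for this post (not the original author's script): a helper
# around "ssh -L" that validates each forward, pins the listening side to
# 127.0.0.1, and makes ssh abort if a forward cannot be set up. The function
# names and the "<user>@server.com" login are assumptions for the example.

# valid_port PORT: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCAL_PORT TARGET_HOST TARGET_PORT
# Prints the argument for one -L option. The listen address is written out
# as 127.0.0.1 so the entrance is only reachable from this machine (ssh
# binds to loopback by default, but a GatewayPorts setting in the client
# config would change that, so we do not rely on the default).
forward_spec() {
    local_port=$1; target_host=$2; target_port=$3
    valid_port "$local_port" || { echo "bad local port: $local_port" >&2; return 1; }
    valid_port "$target_port" || { echo "bad target port: $target_port" >&2; return 1; }
    # Listening below 1024 needs root; the post picks 2500 for SMTP for this reason.
    if [ "$local_port" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "local port $local_port needs root; choose 1024 or higher" >&2
        return 1
    fi
    printf '127.0.0.1:%s:%s:%s\n' "$local_port" "$target_host" "$target_port"
}

# ssh_tunnel USER@HOST SPEC [SPEC ...]
# Opens every forward in one background session:
#   -N                           run no remote command, only the forwards
#   -f                           go to background once the forwards are up
#   -C                           compress the traffic, as in the post
#   -o ExitOnForwardFailure=yes  exit instead of silently dropping a -L
#                                whose local port is already in use
ssh_tunnel() {
    remote=$1; shift
    count=$#
    while [ "$count" -gt 0 ]; do
        spec=$1; shift
        set -- "$@" -L "$spec"   # consume one spec, append "-L spec" at the end
        count=$((count - 1))
    done
    ssh -C -N -f -o ExitOnForwardFailure=yes "$@" "$remote"
}

# tunnel_listening PORT: check that the local entrance is up and bound to
# loopback only (Linux with iproute2; "ss" is not available everywhere).
tunnel_listening() {
    ss -ltn "sport = :$1" | grep -q "127.0.0.1:$1"
}

# Usage (needs a reachable ssh server, so it is not run here):
#   smtp=$(forward_spec 2500 localhost 25) || exit 1
#   vnc=$(forward_spec 5901 192.168.0.10 5901) || exit 1
#   ssh_tunnel '<user>@server.com' "$smtp" "$vnc" && tunnel_listening 2500
```

Once the session is up, `ss -ltn` should show the forwards bound to 127.0.0.1 only; if it shows 0.0.0.0 or [::], the listening side has been opened to the network and the tunnel entrance is no longer private to your machine.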
