This site is now 100% read-only, and retired.

Tunneling connections securely with SSH

Posted by Anonymous on Tue 2 Nov 2004 at 00:04

There are many situations where you might want to send traffic over a secure link, and this is exactly what SSH allows you to do. Any form of TCP/IP connection can be sent across a tunnel providing you have access to a remote SSH server at the 'far side'.

One common use of SSH tunnels is for gaining access to facilities which are unreachable from your local machine.

For example if you are at work and you have access to an SSH server upon your home machine, and a proxy server running there too, you can surf the web using the secure tunnel. This keeps all records of your site visits out of the company log files.

Another reason to use a tunnel is to send insecure data over a secure, encrypted, link. This can come in handy when you wish to check email in a hostile environment for example.

To use a SSH tunnel you need to have two things:

  • The ability to make outgoing SSH connections.
  • A remote SSH server upon a host which can reach the resource you wish to access - it doesn't matter if you can't reach it, so long as the server can reach it and you in turn can reach that.

The most popular SSH client for Windows PuTTY also allows you to establish tunnels, which is worth remembering.

A tunnel is exactly what its name would suggest, a link between a service running on a remote machine and your own local machine.

You can cause all data sent to a local port upon your local machine to be seamlessly sent to a port on a remote machine with the encryption and compression facilities that OpenSSH supports.

Lets pretend we're stuck at work and we have a remote server which is running a POP3 mail server, and also an SSH server.

If we login with our mail client directly the user name and password we use to login to that mail server will go over the network in plain text, as will the contents of your messages. This could allow a user on your network to read them as they are in transit.

Using SSH we can create a tunnel between the remote POP3 server and the local machine - then when that is up we can point the mail client at the local machine.

Any requests it makes will go out across the tunnel and end up at the mail server on the far side.

We will run the following command:

ssh -C -L 1100:localhost:110 username@host

This will prompt you for a password for the remote machine host, then once you've logged in will create a tunnel. Everything sent to the local machine on port 1100 will be sent to the remote machine localhost on port 110. (Which is the service for POP3)

The '-C' causes all the traffic to be compressed, which is a useful thing to remember :).

Tunneling other ports can be added easily too. If you have access to a remote proxy server from your remote login you can setup a tunnel to that, then point your browser at your local machine.

Assume that you have a login on a gateway machine gateway which can reach a machine called proxy, which is running the Squid proxy server on port 3128.

Run this:

ssh -C -L 8080:proxy:3128 user@gateway

Now you have a tunnel which is listening upon the localhost on port 8080 - so you can setup your browser proxy server to http://localhost:8080/ and enjoy secure browsing.

Using PuTTY for port forwarding on Windows machines is just as simple, this document contains a good example with screen shots.



Re: Tunneling connections securely with SSH
Posted by Anonymous (220.160.xx.xx) on Wed 29 Mar 2006 at 16:54
I don't have a remote ssh server. Is it possible that I setup a local ssh server and tunnel all my connections over it?

so will this work?

ssh -C -L 1100:localhost:110 username@localhost

If I use fetchmail, how do I decide which local port to tunnel? I think many local ly initiated connections use randome ports. How can I decide which port to tunnel?

Perhaps I can tunnel all local ports?

[ Parent ]

Re: Tunneling connections securely with SSH
Posted by Anonymous (58.9.xx.xx) on Wed 26 Apr 2006 at 08:51
You can, but it won't do anything as SSH encrypt the connection from the user to the ssh server and the rest remain unencrypted

[ Parent ]

Re: Tunneling connections securely with SSH
Posted by vahabzadeh (217.219.xx.xx) on Mon 3 Aug 2009 at 09:31
Hi there,
I have a debian server which runs squid on 8080 port on it,
I want to do tunnel in it with other remote server and route all my squid traffic via tunnel, what can I do ?

ssh -C -L 8181:localhost:8080 user@remote

this does not work :-?

I want to set proxy on my server like this : myserver:8080
and route traffic through tunnel.

[ Parent ]