SSH Tunnels

The idea behind SSH tunnels is to encrypt otherwise unencrypted traffic. You can tunnel any TCP connection through SSH: VNC, POP3, …

Concept

The procedure is very simple: open an SSH connection to a host and enable port forwarding through it.

Prerequisites

[illustration of SSH tunnel] The image illustrates what happens: the forwarded connection is protected only from the client to the host. On the host, the connection is unwrapped and continues (unencrypted) to the destination.

This is a good way of manoeuvring through hostile networks: I am using SSH tunnels to connect to databases via the internet. To do so, I log in at the remote gateway and forward the connection to the database server.

HOWTO… with PuTTY

You should know a little bit about Secure Shell (at least how to establish a normal SSH session that ends at a console). I won't describe that here.

Let's assume we want to connect to a webserver (the destination, listening on port 80) behind a gateway (the host). I know there is HTTPS, but this should just serve as an example.

For the sake of this example, the host's name is gateway.mydomain.bogus and the destination's name is beeblebrox. Start up PuTTY as normal, but before connecting to gateway.mydomain.bogus go to PuTTY's Tunnels option:
[PuTTY config: add forwarding of LOCAL port '8888' to 'beeblebrox:80']

You can see that local port 8888 is forwarded to beeblebrox' port 80. That means any connection to port 8888 on your local computer is actually sent to beeblebrox' webserver.

You just have to add this port forwarding (click the Add button), then connect to the server and log in as usual. The tunnel should now be available.

Hints: The name beeblebrox is resolved on the server you are connecting to (in this case gateway.mydomain.bogus), not on your local machine. Otherwise you could never reach computers with private IP addresses (192.168.1.3, for instance).
The checkbox "Local ports accept connections from other hosts" determines whether another computer can connect to your forwarded port (and thus use the tunnel).

If you have a command-line SSH2 client, you can enter ssh -L 8888:beeblebrox:80 gateway.mydomain.bogus to create a tunnel from your client to the gateway and forward local port 8888 to beeblebrox' port 80.

Now fire up your favourite browser and enter http://localhost:8888/. You should see beeblebrox' webserver answering.

That's it. It is not too hard, once you know how to create the tunnel. And as I mentioned before: You can tunnel any TCP connection through SSH.
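As an added illustration (not part of the original HOWTO), the following Python models the client end of the forwarded port described above: a listener on a local port that hands every accepted connection on to the destination, the way ssh -L 8888:beeblebrox:80 or PuTTY's Tunnels page does. The SSH transport between client and gateway is deliberately left out; what the model shows is how the forwarded port itself behaves and how the "Local ports accept connections from other hosts" checkbox (ssh's -g option) changes the address the port is bound to. The destination is a constructed stand-in that answers one request; CANNED_REPLY, start_local_forward, start_fake_webserver and demo are names made up for this example.

```python
import socket
import threading

CANNED_REPLY = b"HTTP/1.0 200 OK\r\nContent-Length: 6\r\n\r\nhello\n"  # constructed reply of the stand-in destination

def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Relay bytes one way until EOF, then pass the EOF on to the other side."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def start_local_forward(local_port: int, dest: tuple, accept_from_other_hosts: bool = False) -> socket.socket:
    """Client end of 'ssh -L local_port:dest_host:dest_port', minus the SSH transport.
    accept_from_other_hosts mirrors PuTTY's checkbox (ssh -g): off = loopback only, on = every interface."""
    bind = "0.0.0.0" if accept_from_other_hosts else "127.0.0.1"
    listener = socket.create_server((bind, local_port))
    def accept_loop() -> None:
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener closed
            upstream = socket.create_connection(dest)  # one local connection -> one connection to dest
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener

def start_fake_webserver() -> tuple:
    """Constructed stand-in for beeblebrox:80: answers one request, then closes. Returns its address."""
    srv = socket.create_server(("127.0.0.1", 0))  # port 0 = any free port
    def serve_one() -> None:
        with srv, srv.accept()[0] as conn:
            conn.recv(4096)
            conn.sendall(CANNED_REPLY)
    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()

def demo(accept_from_other_hosts: bool = False) -> tuple:
    """Fetch through the forwarded port; returns (address the port is bound to, reply bytes)."""
    fwd = start_local_forward(0, start_fake_webserver(), accept_from_other_hosts)
    bind_addr, port = fwd.getsockname()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    fwd.close()
    return bind_addr, reply
```

With the checkbox off, demo() reports the forwarded port bound to 127.0.0.1 and returns the stand-in's reply; with it on, the same port is bound to 0.0.0.0, which is exactly why the checkbox matters on a shared or hostile network.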

Addenda

Remote forwarding

Remote port forwarding from computer A to computer B is the same as if you sat on computer B and did a local forward to computer A. This only matters if you cannot open an SSH tunnel directly from computer B (for instance because B runs an SSH server but has no SSH client).

Batch files

PuTTY can also be used from the command line (and thus within scripts) to establish an SSH tunnel. You need to prepare a session:

  1. Prepare public-key authentication (the server must support it, though). Take a look at the PuTTY documentation about public keys.
  2. Configure the ports you want to forward.
  3. Use the prepared private/public key pair with this connection.
  4. Save the session.

Now you can use plink.exe (available from the PuTTY download page) to establish the session by its name: plink <sessionname>

DNS pitfall

When I first tried tunnelling I noticed some problems with connections to localhost on the remote computer. I just could not establish a tunnel. After some hacking around I found that the name resolution of localhost didn't work properly on the remote machine. There was no localhost entry in the zone file.
So if you need to connect to localhost, then either edit the zone files — if you are allowed to — or connect to localhost. (note the dot!) or 127.0.0.1.

Created: 2001-06-30 — last modified: 2003-10-01 — last update of web site: 2009-09-29