
    1. Intro
    2. Poor Man's VPN
      1. Poor man's VPN using PuTTY
      2. Poor man's VPN using the OpenSSH client
    3. Forward a remote port to the local machine
    4. A Portable Solution

Intro

Port forwarding using SSH is quite useful and also easy. You can have an SSH client listen on a local port and use it to connect to a remote machine that might be inside of an Intranet.

All the traffic between the connecting machine and the destination host will be encrypted.

It works both ways: you can also have the ssh server listen on a port on the remote machine and forward connections made to that port to the host you're connecting from (or to another host reachable from the machine that initiates the connection).

With ssh and port forwarding you can set up a poor man's VPN. You can use it to connect to a machine that's inside of an Intranet, or allow a program outside your Intranet to connect to a machine inside of your Intranet. In both cases, you need a remote machine you can ssh to.

You might want to use autossh. This program starts an instance of ssh and monitors it, restarting it as necessary should it die or stop passing traffic. It can run in the background.

You might want to use ssh without a password (public key authentication).

This tip was written by Nelson Castillo.

Poor Man's VPN

Let's say we want to connect to a pop3 machine that's inside an Intranet without sending our password in clear text over the insecure Internet. This is the poor man's VPN solution. We would need access to a server that would act as our gateway to that Intranet. We will describe how to do it from PuTTY and how to do it from the command line using the OpenSSH client.

Poor man's VPN using PuTTY

If you find yourself restricted to a Windows machine, you can use PuTTY.

  1. Install PuTTY. Windows users can download it from the PuTTY website; Debian users can do an apt-get install putty.
  2. Configure a basic connection (host and port).
  3. Go to Connections→SSH→Tunnels
  4. Add the configuration of the pop3 service.
    1. In source port, put a 110. This is the local port. You might want to use another one.
    2. On destination, use the remote IP and the remote port. Let's suppose there is a pop3 server within the Intranet with IP 192.168.0.12. If port 110 is used for pop3 on that server, then you would type 192.168.0.12:110 in destination.
    3. Push the Add button.
    4. You can add more host:port entries if you wish.
  5. Save your changes.
  6. Connect to the server using PuTTY. You don't need to be the root user on the remote server in this case.
  7. Now use your Mail User Agent (Outlook, fetchmail, etc) to download email using 127.0.0.1 as your servername and port 110.
  8. Check your mail. It should work.

Poor man's VPN using the OpenSSH client

From "man ssh":

-L port:host:hostport specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.

So, to connect using example.com as the gateway to a pop3 server with IP 192.168.0.12 inside of the Intranet of Example Inc, you would write:

$ ssh example.com -L 1100:192.168.0.12:110

Enter your password (if you need to) and then you can connect to the local port 1100 to check your mail. We used an unprivileged port (> 1024). You can have OpenSSH listen on a privileged port if you're the root user on the local machine.

You can forward more ports:

$ ssh example.com -L 1100:192.168.0.12:110 -L 1101:192.168.0.12:25

Forward a remote port to the local machine

This time we will suppose you're inside of an Intranet and you want to show a webpage to a friend who can give you an unprivileged ssh account on their PC. So you will ssh from your machine to your friend's computer and allow them to connect to your web server.

From "man ssh":

-R port:host:hostport specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine. Port forwarding can also be specified in the configuration file.

Remote host: friend.example.com
Remote port: 8080
Web server in your Intranet: 192.168.0.2 port 80.

$ ssh friend.example.com -R 8080:192.168.0.2:80

You can use 127.0.0.1 as the local IP if you want to allow your friend to connect to a service on your own machine (the one running ssh) rather than to another host in the Intranet.
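As an added example (not from the original page), the shell functions below build the -L command from the previous section and the -R command from this one. They reject malformed port:host:hostport specs and add the options a practitioner would want: no remote shell, exit if the forward cannot be set up, and an explicit loopback bind for -L so the local listener is not reachable from the LAN. The hostnames and addresses are the page's own examples; the extra options and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Validates port:host:hostport
# forward specs and prints a hardened ssh command for -L or -R forwards.
# Hosts/addresses are the page's examples; the extra options are assumptions.

# valid_port NUM -> 0 if NUM is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_spec PORT:HOST:HOSTPORT -> 0 if well-formed, else 1 (message on stderr)
check_spec() {
    port=${1%%:*}; rest=${1#*:}
    host=${rest%%:*}; hostport=${rest#*:}
    if [ "$port" = "$1" ] || [ "$host" = "$rest" ] || [ -z "$host" ]; then
        echo "bad forward spec: $1 (want port:host:hostport)" >&2; return 1
    fi
    valid_port "$port" && valid_port "$hostport" || {
        echo "bad port number in forward spec: $1" >&2; return 1; }
}

# forward_cmd -L|-R GATEWAY SPEC... -> prints the ssh command line.
#  -N                        no remote shell; the session exists only for the tunnel
#  ExitOnForwardFailure=yes  exit instead of silently running without the tunnel
#  ServerAliveInterval=30    notice a dead link (autossh -M 0 relies on this too)
#  127.0.0.1: prefix on -L   the local listener is reachable only from this host
# A -R listener binds to the remote loopback unless sshd sets GatewayPorts.
forward_cmd() {
    mode=$1; gateway=$2; shift 2
    [ "$mode" = "-L" ] || [ "$mode" = "-R" ] || { echo "mode must be -L or -R" >&2; return 1; }
    cmd="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    for spec in "$@"; do
        check_spec "$spec" || return 1
        if [ "$mode" = "-L" ]; then
            cmd="$cmd -L 127.0.0.1:$spec"
        else
            cmd="$cmd -R $spec"
        fi
    done
    printf '%s %s\n' "$cmd" "$gateway"
}

# The two forwards from the page: pop3 + smtp via example.com, web via the friend's PC.
forward_cmd -L example.com 1100:192.168.0.12:110 1101:192.168.0.12:25
forward_cmd -R friend.example.com 8080:192.168.0.2:80
```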

A Portable Solution

The above works great if you own/administer the computer you are on, but what if you're at school or work? In these situations, you won't have administrative access to the machine, so you can't install programs (PuTTY), nor would you want to (PuTTY keeps its history in the registry, so anyone with any knowledge of the registry can see where you've been, and seeing as how the above suggests password-less SSH, this is a bad thing). The steps below will allow you to accomplish the same as above, except remotely and without leaving any traces behind.

What you will need:

  1. USB Stick
  2. portaPuTTY (http://socialistsushi.com/portaputty)
  3. A remote server running sshd
    1. You will also need to open your router/firewall ports to allow SSH in. I would NOT run sshd on the default port 22; pick something arbitrary and high, as most schools/businesses block lower ports. 443 is also a good option, as encrypted traffic over that port does not look suspicious.
    2. Having a permanent IP is also a good thing, so you won't have to remember what it is every time you connect. Services like DynDNS are free and allow you to associate your dynamic IP address with a permanent hostname.

First, download portaPuTTY (get the binary zip) and extract the files onto the USB stick. Find putty.exe and open it. For the purpose of demonstration, our remote host (your computer running sshd) will be remote.host.com, and the SSH service will be running on port 12345.

Now follow the directions for reaching your mail server (the same as above):

  1. Put remote.host.com in the Host name (or IP Address) box, and 12345 in the Port box.
  2. Go to Connections→SSH→Tunnels
  3. Add the configuration of the pop3 service.
    1. In source port, put a 110. This is the local port. You might want to use another one.
    2. On destination, use the remote IP and the remote port. Let's suppose there is a pop3 server within the Intranet with IP 192.168.0.12. If port 110 is used for pop3 on that server, then you would type 192.168.0.12:110 in destination.
    3. Push the Add button.
    4. You can add more host:port entries if you wish.
  4. Save your changes.
  5. Connect to the server using PuTTY. You don't need to be the root user on the remote server in this case.
  6. Now use your Mail User Agent (Outlook, fetchmail, etc) to download email using 127.0.0.1 as your servername and port 110.
  7. Check your mail. It should work.

This solution will allow you to connect to your remote computer from (almost) any location, securely. These are some guidelines to make your session even more secure:

  1. Do NOT use password-less authentication UNLESS you use Public Key authentication.
  2. Use Public Key authentication, much more secure than password auth.
    1. Don't pick a crappy password for your private key. If someone finds/steals your USB key and you have NO PASSWORD, they have full access to your machine. In short, don't be an idiot.
  3. Use random port numbers for your SSH server. Something high or 53 (DNS), as this will always be open for businesses and schools that connect to the Internet. Also, 80 or 443 are good choices if you don't run a webserver at home.
  4. You can forward anything through SSH: web browsing, ftp, VNC, whatever. If you are working remotely, use a secure tunnel to connect to your home machine. Protocols like FTP, TELNET and HTTP all send information (including passwords) in clear text. Anyone sniffing your connection can gain access to this information.
  5. Another secure solution to web browsing is Tor and its portable partner, Torpark.

Last update: 2007-02-25 (Rev 10674)
