What is SSH tunnelling?
SSH (Secure Shell) creates a secure channel between two computers. Its most common uses are secure terminal access and secure file transfer, but it can also forward otherwise unencrypted network connections between machines. With an SSH tunnel, external users can reach internal resources.
SSH tunnelling is a way to send any data, including data that is already encrypted, over a secure SSH connection. An SSH tunnel routes connections made to a local port (a port on your own desktop) through the secure channel to a remote machine. For security reasons, not all ENCS network services are directly reachable from outside the network; the easiest way to reach such a protected resource from offsite is to tunnel through a resource that is accessible.
The following components are required for creating an SSH tunnel:
Target server: the server that offers a network service to clients, for example HTTP or VNC.
SSH server: the server that accepts connections from SSH clients.
SSH client: the program that listens on a local port and forwards its traffic through the SSH server to the target server.
The SSH server can run on the same machine as the target server or on a separate one, depending on your needs. Note that an SSH tunnel does not encrypt the traffic between the SSH server and the target server, so if they are separate machines they should sit on a trusted network.
How does reverse SSH tunnelling work? And are SSH tunnels bidirectional?
We will explain how SSH tunnelling works with the help of a hypothetical scenario.
First assumption: imagine that an SSH connection is a big tube. These big tubes are what you normally use to connect to remote computers; at the far end the shell runs on a TTY (virtual terminal).
Second assumption: think of an SSH tunnel as a smaller tube running inside the big tube (the SSH connection).
The big tube, your SSH connection, starts at the SSH client and ends at the machine you connected to, which is the SSH server. Because the smaller tubes (SSH tunnels) run inside the big tubes (SSH connections), they have the same two endpoints. Which endpoint acts as the “start” (the listening side) and which as the “end” (the delivering side) depends on whether the tunnel was created with -L or -R respectively.
A tunnel is created by specifying an address and port on which it will listen, and an address and port to which accepted connections will be delivered.
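To make the “listen on one address and port, deliver to another” mechanism concrete, here is a minimal TCP forwarder in Python. It is an added example, not code from the original article or from OpenSSH: it models only the listening half of what the ssh client does for -L (accept a connection locally, open a connection to the delivery address, copy bytes both ways), without the encrypted SSH transport in between. The target server, the payload and the `Forwarder`, `start_target_server`, `send_through` and `demo` names are all constructed for the demonstration. Python is used rather than an ssh command line so the whole thing runs on one machine with no SSH server.

```python
import socket
import threading

# Added illustration, not OpenSSH code: a plain TCP relay modelling only the
# "listen on address:port, deliver to address:port" half of an ssh -L tunnel.
# The encrypted transport is omitted; in a real tunnel each accepted connection
# rides inside the SSH connection and the SSH server opens the delivery leg.

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _relay(client, target):
    """Open the delivery-side connection and relay in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

class Forwarder:
    """Listen on bind_address:port and deliver every connection to target."""

    def __init__(self, target, bind_address="127.0.0.1", port=0):
        # Loopback by default, as ssh -L does: only processes on this host can
        # use the tunnel unless a wider bind address is chosen deliberately.
        self.target = target
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_address, port))   # port 0 = any free port
        self.sock.listen(16)
        self.address = self.sock.getsockname()  # (host, chosen port)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listening socket closed
                return
            threading.Thread(target=_relay, args=(conn, self.target), daemon=True).start()

    def close(self):
        self.sock.close()

def start_target_server():
    """Constructed stand-in for the target server: echoes input upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data.upper())

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def send_through(listen_address, payload):
    """Connect to the forwarder's port, send payload, return the full reply."""
    with socket.create_connection(listen_address, timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # end of request; replies still flow back
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def demo(payload=b"hello through the tunnel"):
    """Run target and forwarder on loopback, push payload through, return reply."""
    target = start_target_server()
    fwd = Forwarder(target.getsockname())
    try:
        return send_through(fwd.address, payload)
    finally:
        fwd.close()
        target.close()
```

Calling `demo()` starts the constructed target, starts the forwarder on a free loopback port, sends the payload through the forwarder and returns what the target echoed back. The `bind_address` default of 127.0.0.1 is the point to notice: like ssh -L, the listener is private to the machine unless you widen it on purpose.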
There are three types of port forwarding, and hence three ways to create an SSH tunnel:
- Local port forwarding
- Remote port forwarding
- Dynamic port forwarding
Local: to forward a port on the local host (the client) to a host and port reachable from the remote side, use -L.
Syntax:
ssh -L sourcePort:forwardToHost:onPort connectToHost
example:
ssh -L 123:localhost:433 remotehost
Explanation: the command above makes ssh connect to remotehost, and every connection made to local port 123 is forwarded to port 433 on localhost, where localhost is resolved by remotehost, that is, it is remotehost itself. That port is reachable only because the SSH connection to remotehost exists.
Remote: -R makes a port on the remote (server) machine forward to a port on the local machine.
Syntax:
ssh -R sourcePort:forwardToHost:onPort connectToHost
example:
ssh -R 123:localhost:433 remotehost
Explanation: the command above makes ssh connect to remotehost, and every connection made to port 123 on remotehost is forwarded back through the SSH connection to port 433 on localhost, which here is the machine running the ssh client. Thanks to the SSH connection, that local port is reachable from remotehost.
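The two explanations above turn on a single rule: the forwardToHost:onPort part of the specification is resolved by the machine that makes the outgoing connection, which is the SSH server for -L and the SSH client for -R, while the listening port opens on the other end. The following Python, an added example that is not part of the original article or of OpenSSH, parses ssh's forwarding specifications ([bind_address:]port:host:hostport for -L and -R, [bind_address:]port for -D) and reports which machine listens, which machine connects, and whether the listener is reachable from other hosts. The `Forward` class, `parse_forward` function and the default machine names "client" and "server" are constructed for the example; it goes beyond the page by also accepting the optional bind_address prefix and the -D form.

```python
from dataclasses import dataclass

# Added illustration, not OpenSSH code. Bracketed IPv6 literals are not
# handled. For -R, a bind_address in the spec is only honoured if the
# server's GatewayPorts setting allows it; otherwise sshd binds to loopback.

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

@dataclass
class Forward:
    flag: str           # "-L", "-R" or "-D"
    listen_host: str    # machine that opens the listening port
    bind_address: str   # interface the listener is bound to
    listen_port: int
    connect_host: str   # machine that resolves and connects to the target
    target: str         # "host:port", or "chosen per SOCKS request" for -D

    @property
    def exposed(self):
        """True when hosts other than listen_host can reach the listener."""
        return self.bind_address not in LOOPBACK

    def describe(self):
        text = (f"{self.listen_host} listens on {self.bind_address}:{self.listen_port}; "
                f"{self.connect_host} connects to {self.target} (resolved on {self.connect_host})")
        return text + (" [reachable from other hosts]" if self.exposed else "")

def _port(text):
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port

def parse_forward(flag, spec, client="client", server="server"):
    """Interpret `ssh <flag> <spec>` run on `client` against SSH server `server`."""
    parts = spec.split(":")
    if flag == "-D":
        if len(parts) == 1:
            bind, port = "localhost", parts[0]
        elif len(parts) == 2:
            bind, port = parts
        else:
            raise ValueError(f"bad -D spec: {spec!r}")
        # -D is a SOCKS proxy on the client; the server connects wherever each
        # SOCKS request asks, so there is no fixed target.
        return Forward(flag, client, bind or "*", _port(port), server,
                       "chosen per SOCKS request")
    if flag not in ("-L", "-R"):
        raise ValueError(f"unsupported flag: {flag}")
    if len(parts) == 3:
        bind, port, host, hostport = "localhost", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts   # empty bind or "*" = all interfaces
    else:
        raise ValueError(f"bad {flag} spec: {spec!r}")
    target = f"{host}:{_port(hostport)}"
    if flag == "-L":   # listener on the client; the server makes the outbound leg
        return Forward(flag, client, bind or "*", _port(port), server, target)
    return Forward(flag, server, bind or "*", _port(port), client, target)  # -R

if __name__ == "__main__":
    print(parse_forward("-L", "123:localhost:433", "college-pc", "remotehost").describe())
    print(parse_forward("-R", "123:localhost:433", "college-pc", "remotehost").describe())
```

Run against the two commands above, the -L form reports that remotehost resolves localhost:433 (so it is remotehost's own port 433), while the -R form reports that the ssh client resolves it. The `exposed` property flags a bind address such as 0.0.0.0 or *, which turns a private tunnel into a listener any host on the network can use.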
There are also the following options:
- ssh with -f will background itself once it has authenticated, so you do not need to keep a terminal open for the tunnel to stay up.
- The -N option tells ssh that you want the connection but do not wish to run any remote command. When a tunnel is all you need, this option saves resources.
- The -T option disables pseudo-tty allocation, since you are not creating an interactive shell.
Let’s look at some real-life scenarios that give a better and deeper understanding of SSH tunnelling / SSH port forwarding.
Suppose your college uses a proxy filter to block instagram.com. An SSH tunnel can get around this restriction. Suppose my college computer is “college-pc” and my home computer is “home-pc” (the home computer must be running an SSH server). Run the following command on “college-pc” to create the tunnel:
ssh -L 9090:instagram.com:80 <user>@home-pc
Local port forwarding is indicated by -L
“college-pc” now holds an SSH connection to “home-pc”, which runs an SSH server. In addition, college-pc listens on local port 9090, so an SSH tunnel exists between “college-pc” and “home-pc”. Each connection to that port is carried to the home computer, which then connects to instagram.com on port 80. So instead of the college computer connecting to instagram.com, the home computer does so on its behalf.
By browsing to localhost:9090 on college-pc, we reach Instagram; the home computer acts as the gateway.
Forwarding ports to remote tunnels via reverse tunnelling
As an example, you might want to reach an internal university website from your home computer. The university firewall blocks incoming traffic from outside, so the reverse tunnelling method must be used here.
ssh -R 9090:unilms-site.com:80 <user>@home-pc (executed from college-pc)
Reverse tunnelling is performed with the -R option.
At this point the SSH client on college-pc connects to the SSH server on home-pc, and home-pc opens port 9090 to receive requests. When localhost:9090 is visited on home-pc, the request travels back over the SSH channel to college-pc, which connects to the internal site and returns the reply to home-pc. In this way reverse tunnelling gives access to an internal university resource from the comfort of your home.