The Complete Geek

This is another one of those old school tools that can make your administration life much easier.

What is it:
It is easiest to think of an SSH tunnel as software VPN from your computer (Client) To the server serving SSH. You can then forward any traffic to or from your PC through this tunnel. While not like a full VPN in operations it allows you to forward traffic securely through the tunnel like you are on the network.

Why this instead of a true VPN you ask?

Because it is free, does not require specific network equipment, often pre configured to be ON already on most linux distro's, and setup is easy.

How I have used it:
I have used this tool in many scenarios from my home network, where I want to be secure or access resources that are either impractical to share out individually or were of a type you do not normally publish to the internet (Like Windows File sharing, or NFS)

Also have used it when I need access to resources in networks where there are either overly concerned network guys or where it was impractical because of design to publish out needed resources to the public internet.

Example:
Here is an example of the data flow when it is configured, this example encompasses tunneling a VNC session of the SSH server back through the tunnel and tunneling data (Windows file share port 139 from server 2 back to the ssh server then through the tunnel

Figure 1


Configuration:

Linux:
Using standard open SSH simply use the following line

ssh -L localport:remotemachine:remoteport Targetaddress

So for our example of VNC in Figure 1

ssh -L 5900:localhost:5900 SSHserversaddress

In plain English this tunnels local port 5900 through the tunnel and loops it back to the local host of the SSH server also on port 5900

Following Figure 1 if we wanted to then configure port 139 (windows file share)

ssh -L 139:Server2Address:139 SSHserversaddress

What this says is listen on local port 139, forward it through the tunnel to server2's address also on port 139 at the far side of that tunnel

Windows:


Advanced Usages:


There are a couple of advanced cases that you can use this for, once you have the concept down it is easy

1) Forwarding different local ports to the same port different destinations on the remote side

Linux:
ssh -L 5900:localhost:5900 -L 5901:Server2Address:5900 SSHserversaddress


What this does is forwards port 5900 to the localhost address of the ssh server also port 5900, it also forwards local port 5901 to server 2 port 5900

In this way you can have a whole bunch of the same traffic to different machines on the far side of the wire without having to change VNC configuration on the far side to listen to a non standard port.


In addition the -N flag can be useful it launches the tunnel without starting a remote session so you can use a 2nd session to communicate through the tunnel
Windows:


Figure 3




What this does is forwards port 5900 to the localhost address of the ssh server also port 5900, it also forwards local port 5901 to server2 port 5900


2) Setting the tunnel to accept connections from other computers on your network to forward through the tunnel.

This one I am going to do in putty only, But putty is available for linux as well. I am unsure if it can be done with openssh

Figure 4

Just one more checkbox here, what this allows you to do is forward on requests from other machines through the tunnel to the far side, making this even more VPN like (Kind of like VPN + NAT through the tunnel)

*Note in all above screenshots replace server2 with the IP address of Server 2 or the host name if the ssh server knows it