|Update to version: 13.1|
This article needs to be tested for a newer version. If you are using this guide on the newer version and you find the guide up-to-date to this version, please add the version number to the Knowledge bar. Please refer to version related jobs: SDB pages for more information.
Most programs making use of TCP connections can be passed over a secure tunnel using OpenSSH. This is used to multiplex additional TCP connections over a single ssh connection. It is useful for concealing connections and encrypting protocols which are otherwise unsecured, and for bypassing firewalls. UDP connections may sometimes be tunneled with the aid of programs such as netcat. Examples of easily tunneled programs include the X Window System, HTTP using a proxy and VNC. An X Window System tunnel is often created automatically between two Unix computers, so GUI programs from remote computers can be run simply by typing their names.
One of the most common ways to tunnel applications, is by port forwarding. You could, by example forward port 139, to tunnel SMB connections, or port 80 to tunnel a web server. Both localhost ports and remote address ports can be forwarded. This can be handy if you would like to forward your router's website which is located in your SSHD server network. In order to allow Port forwarding, edit /etc/ssh/ssh_config with your favorite editor and set, if it isn't already:
The setting of which and how ports are to be forwarded is done in one of the SSH config files or on the command line. In this examples we will use the personal configuration file ~/.ssh/config. Putting the options in /etc/ssh/sshd_config will work the same, but will be applicable for all users.
Local Forward means: forwarding a port from the server and "bind" it to a port on the client. Ports will by default be binded to the "localhost:port" address. If you specify an interface address (which must be an existing address of one of your computer's network interfaces) it will be binded to this address and can be accessed by other hosts, where your firewall allows. This will be a typical setting of a defined host based port forward. As normal user edit ~/.ssh/config with your favorite editor:
## These are just settings to define a host. Use "Host *" if you want to configure it for all hosts. You can define as must host as you like. Host ssh-server Hostname 220.127.116.11 Port 2222 ## Here we will define the Local Forwards ## # This forwards a POP3 server that is active on "ssh-server" LocalForward 1110 ssh-server:110 # This forwards a web server (eg your router) which is not active on "ssh-server" LocalForward 8080 192.168.1.1:80 # This forwards a squid proxy server that is active on "ssh-server" and binds it to an interface adress. LocalForward 192.168.1.103:3128 ssh-server:3128
Remote Forward means: forwarding a port from the client and "bind" it to a port on the server. Port binding behauvior is identical to Local Forward. This option will come in handy if you would like to make a service available to your SSHD server, which is only available in your local network. In addition to above examples:
# This forwards a local NFS server to "ssh-server". RemoteForward 1025 localhost:1025 # This forwards a local SSHD server to "ssh-server" and binds it to an interface address on "ssh-server" RemoteForward 172.20.20.1:5041 localhost:22
Dynamic Forward / creating SOCKS
Dynamic Forward gives you the possibility to create an "ad-hoc" proxy server. This is to support more flexible proxying than is possible with ordinary port forwarding. With this option only the "bind" address and port on the client are specified. All connection requests on this address will automatically be forwarded to the applicable address and port on the server side. When no "bind" address is specified, it will by default "bind" on localhost.
SOCKS tunneling is supported by the following popular programs: Chrome, Gnome-shell, and many others
In addition to above examples:
# This establishes a SOCKS server that listens on "localhost:1080". DynamicForward 1080 # This establishes a SOCKS server that listens on "192.168.1.103:5555", where your Firewall allows. DynamicForward 192.168.1.103:5555
# The command line flag would be: $ ssh -D 5555 192.168.1.103
To prevent anybody else from using your local forwarded ports, ports are usually "bind" to the localhost address. The GatewayPorts option gives you to choice to change this. Setting this option to yes will change the default "bind" to the wildcard address, meaning all your configured addresses. (local and external interfaces). You can add this line to one of you configuration files to enable it.:
Beginning with version 4.3, OpenSSH implements an OSI layer 2/3 "tun"-based VPN. This is the most flexible of OpenSSH's tunneling capabilities, allowing applications to transparently access remote network resources without "socksification."