SSH Tunnels
Why use SSH Tunnels?
In the past, all computers on the Computer Science Department network had public IP addresses. This means they were accessible from anywhere in the world. This was convenient for those working at home because they could directly connect to the computers in their offices and research labs.
Public IP addresses also caused problems. Because these computers were universally accessible, they could be attacked by anyone on the global Internet. They could also become infected by a virus or a worm and spread the infection to others.
By using the Computer Science Department's Linux Open Labs (which have public IP addresses), you can forward traffic to a computer with a private IP address (such as an office or research lab computer). This allows you to have the security of a private IP address, while retaining the convenience of a public IP address. It works in the same manner as a Virtual Private Network, but with a simpler configuration.
Overview
How does an SSH Tunnel work?
An SSH tunnel is a connection that takes traffic from an arbitrary port on one machine and sends it through an intermediate machine to a remote machine. Because it uses SSH to create the tunnel, all your data is encrypted.
There are three basic steps to creating a tunnel to a privately addressed machine, and it requires three machines: your local machine, an intermediate machine with a public IP address, and the privately addressed machine to which you want to establish a connection.
- Start an SSH connection from your local machine to the intermediate machine with a public IP address.
- Tell that connection to listen for traffic to some port on your local machine, and send it through the intermediate machine to a specific port on the privately addressed machine. This port is said to be forwarded.
- On your local machine, use the application that you want to connect to the remote machine, and tell it to use the forwarded port on your local machine. When you connect to the local port, it will look like it is the destination machine.
What are SSH Keys
SSH uses public and private encryption keys to secure communication between computers. When you initiate an SSH connection each machine exchanges public keys. Only the computer that has the matching private key can read communications encrypted with the public key. This means that public keys can be used to identify computers.
The first time you connect to a machine, SSH will warn you that it has never seen that computer before and cannot verify that it is the one you expect it to be. If you are sure that no one is trying to fool you into connecting to the wrong machine (a rather small risk) then you can just continue connecting. SSH will store the public key in a cache so that on subsequent connections it can compare the received public key with the cached version and verify that it hasn't changed. If the key has changed, SSH will warn you that someone could be trying to lure you into giving your password to the wrong machine. Usually such key changes are due to normal machine maintenance and nothing to worry about, but an unexpected change in the SSH key of the host to which you are connecting could mean that an attacker is intercepting your traffic. If you are paranoid then you might want to ask the administrator of the remote machine why the key changed.
Initiating an SSH Tunnel From Windows
To use an SSH tunnel you must first establish the tunnel using an SSH client, and then connect to it using the application which you want to access the remote machine. The next section shows you how to set up the tunnel. Each of the following sections will explain how to connect a specific application to the tunnel to access the privately addressed machine.
In each of these examples, the machine with a private IP is remotehost.cs.byu.edu. In our examples, we will always use apple.cs.byu.edu as the lab machine to forward our requests. When you do this, please use a different intermediate machine and connect to it on a different port. You can get a list of possible intermediate machines here.
Use Putty to set up a tunnel
Most SSH clients for Windows will allow you to create an SSH tunnel. For this document we will focus on Putty. You can get Putty at http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe. You don't need to install the program; just save the executable in a convenient place like the Desktop.
To establish the tunnel:
Open Putty.
In the Category pane of the application window, select the "Tunnels" option found under Connection->SSH.
In the main pane, in the "Port Forwarding" section, do this:
Add the port that you would like to forward (we chose 4444 here, but you should pick a random port number over 1000).
Type the hostname of the machine with the private IP in the Destination box (we use remotehost.cs.byu.edu).
At the end of the hostname, add a colon followed by the port number of the service you want to access through the tunnel. Common port numbers are:
- SSH 22
- Web 80
- VNC 5900
Our example uses port 22 for SSH.
If you are running an X server on your local machine, you can use X applications through the tunnel if you check the "Enable X11 forwarding" option on this dialog and connect to the tunnel with SSH (as described in the next subsection).
This is an image of how it should look:
Click the Add button.
In the Category pane, click on Session and:
Enter the hostname of the machine with a public IP address through which you want to establish your tunnel (we use apple.cs.byu.edu).
Select SSH as your protocol. This should set the port number to 22. This is an image of how it should look now:

Click Open. If Putty warns you about keys, you can probably click okay. See the sub-section "What are SSH Keys" in the "Overview" section of this document for more information.
Enter your username and password when prompted.
Sending SSH through the tunnel
Once you have created a tunnel to port 22 of the remote machine (using the instructions in the previous subsection), you can connect your SSH client to that tunnel. Make sure that you have an SSH server running on the privately addressed remote machine and:
Open a new copy of Putty.
In the Category pane of the application window, click on Session and:
Enter "localhost" in the "Host Name" box.
Select SSH as your protocol.
Enter into the "Port" box the number of the port on your local machine you forwarded to the remote machine. We used 4444, but you should enter whatever you used while creating your tunnel in the previous subsection. This image shows you how it should look:

Click Open. If Putty warns you about keys, you can probably click okay. See the sub-section "What are SSH Keys" in the "Overview" section of this document for more information.
Enter your username and password for remotehost when prompted.
You are now connected to remotehost.cs.byu.edu.
Receiving Web pages through the tunnel
Once your tunnel has been established to port 80 of the remote machine (using the instructions in the subsection "Use Putty to set up a tunnel"), you can view web pages served by remotehost.cs.byu.edu. Make sure that the web server is running on the privately addressed remote machine and:
- Open your Web Browser.
- In the location bar enter http://localhost:<PORTNUMBER>/, where <PORTNUMBER> is the number of the port on your local machine which you forwarded to the remote machine when you established your connection (in our example we used 4444, but you should have used a different number).
- The web pages served by remotehost.cs.byu.edu should appear in the browser.
Tunneling VNC
Once your tunnel has been established to port 5900 of the remote machine (using the instructions in the subsection "Use Putty to set up a tunnel"), you can connect a VNC client to a server running on remotehost.cs.byu.edu. Verify that a VNC server is running on the privately addressed remote machine and:
- Open your VNC client.
- The address you will connect to in your VNC client is localhost::<PORTNUMBER>/, where <PORTNUMBER> is the number of the port on your local machine which you forwarded to the remote machine when you established your connection (in our example we used 4444, but you should have used a different number). Make sure you use two colons, otherwise it will not work.
- After entering your VNC password you should be viewing the desktop of remotehost.cs.byu.edu.
Initiating an SSH Tunnel From Linux
To use an SSH tunnel you must first configure your Linux install to send traffic for the remote machine to the tunnel instead of the Internet, then you need to set up the tunnel with SSH, and finally you should connect to the tunnel using the application which you want to access the remote machine. The next section shows you how to configure the machine and set up the tunnel. Each of the following sections will explain how to connect a specific application to the tunnel to access the privately addressed machine.
In each of these examples, the machine with a private IP is remotehost.cs.byu.edu. In our examples, we will always use apple.cs.byu.edu as the lab machine to forward our requests, and we will forward port 4444. When you do this, please use a different intermediate machine and connect to it on a different port. A list of possible intermediate machines can be found here. When you establish your connection, you want to forward a random port over 1000.
Setting up the tunnel
Before using any specific application, you need to tell Linux to send traffic destined for the remote machine to the tunnel instead of to the Internet.
Make sure you have SSH installed. OpenSSH is part of the default installation of most Linux distributions.
Edit the /etc/hosts file. It should contain the line:
127.0.0.1 localhost
Change it to add the names of the computers you would like to access on the network, such as remotehost.cs.byu.edu. It should end up looking like this:
127.0.0.1 localhost remotehost.cs.byu.edu
This says: "Send any requests to remotehost.cs.byu.edu back to my local computer". You can add as many remote machines as you want by appending their hostnames to this list.
Then you need to use SSH to establish the tunnel.
Run the following command
ssh -X -f myusername@apple.cs.byu.edu -N -L 4444:remotehost.cs.byu.edu:<DESTPORT>
The -X allows you to forward X connections (graphical programs) from the remote host to your desktop. The -f tells SSH to run in the background after getting your password, and -N tells it not to run a remote command (the connection exists only to carry the forwarded port). 4444 is our example port number to forward; you should use the same port you will list in your .ssh/config (see "Sending SSH through the tunnel" below). <DESTPORT> is the port number of the service you want to access through the tunnel. Common port numbers are:
- SSH 22
- Web 80
- VNC 5900
Remember to choose a lab computer besides apple.cs.byu.edu.
Enter your password when prompted. If ssh warns you about keys, you can probably just type "yes" to continue with the connection. See the sub-section "What are SSH Keys" in the "Overview" section of this document for more information.
You might find it useful to create a small shell script so you don't have to type this every time. If you do that you will need to set up SSH to use keys instead of passwords when establishing the connections.
Sending SSH through the tunnel
After having added remotehost.cs.byu.edu to your /etc/hosts file, and having created an SSH tunnel using the instructions in the previous subsection, you can connect to that tunnel using SSH and access the privately addressed remote machine.
Make sure that when you established your tunnel (using the instructions in the previous subsection) you chose to forward a different local port numbered over 1000 for each remote machine, and that you specified port 22 as your <DESTPORT> for each machine to which you want to connect using SSH. If all that is correct, then:
Edit the file in your home directory called .ssh/config and add the following
Host remotehost.cs.byu.edu
    Port 4444
This says: "Make any SSH connections going to remotehost.cs.byu.edu use port 4444." You should have one of these entries for each remote computer to which you want to connect using SSH. Each specified computer should have a separate connection created for it using the instructions in the previous subsection, and each connection should use a different forwarded port numbered over 1000 instead of our example of port 4444.
You can now SSH to remotehost.cs.byu.edu in the normal manner and it will establish the connection through the tunnel that you have set up.
ssh -X remotehost.cs.byu.edu
The -X tells SSH to transmit any X applications through the tunnel and display them on your local desktop. If ssh warns you about keys, you can probably just type "yes" to continue with the connection. See the sub-section "What are SSH Keys" in the "Overview" section of this document for more information.
Enter your username and password for remotehost when prompted.
For this to work, make sure you have an SSH server running on the remote machine.
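The small shell script suggested in "Setting up the tunnel", combined with the .ssh/config entry from this subsection, as an added example that is not part of the original page: it picks a random local port over 1024, prints the config stanza, and starts the ssh -f -N -L tunnel with key-based login. The hostnames are the page's examples; the user name and key path are assumptions, and the HostKeyAlias line goes beyond the page so that changing the random port does not reset the host key check described in "What are SSH Keys".

```shell
#!/bin/sh
# Added example (not from the page): wraps the page's "ssh -f -N -L" tunnel
# setup and its ~/.ssh/config stanza in reusable functions.  The hostnames
# are the page's examples; the key path and user name are assumptions.
JUMP_HOST="apple.cs.byu.edu"        # intermediate lab machine (pick a different one)
REMOTE_HOST="remotehost.cs.byu.edu" # privately addressed target
SSH_USER="myusername"               # assumed account on the lab machine
KEY_FILE="$HOME/.ssh/id_ed25519"    # assumed key for password-less logins

# Random local port above 1024, read from /dev/urandom so it works in plain sh.
pick_port() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $((1025 + r % 64510))
}

# Build the ssh command: -f backgrounds after auth, -N opens no shell,
# -L local:remote:dest is the forward.  BatchMode forces key auth so the
# script never hangs on a password prompt (it also refuses unknown host keys,
# so make the first connection interactively); ExitOnForwardFailure makes
# ssh fail loudly if the local port is already taken instead of running a
# tunnel that forwards nothing.
tunnel_cmd() {
    local_port="$1"; dest_port="$2"
    printf 'ssh -f -N -o BatchMode=yes -o ExitOnForwardFailure=yes -i %s -L %s:%s:%s %s@%s' \
        "$KEY_FILE" "$local_port" "$REMOTE_HOST" "$dest_port" "$SSH_USER" "$JUMP_HOST"
}

# ~/.ssh/config stanza for the page's /etc/hosts trick (Port on its own line).
# HostKeyAlias caches the host key under the real name instead of
# "[remotehost.cs.byu.edu]:PORT", so changing the random port does not turn
# every login into a "new host" prompt and weaken the check from
# "What are SSH Keys".
config_stanza() {
    printf 'Host %s\n    Port %s\n    HostKeyAlias %s\n' "$REMOTE_HOST" "$1" "$REMOTE_HOST"
}

# Run as:  sh tunnel.sh start [DESTPORT]   (defaults to 22 for SSH)
main() {
    port=$(pick_port)
    echo "Add this to ~/.ssh/config:"; config_stanza "$port"
    cmd=$(tunnel_cmd "$port" "${1:-22}")
    echo "Running: $cmd"
    eval "$cmd"
}
case "${1:-}" in
    start) shift; main "$@" ;;
esac
```

After the tunnel is up, `ssh -X remotehost.cs.byu.edu` works exactly as described above, because /etc/hosts sends the name to 127.0.0.1 and the config stanza supplies the forwarded port.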
Receiving Web pages through the tunnel
Once you have created your SSH tunnel using the instructions in the subsection "Setting up the tunnel", you can connect to that tunnel in your favorite web browser and view web pages served from remotehost.cs.byu.edu. Make sure that you specified port 80 as your <DESTPORT> when establishing your connection.
Open your favorite Web browser.
Specify as the URL:
http://remotehost.cs.byu.edu:4444
Instead of our example port of 4444, you want to list in the URL the local forwarded port numbered over 1000 which you specified when creating the tunnel.
For this to work, make sure that you have an HTTP server running on the remote machine.
Tunneling VNC
Once you have created your SSH tunnel using the instructions in the subsection "Setting up the tunnel", you can connect to that tunnel using a VNC client and view the desktop of remotehost.cs.byu.edu. Make sure that you specified port 5900 as your <DESTPORT> when establishing your connection.
Open the VNC client and use the following URI:
remotehost.cs.byu.edu:4444
Instead of our example port of 4444, you want to list in the URL the local forwarded port numbered over 1000 which you specified when creating the tunnel.
For this to work, you have to have a VNC server running on the remote machine.