We’ve previously covered a number of Secure SHell (SSH) topics from best practice security settings through mounting remote file systems and keeping a customized local SSH configuration. For most users, SSH is simply used to connect to a remote terminal shell and control the remote system. Something a lot of users don’t realize is that SSH packs in a number of other useful features. One is the ability to tunnel between your local and remote system.
Tunneling Used As “Poor Man’s VPN”
There are a number of uses for this, such as the “poor man’s VPN”, which lets you encrypt your internet traffic and send it via a remote system using nothing but SSH, or the ability to redirect local ports on your machine to a remote one.
Let’s start with a look at our poor man’s VPN. SSH is capable of creating a secure SOCKS proxy on your local computer that directs traffic pointed at it through the server to which it has been remotely connected. The tunnel can be created using either the SSH client on a Linux or Mac OS computer or using PuTTY on a Windows computer. When using SSH the command to connect is as simple as:
ssh -D 9999 firstname.lastname@example.org
The difference from a normal SSH connection is the use of the -D flag. This is used to denote the creation of a connection with dynamic port forwarding. 9999 is the local port to use for the SOCKS proxy; this can be any port number you like. To achieve the same when setting up the connection in PuTTY, you would create your SSH connection as normal, then on the left-hand side select Connection->SSH->Tunnels. In the section titled “Add new forwarded port:” on the page that appears, enter 9999 in the field for “Source port” and beneath it click the radio button for “Dynamic”. Click Add to save the port forwarding, and then go back to the “Session” section on the left to save the changes.
Server and SOCKS
Once you connect to the server via SSH or PuTTY, the chosen port (in this case 9999) will be open on your local machine to connect to as a SOCKS proxy. Most web browsers, along with many other applications that use a network connection, accept a proxy configuration. You can also change your network configuration to use your SOCKS proxy as the default network connection, which will pass all traffic through to the server. This will allow you to connect to other systems that may only have a local connection to the server to which you have connected. It will also allow you to appear (to other places on the internet) to be originating from the server to which you connected. When configuring the SOCKS proxy in your software you need to select SOCKSv5 as the type of connection, set the host to localhost and set the port to 9999 (or whatever you chose instead).
Specific Port Using -L Flag
Now let’s look at forwarding a specific port. This can be done with the -L flag:
ssh -L 3306:localhost:3306 email@example.com
So let’s break down how this works: The first number after the -L flag is the local port number to use. After the colon is the host and port to forward to from the remote server. Using localhost we’ve indicated that we want to connect to the server itself, and again we’ve specified port 3306. If you’ve used MySQL, then you’ll probably recognize port 3306 as the port used by MySQL server. If you have a server where remote access to MySQL is blocked, then you can use SSH to connect and forward the local MySQL port to the remote server using this command. Next, you use the local MySQL client on your computer to connect to the remote MySQL server through the forwarded port. The same works for other software you may be running on the remote server by changing the ports. Note here that you don’t have to use the same port on your local machine as the remote one; I’ve used it in this instance for clarity. Changing localhost to the IP of another remote machine will have the server forward the inbound traffic to the given port on that IP address, allowing you to jump straight through this server to another.
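As an added example (not part of the original article), the following shell functions assemble the two tunnel commands described above, the -D SOCKS proxy and the -L port forward, after validating the port numbers and host, and bake in the options a careful operator would want: -N so no remote shell is opened for a tunnel-only session, -o ExitOnForwardFailure=yes so the client fails loudly instead of silently running without its forward, and an explicit 127.0.0.1 bind address so the listening port never ends up reachable from other machines. The user@host values and the 10.0.0.5 address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: build ssh tunnel command lines
# with the forward specification validated before anything is executed.

# Validate a TCP port: decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print an ssh command that opens a SOCKSv5 proxy on the loopback interface.
# Usage: socks_cmd LOCAL_PORT USER@HOST
socks_cmd() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    # -N: tunnel only, no remote shell.
    # ExitOnForwardFailure=yes: exit if the local port cannot be bound.
    # 127.0.0.1: keep the proxy off non-loopback interfaces even if
    # GatewayPorts were enabled in the client configuration.
    echo "ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:$1 $2"
}

# Print an ssh command that forwards LOCAL_PORT on this machine to
# REMOTE_HOST:REMOTE_PORT as seen from the ssh server.
# Usage: local_forward_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT USER@HOST
local_forward_cmd() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    valid_port "$3" || { echo "bad remote port: $3" >&2; return 1; }
    # Only hostname or IPv4 characters are accepted for the forward target.
    case "$2" in
        ''|*[!A-Za-z0-9.-]*) echo "bad remote host: $2" >&2; return 1 ;;
    esac
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:$1:$2:$3 $4"
}

# Constructed demo; user@example-host and 10.0.0.5 are placeholders.
if [ "${1:-}" = "--demo" ]; then
    socks_cmd 9999 user@example-host
    local_forward_cmd 3306 localhost 3306 user@example-host
    # Different local port, and a target behind the ssh server.
    local_forward_cmd 13306 10.0.0.5 3306 user@example-host
fi
```

Run the script with --demo to print the three command lines, then paste the one you want into a terminal. Once the session is up, ss -ltn (or netstat -an on systems without ss) should show the chosen port listening on 127.0.0.1 and nothing else; if the tunnel is missing, ExitOnForwardFailure has already made ssh exit rather than leaving you with a session that only looks like it is forwarding.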
While these features of SSH don’t fully replace the use case for a VPN, they do cover a number of the situations in which a VPN might otherwise be used, such as accessing a server cluster where some of the servers have no public internet connection of their own. This potentially allows the cluster to be accessed without the need to create a VPN endpoint.