SSH Tunneling

Configure SSH Tunnel (Port Forwarding) on macOS, Linux and Windows using OpenSSH. In this example, I will show how to tunnel RDP connection traffic over OpenSSH.


SSH is the base tool for any nerd, and SSH tunneling is a great way of bypassing firewalls, connecting to a work computer from home or to a home computer from work.

You will also see how dangerous this is — hacking is made easy. ⚠️

I hope you will start to see why all devices on your local networks need to have their firewalls on and also run other things like fail2ban.

As we run servers, we usually have OpenSSH installed already.

Local Port Forwarding

As this is an SSH Tunneling post, we call it by its other name, Local Tunneling.

Problem statement

My first use case, when I started homelabbing, was that I wanted to reach my home PC, which ran Windows at the time, over Remote Desktop. Our IT department had closed that port, 3389. Probably a really common scenario.

The solution

Using a Local SSH Tunnel on the office PC,

ssh -L 8081:192.0.2.200:3389 [email protected]

When you see [email protected]'s password: enter the password for your home PC

Now you can open the Remote Desktop Connection and type localhost:8081 as the Computer and you are in. You might need to check for an open port.

This way, the traffic leaves your office PC on port 8081 and arrives on port 3389 at home.
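To make concrete what the -L option does on the office PC, here is an added example (not from the original post and not OpenSSH's own code): a plain TCP relay in Python that listens on a local port and copies bytes to a target, which is the plumbing ssh performs at each end of a tunnel, minus the encrypted SSH channel in between. The echo server, the function names start_forwarder and round_trip, and the payload are constructed for the demonstration.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src signals EOF, then pass the EOF on to dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target):
    """One accepted connection: connect to the target and pump both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def _listen(bind_address, port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_address, port))
    srv.listen(16)
    return srv


def _serve(srv, handler):
    """Accept on srv until it is closed; every connection runs handler on its own thread."""
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv


def start_forwarder(listen_port, target_host, target_port, bind_address="127.0.0.1"):
    """The client-side half of ssh -L listen_port:target_host:target_port (without the SSH
    channel): listen on bind_address:listen_port and relay each connection to the target.
    bind_address defaults to loopback like ssh -L does; binding 0.0.0.0 would expose the
    tunnel to other hosts, which is what GatewayPorts yes permits on the server side.
    Returns the listening socket; getsockname() gives the real port when listen_port is 0."""
    srv = _listen(bind_address, listen_port)
    return _serve(srv, lambda conn: _relay(conn, (target_host, target_port)))


def _echo(conn):
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            conn.sendall(chunk)


def start_echo_server():
    """Constructed stand-in for the service behind the tunnel (port 3389 in the post)."""
    return _serve(_listen("127.0.0.1", 0), _echo)


def round_trip(payload=b"hello through the tunnel"):
    """Send payload into the forwarder's local port and return what the far end sent back."""
    echo = start_echo_server()
    fwd = start_forwarder(0, "127.0.0.1", echo.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.getsockname()[1]), timeout=5) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)  # our EOF travels through the relay to the echo server
            out = b""
            while chunk := s.recv(4096):
                out += chunk
        return out
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(round_trip())
```

The bind_address parameter is the detail worth noticing: the listener sits on 127.0.0.1, so only programs on the same machine can use the tunnel. That is the same distinction GatewayPorts draws for remote forwards later in the post.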

Dynamic Port Forwarding

Also called Dynamic Tunneling.

Problem statement

Your company blocks sites you need access to. We had this problem because of the low-level people maintaining the block lists, mostly foreign high school kids and personnel in ultra-low-cost countries.

Solution

Use your home PC to do the browsing to these sites, through a dynamic tunnel.

ssh -D 8081 [email protected]

When you see [email protected]'s password: enter the password for your home PC

Then go to your browser's proxy settings and look for Internet Properties → LAN settings → Proxy Server/Proxy Settings; there, set the proxy server to be Socks: localhost and Port: 8081.

With these settings, your browsing is subject to the block list on your home PC instead of the company's.

Browsing will be a little slower due to some latency.
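The proxy setting works because -D makes the ssh client a SOCKS server on localhost:8081: the browser tells it, per connection, where to connect, and the far end of the tunnel makes that connection. As an added example (not part of the post and not OpenSSH's code), here is a Python parser for the SOCKS5 greeting and CONNECT request the browser sends, plus the reply the proxy answers with. The sample byte strings are constructed for the demonstration.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_SUCCEEDED, REP_COMMAND_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0, 7, 8


def parse_greeting(data):
    """Client greeting (RFC 1928): VER | NMETHODS | METHODS. Returns the offered auth methods."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if len(data) < 2 + n:
        raise ValueError("truncated method list")
    return list(data[2:2 + n])


def parse_connect(data):
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. Returns (host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here (reply code %d)" % REP_COMMAND_NOT_SUPPORTED)
    atyp = data[3]
    if atyp == ATYP_IPV4:
        addr, end = data[4:8], 8
        if len(addr) != 4:
            raise ValueError("truncated IPv4 address")
        host = str(ipaddress.IPv4Address(bytes(addr)))
    elif atyp == ATYP_DOMAIN:
        # Domain form: the name is resolved at the far end of the tunnel, not by the browser.
        if len(data) < 5:
            raise ValueError("truncated domain length")
        length = data[4]
        addr, end = data[5:5 + length], 5 + length
        if len(addr) != length:
            raise ValueError("truncated domain name")
        host = addr.decode("ascii")
    elif atyp == ATYP_IPV6:
        addr, end = data[4:20], 20
        if len(addr) != 16:
            raise ValueError("truncated IPv6 address")
        host = str(ipaddress.IPv6Address(bytes(addr)))
    else:
        raise ValueError("unsupported address type %d (reply code %d)" % (atyp, REP_ATYP_NOT_SUPPORTED))
    if len(data) < end + 2:
        raise ValueError("truncated port")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return host, port


def build_reply(rep=REP_SUCCEEDED, bind_host="0.0.0.0", bind_port=0):
    """Server reply: VER | REP | RSV | ATYP=IPv4 | BND.ADDR | BND.PORT."""
    return (bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_host).packed + struct.pack("!H", bind_port))


# Constructed samples: what a browser pointed at "Socks: localhost, Port: 8081" sends for a
# site given by name and for a host given by address.
SAMPLE_GREETING = b"\x05\x01\x00"                                   # version 5, one method: no auth
SAMPLE_CONNECT_DOMAIN = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"  # CONNECT example.com:443
SAMPLE_CONNECT_IPV4 = b"\x05\x01\x00\x01\xc0\x00\x02\xc8\x0d\x3d"   # CONNECT 192.0.2.200:3389

if __name__ == "__main__":
    print(parse_greeting(SAMPLE_GREETING))
    print(parse_connect(SAMPLE_CONNECT_DOMAIN))
    print(parse_connect(SAMPLE_CONNECT_IPV4))
```

Whether the browser sends the hostname (address type 3) or an address it resolved itself depends on the browser's proxy settings; only in the hostname case does DNS resolution also happen at the home end, which matters if the company block list works at the DNS level.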

Reverse SSH Tunneling

Also called Remote TCP Forwarding or Reverse SSH. This is how to allow a local computer to access a server or your PC at the office.

Now we get to the scary stuff.

😨 If you think how easy it is. If you just get access for a few seconds, you can take over any network. 😱
Remember to keep your machine secure! ⚠️

Problem statement

You would like to access your work PC from home, and you can be pretty sure your company doesn't want you to. Usually, any user who needs to access the resources while on the road has a laptop and a VPN set up by default. The use of anything other than laptops is not the norm anymore. That said, there are instances where desktops will be needed long into the future.

Solution

Before you leave the office, open the tunnel

ssh -R 8081:localhost:3389 [email protected]

When you see [email protected]'s password: enter the password for your home PC

At home, you can open the Remote Desktop Client and type localhost:8081 and connect.

Remote access to local Intranet

You want an external machine 192.0.2.100 to access a local Intranet (it's not accessible from Internet). Create the reverse tunnel by:

ssh -R 8080:intranet:80 [email protected]

To access the Intranet website from the remote SSH server, use the address http://localhost:8080 in a browser.

Opening Backdoors into the Enterprise

Remote SSH port forwarding is commonly used by employees to open backdoors into the enterprise. You can get a free-tier server from Amazon AWS, for this.

  • Log in from the office to that AWS server
  • Specify remote forwarding from a port on the server to some server/application on the enterprise network.
  • Multiple remote forwards can be specified to allow access to more than one server/application.

You also set GatewayPorts yes on the server (most users don't have fixed IP addresses at home, so you can't restrict the IP address).

E.g., open access to an internal Service on port 1323 and an internal SSH port 222.

ssh -R 222:d76767.my.example.com:22 -R 1323:server3.my.example.com:1323 aws.mydomain.net

Prevent Tunneling to bypass Firewalls

Port forwarding needs to be disabled when not needed. ⚠️
Leaving port forwarding enabled can expose your network and all units on it to security risks and backdoors.

For example, if a server allows port forwarding, that forwarding might be used to gain access to the internal network from the Web.

The problem

Port forwarding can in practice only be prevented by a server or firewall.
You can't control all servers on the Internet.
Firewall-based control can also be tricky if you have servers running in cloud services, and those servers are usually accessed using SSH.

With SSH tunnels, you can create port forwarding chains. You can enable or disable SSH tunneling in the OpenSSH server configuration file (sshd_config) using these directives:

AllowStreamLocalForwarding yes
AllowTcpForwarding remote
PermitTunnel no
Some of these configuration options might not be available in your OpenSSH version, like in the current version of OpenSSH for Windows.
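These directives are easy to misread: the snippet as shown still permits reverse tunnels, because AllowTcpForwarding remote allows -R, and AllowStreamLocalForwarding yes allows Unix-domain socket forwarding. As an added example (not from the post and not an OpenSSH tool), here is a small Python audit that parses an sshd_config, fills in the server defaults and lists what forwarding the file still permits, Match blocks included. The sample configurations, the function names and the tunnel-users group are constructed.

```python
# Directives from sshd_config(5) that govern forwarding, with OpenSSH's default values.
FORWARDING_DEFAULTS = {
    "allowtcpforwarding": "yes",          # yes/all | no | local | remote
    "allowstreamlocalforwarding": "yes",  # same values, for Unix-domain socket forwarding
    "gatewayports": "no",                 # no | yes | clientspecified
    "permittunnel": "no",                 # no | yes | point-to-point | ethernet
}


def parse_sshd_config(text):
    """Return (global_values, match_blocks) for the forwarding directives only.

    Keywords are case-insensitive and may be written "Key value", "Key=value" or
    "Key = value". In the global section the first occurrence of a keyword wins, as in
    sshd(8). Directives under a Match line are collected per block, since they override
    the global value for connections that satisfy the Match criteria."""
    global_values, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            key, value = parts[0].split("=", 1)
        else:
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key, value = key.lower(), value.lstrip("= ").strip().lower()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        elif key in FORWARDING_DEFAULTS:
            target = global_values if current is None else current
            target.setdefault(key, value)
    return global_values, match_blocks


def effective_forwarding(text):
    """Global effective value of each forwarding directive, defaults filled in."""
    global_values, _ = parse_sshd_config(text)
    return {k: global_values.get(k, d) for k, d in FORWARDING_DEFAULTS.items()}


def audit_forwarding(text):
    """List what the configuration still permits; an empty list means all forwarding is off."""
    eff = effective_forwarding(text)
    _, blocks = parse_sshd_config(text)
    findings = []
    tcp = eff["allowtcpforwarding"]
    if tcp in ("yes", "all"):
        findings.append("AllowTcpForwarding %s: clients may open -L/-D and -R tunnels" % tcp)
    elif tcp == "remote":
        findings.append("AllowTcpForwarding remote: clients may open reverse (-R) tunnels")
    elif tcp == "local":
        findings.append("AllowTcpForwarding local: clients may open -L/-D tunnels via this host")
    if eff["gatewayports"] != "no":
        findings.append("GatewayPorts %s: remote-forwarded ports are reachable from other hosts"
                        % eff["gatewayports"])
    if eff["permittunnel"] != "no":
        findings.append("PermitTunnel %s: tun(4) device forwarding is allowed" % eff["permittunnel"])
    if eff["allowstreamlocalforwarding"] != "no":
        findings.append("AllowStreamLocalForwarding %s: Unix-domain socket forwarding is allowed"
                        % eff["allowstreamlocalforwarding"])
    for criteria, values in blocks:
        for key, value in values.items():
            if value != "no":
                findings.append("Match %s: %s %s overrides the global setting" % (criteria, key, value))
    return findings


# Constructed samples: the post's snippet as written, and a locked-down variant.
POST_SNIPPET = """
AllowStreamLocalForwarding yes
AllowTcpForwarding remote
PermitTunnel no
"""

LOCKED_DOWN = """
# Turn off every kind of forwarding; re-enable per group below if a use case needs it.
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
"""

WITH_EXCEPTION = LOCKED_DOWN + """
Match Group tunnel-users
    AllowTcpForwarding local
"""

if __name__ == "__main__":
    for name, cfg in (("post snippet", POST_SNIPPET), ("locked down", LOCKED_DOWN),
                      ("with exception", WITH_EXCEPTION)):
        print(name, audit_forwarding(cfg) or ["no forwarding permitted"])
```

On a real server, compare the result with sshd -T, which prints the effective configuration with all defaults resolved, and with sshd -T -C user=...,host=...,addr=... to see which Match blocks apply to a given connection.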

Final words

I use WireGuard for my basic needs to connect into my network while travelling.

  • The port to use is any random port that is left open.
  • I just happened to use port 8081 for these examples.
  • You might need to check for an open port.
  • You might need to configure the SSH config file before you get it to work.
  • Allowing port forwarding is dangerous ⚠️ — but sometimes you have to

References

SSH [1]

  1. OpenSSH Manual Pages, Security page, homepage