Home » Wiki » SSH Tunneling Client Command & Server Configuration Guide

SSH Tunneling Client Command & Server Configuration Guide

by | SSL Certificate

SSH Tunneling Client Command

A Basic Overview of SSH Tunneling

SSH tunneling is a powerful technology that enables secure connections between networks by tunneling traffic through an encrypted SSH connection. It creates an encrypted tunnel between a local and remote computer and forwards traffic inside that tunnel securely. SSH tunnels provide strong encryption to tunnel unencrypted traffic over untrusted networks. They can be used to bypass firewalls, access network services on the remote network, or encrypt insecure protocols. This guide will provide a comprehensive overview of SSH tunneling along with practical examples of client command and server configuration on Linux/Unix systems.

Key Takeaways

  • SSH tunneling allows encrypted connections between networks to secure otherwise unencrypted traffic.
  • It enables accessing remote network services, bypassing firewalls, and more through an encrypted tunnel.
  • SSH tunnels have local and remote ends connected by an encrypted SSH connection.
  • Common tunneling techniques are local, remote, and dynamic port forwarding.
  • Local port forwarding listens to the local port and forwards it to the remote host/port.
  • Remote port forwarding listens to the remote port and forwards it to the local host/port.
  • Dynamic port forwarding turns SSH client into SOCKS proxy server.
  • SSH tunnels can be created easily from command-line with ssh client commands.
  • Servers need to permit tunneling in sshd_config for successful tunnel creation.

How Does SSH Tunneling Work?

SSH tunneling establishes an encrypted SSH connection between a local and remote host as a secure tunnel. This tunnel can route traffic for other protocols/applications securely between the local and remote networks through the encrypted Connection.

SSH tunneling works by listening on a specified local port and forwarding any traffic received on it to a specified remote host and port through the encrypted SSH tunnel. This allows other protocols, such as HTTP, POP3, IMAP, etc., that are otherwise unencrypted, to be transmitted securely through the tunnel.

Key Aspects of SSH Tunneling

  • Encrypted Connection: The SSH tunnel provides encryption and ensures all data flowing through it is secure.
  • Forwards arbitrary traffic: Almost any TCP/IP protocol/traffic can be forwarded through the tunnel.
  • Listens on local port: The local host listens on a port and captures any traffic sent to it.
  • Forwards to remote: The captured traffic is forwarded through the tunnel to a specified remote host/port.
  • Access remote services: Can provide access to services on remote networks that are not exposed publicly.
  • Bypass firewalls: Tunneling through SSH may avoid restrictive firewalls on the remote network.

There are different techniques for SSH tunneling depending on the direction of traffic flow:

  • Local Port Forwarding: Listens on local port and forwards to remote host/port
  • Remote Port Forwarding: Listens on remote port and forwards to local host/port
  • Dynamic Port Forwarding: Turns SSH client into a SOCKS proxy server

Local Port Forwarding

Local port forwarding is the most common SSH tunneling method. It listens on a local port and forwards any traffic received to a specified remote host and port.

The syntax of the local port forwarding command is:

ssh -L local_port:remote_host:remote_port username@server

This connects to the server as username and creates a tunnel between local_port and remote_host:remote_port through the SSH connection.

For example, to forward any local traffic received on port 2000 to example.com’s port 80 through server:

ssh -L 2000:example.com:80 username@server

Any traffic sent by local applications to localhost:2000 will now reach example.com:80 through the encrypted SSH tunnel.

This can be used to access remote services on a different network through an intermediate SSH server. Traffic sent to local port 2000 is securely forwarded to the example.com website.

Local Forwarding Use Cases

Some common use cases of local port forwarding:

  • Access remote websites: Forward local web traffic to a remote web server.
  • Use remote databases: Access a remote database not directly reachable.
  • Bypass firewalls: Access services blocked by firewalls on the remote network.
  • Protect protocols: Tunnel insecure protocols like POP3 IMAP through SSH.
  • Obfuscate traffic: Mask the source of traffic by forwarding it through the intermediate server.

Remote Port Forwarding

Remote port forwarding is the reverse of local forwarding. It listens on a remote port and forwards any traffic received there to a specified local host and port.

The syntax is:

ssh -R remote_port:local_host:local_port username@server

This makes the server listen to remote_port and forward any traffic received to local_host:local_port.

For example, to forward any traffic received on port 80 of the server to the local machine’s 3000:

ssh -R 80:localhost:3000 username@server

This allows exposing services running on your local machine to external networks through the SSH server. Traffic to the server’s port 80 is forwarded to the local process on port 3000.

Remote Forwarding Use Cases

Some common uses of remote port forwarding:

  • Expose services: Make locally running services accessible externally.
  • Remote administration: Manage networked devices from a central location.
  • Share internet connection: Forward traffic from the remote server to the local internet connection.

Dynamic Port Forwarding

Dynamic port forwarding turns the SSH client into a SOCKS proxy server. It listens on a local port for SOCKS protocol connections and tunnels traffic to remote destinations.

The syntax is:

ssh -D local_port username@server

This sets up a SOCKS proxy on localhost:local_port that forwards any traffic sent to it through the server. SOCKS protocol allows forwarding traffic not only to remote hosts but also to remote subnets or IP ranges.

For example:

ssh -D 3000 username@server

Configuring applications to use the SOCKS host as localhost and port as 3000 will forward their traffic through the encrypted SSH tunnel.

Dynamic forwarding is more flexible than port forwarding as it tunnels all TCP traffic rather than forwarding to a single port.

Dynamic Forwarding Use Cases

Some common uses of dynamic port forwarding:

  • Proxy local applications: Tunnel application traffic like web browsers or messaging clients.
  • Access internal sites: Access intranet sites and applications from outside.
  • Mask traffic source: Hide the source address of traffic by tunneling through SSH.
  • Bypass censorship: Avoid network blocks and censorship by routing through SSH.

Authenticating SSH Tunnels

  • Use key-based authentication instead of password authentication. Generate a public/private key pair and copy the public key to the remote server. This is more secure than using passwords.
  • Configure the SSH daemon on the server to only allow key-based authentication and disable password authentication. This prevents brute force attacks.
  • Use SSH certificates instead of plain public keys if you need to frequently authenticate new clients. Certificates can be issued from a trusted CA and provide expiration dates.
  • Enable 2-factor authentication for SSH if possible. Require users to provide a second factor like a token or biometric in addition to their SSH key to log in.
  • Tunnel SSH over VPN if the SSH traffic would otherwise go over an untrusted network. A VPN provides encryption for the SSH tunnel.
  • Use firewall rules to only allow SSH connections from known IP addresses or subnets to limit access.
  • Monitor for brute force attacks in SSH logs and consider using iptables rules to block abusive IP addresses.
  • Keep SSH server and client software up-to-date to ensure vulnerabilities are patched.

Persistent SSH Tunnels

  • Use autossh to automatically restart tunnels if they drop. Just prefix your ssh command with autossh.
  • Add your tunnel to /etc/autossh/autossh.conf so it starts on boot. The file should contain the autossh command to launch the tunnel.
  • Use SSH keys for authentication instead of passwords so tunnels restart seamlessly without intervention.
  • For tunnels that listen on local ports, use something like iptables to persist the port forwards even if the tunnel drops.
  • Configure the tunnel in SSH config instead of specifying the full ssh command each time. Just refer to the config by name when creating the tunnel.
  • Set up a systemd or init script to launch the tunnels on startup. This is more robust than autossh method.
  • For tunnels accessing web UIs or APIs, set up a reverse proxy like Nginx that can cache responses and retry requests if the tunnel temporarily fails.

How to Configure the SSH Server for Tunneling

The SSH server plays a key role in enabling and restricting clients’ tunneling capabilities. Tunneling must be explicitly permitted through the sshd_config file.

Enable Tunneling

Tunneling is disabled by default for security. The following options in sshd_config allow client tunneling:

AllowTcpForwarding yes
GatewayPorts yes

This permits incoming TCP connections and port forwarding requests from authenticated SSH clients.

Restrict Access

Access can be limited only to specific clients or IP ranges:

AllowTcpForwarding no
AllowTcpForwarding 192.168.1.0/24
AllowTcpForwarding xyz@client1.com

This enables forwarding only for clients in the 192.168.1.0/24 subnet and user xyz@client1.com

Permit Specific Ports

Authorize tunnels only to certain destinations:

PermitOpen 10.2.0.1:80
PermitOpen 10.2.0.1:443

This allows tunnels only to ports 80 and 443 on host 10.2.0.1.

Disable Root Login

Prevent root login for increased security:

PermitRootLogin no

Regular user accounts should be used for tunneling instead of root.

Properly configuring the SSH daemon prevents tunneling abuse while providing select access to legitimate clients. Mandatory access controls, user permissions, and network rules give more protection.

SSH Tunnels from Windows

SSH tunnels can also be created from Windows using tools like PuTTY.

Local forwarding with PuTTY:

  • Launch PuTTY and configure the session to connect to the remote server.
  • Go to Connection> SSH > Tunnels.
  • In the Source port field, enter the local port to listen on.
  • In Destination, enter the remote hostname/IP and port to forward to.
  • Click Add to add the tunnel.
  • Save the session and connect to create the forwarded Connection.

Persistent tunnels with PuTTY:

  • Go to Connection> SSH > Tunnels
  • Select Local or Remote under the Connection type.
  • Enter Source port and Destination details.
  • Check the ‘Auto’ box to keep the tunnel active in the background.
  • Save the session and connect to create a persistent background tunnel.

Common SSH Tunneling Problems

Some common issues faced when establishing SSH tunnels:

  • Permission denied: The server is not allowing TCP forwarding in sshd_config or is blocked by firewall rules.
  • Connection refused: Remote port or service not available. Remote firewall blocking access.
  • Timeout errors: Network issues between server and Destination. Firewalls blocking traffic.
  • Protocol errors: Incorrect tunnel configuration. Wrong port or unreachable Destination.
  • Tunnel hangs: Authentication issues on the server. Key or password problems.
  • Unstable tunnels: Network instability between hops. Changing routes, IP addresses, etc.

SSH Tunneling Security Best Practices

Some tips to securely use SSH tunnels:

  • Utilize strong keys: Use robust RSA, ED25519 keys instead of weak keys like 1024-bit RSA.
  • Enable key-based authentication: Avoid using password logins to establish tunnels.
  • Restrict access: Limit source IP ranges allowed to connect to SSH server.
  • Enable logging: Log tunnel connections and forwarded traffic for auditing.
  • Rotate credentials: Periodically rotate passwords and private keys.
  • Limit privileges: Tunneling users should have minimal required server privileges.
  • Disable root login: Do not permit root SSH logins to create tunnels.
  • Utilize firewalls: Allow only necessary access and traffic through the tunnel.
  • Check processes: Monitor and kill unauthorized background tunnels.

Final Words

SSH tunneling is a powerful tool for securing connections and accessing remote resources. This guide covered the key concepts of SSH tunnels, including port forwarding, dynamic port forwarding, and reverse tunnels.

Both command line and graphical client tools were explored for establishing tunnels, along with configuring the SSH server for optimal tunneling support. Whether accessing a remote database, securing web traffic, or bypassing restrictive networks, SSH tunneling enables secure encrypted connections.

Following the procedures and recommendations in this guide will allow setting up effective SSH tunnels for a variety of use cases. With proper configuration and an understanding of the core principles, SSH tunneling can enable secure remote access and data transmission.

Frequently Asked Questions

What protocols can be tunneled through SSH?

Almost any TCP/IP-based protocol can be forwarded through an SSH tunnel. Common examples include HTTP, SMTP, POP3, IMAP, FTP, etc. UDP and non-IP protocols can generally not be tunneled.

Is an SSH tunnel secure?

Yes, SSH tunnels are considered very secure as all traffic flowing through them is encrypted. Encryption protects sensitive data as it travels through external or untrusted networks.

Do both sides need SSH access?

No, only the client side needs SSH access to the server to initiate the tunnel. The remote resource does not require any SSH software installed.

Can SSH tunnels bypass firewalls?

Yes, tunnels often allow bypassing firewalls as the encrypted SSH traffic appears innocuous to firewall rules meant for other protocols. Traffic forwarded through SSH may not be recognized or blocked.

Are SSH tunnels slow?

SSH tunnels add some overhead and latency but have minimal impact on performance in most use cases. For high-throughput needs, performance testing tunnels before deployment is recommended.

Can I SSH tunnel through multiple hops?

Yes, tunnels can be chained through multiple SSH servers to construct multi-hop tunnels for added security and flexibility. Traffic is decrypted and re-encrypted at each hop as it flows through the tunnel.

Priya Mervana

Priya Mervana

Verified Badge Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.