Thursday, April 16, 2009

My PuTTY SSH Tunnel Guide

SSH tunnelling is one of the most useful things you can set up for securely and discreetly accessing your home network. Anything you see below should only be done for your own private educational purposes, or for the small exceptions when you need to get something done that is in line with your job and don't want to wait on someone else to process your exception request.

The idea behind SSH tunnelling is this: you have an SSH server that you can access, and from an SSH client you connect to that server and tunnel traffic through the SSH connection to it. You then bounce from the server to connect to most anything else the server can reach. This is extremely useful for accessing your home network without a true VPN in place. All you need to do is SSH into a system on the other side of your home firewall, and then you can access your home PC securely, without opening it directly to the outside world (for example, port forwarding tcp/3389 to your home PC... baaaad idea).

Personally, I have a hacked Linksys Linux box behind a FreeBSD firewall. The firewall port-forwards the SSH traffic to the Linksys box, where public key SSH authentication takes place, and from there I "bounce off" and am able to access my NAS via SCP and my home PC via RDP (it's Windows; you can do the same with VNC on Linux). My private key is on my encrypted USB thumb drive with a nice passphrase on it... good security is like layers of an onion, right? :-)

Back to the walkthrough... here's an overview of how to set up PuTTY (on Windows) to easily tunnel anything you want.

What will it do?

  • Encrypt ALL traffic that goes through the tunnel, so that all Big Brother will see is SSH traffic between you and the SSH server and nothing else; this gives you plausible deniability if you get caught on a corporate network

  • Give you nearly 100% secure access to your home network: brute force attacks won't work (if you enable public key authentication only), and you protect your private workstation/servers from being directly exposed to attack

  • Remote Desktop, SCP, HTTP and other modern TCP protocols that use fixed (non-dynamic) ports can all be forwarded


What won't it do?

  • FTP: unless your FTP server natively supports running over SSH, this won't work... so don't bother. FTP is not an intelligent protocol (it opens separate data connections on dynamic ports, which a fixed -L forward cannot follow) and is quite old.

  • I've not had much luck forwarding CIFS/SMB shares

  • Hide the number of bytes transferred... if you are streaming video and your traffic use is being watched, they will still see the total amount of traffic... so use this wisely!


What do you need to know beforehand? (i.e. I'm not going to explain these items in detail)

  • How to add port forwards on your firewall

  • How to set up an SSH server with public key authentication (I'll probably write that up at a later time... maybe)


Initial Steps:

  1. First, download PuTTY. While you are at it, download PuTTYgen if you don't already have a valid .ppk file.

  2. If you don't have a .ppk file, open PuTTYgen and hit "Import key" under the Conversions menu, load your private key file, and it will allow you to save a PuTTY .ppk file. (Make sure the .ppk file is saved in the same directory as the PuTTY exe, since the commands below refer to it by bare filename.)

  3. Now, from the command line, run PuTTY with the following syntax (this example will let you browse the web through your tunnel):


Encrypted Web Browsing (circumvent corporate blocks)


putty -ssh -l UserName -D 8080 -i home.ppk SSHServerAddress


  • For "UserName", enter the username you use for public key authentication on your SSH server

  • Instead of home.ppk, enter the name of your .ppk file

  • For SSHServerAddress, enter the IP address you use to reach your SSH server

  • Configure your browser of choice (hopefully Firefox) to use a proxy server at 127.0.0.1 port 8080; -D creates a SOCKS proxy, so set it as a SOCKS proxy, not an HTTP proxy

  • Enjoy your encrypted browsing session :-)


Tunnel SCP traffic:


putty -ssh -l UserName -L 22:192.168.1.100:22 -i home.ppk SSHServerAddress


  • Fill out UserName, home.ppk, and SSHServerAddress as above

  • The -L option (as explained here) takes LocalListeningAddress:LocalListeningPort:IPAddressToConnectTo:PortToConnectTo; the LocalListeningAddress is assumed to be 127.0.0.1 when it is omitted, as it is here

  • The IPAddressToConnectTo is the address the SSH server itself will connect to. This matters: if you are connecting from work to your home file server through your home SSH server, put your home server's PRIVATE IP address, since that is the address your SSH server uses to reach it on the LAN

  • After you connect, open your SCP program and connect to 127.0.0.1 port 22; the connection will go through the SSH tunnel and reach the SCP server


Remote Desktop:


putty -ssh -l UserName -L 127.0.0.2:3390:192.168.1.100:3389 -i home.ppk SSHServerAddress


  • Notice the difference between the "LocalListeningPort" and the "PortToConnectTo". The reason is that, for some reason, since Windows XP SP2 you cannot connect to the local loopback 127.0.0.1 on port 3389. Using the loopback address 127.0.0.2 and local port 3390 works fine, and with the above command you can easily circumvent this issue

  • Have your RDP client connect to 127.0.0.2:3390 (type it just like that on the connect screen)
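The three commands above all hinge on the -D and -L listen specs, and the one thing that turns a private tunnel into a LAN-wide open relay is a listen address other than loopback. This added example (my code, not from the original post or from PuTTY) parses the -L/-D specs of a putty command line, applies PuTTY's default of 127.0.0.1 for an omitted listen address, and flags any listener that is not loopback-only; IPv6 literals and the GUI-saved session forwards are out of scope.

```python
import ipaddress
import shlex


def _is_loopback(addr):
    # 127.0.0.0/8, ::1 and the name "localhost" count as loopback
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # a hostname we cannot classify: treat as suspect
        return False


def parse_forwards(cmdline):
    """Describe each -L (local) and -D (dynamic/SOCKS) forward on a putty
    command line. PuTTY defaults an omitted listen address to 127.0.0.1."""
    args = shlex.split(cmdline)
    forwards = []
    for i, arg in enumerate(args):
        if arg not in ("-L", "-D") or i + 1 >= len(args):
            continue
        spec = args[i + 1].split(":")
        if arg == "-D":  # [listen-addr:]listen-port
            if len(spec) == 1:
                spec = ["127.0.0.1"] + spec
            if len(spec) != 2:
                raise ValueError("bad -D spec: " + args[i + 1])
            listen_addr, listen_port = spec
            target = None
        else:  # [listen-addr:]listen-port:host:port
            if len(spec) == 3:
                spec = ["127.0.0.1"] + spec
            if len(spec) != 4:
                raise ValueError("bad -L spec: " + args[i + 1])
            listen_addr, listen_port, host, port = spec
            target = (host, int(port))
        forwards.append({"kind": "dynamic" if arg == "-D" else "local",
                         "listen": (listen_addr, int(listen_port)),
                         "target": target})
    return forwards


def audit_forwards(forwards):
    """Warn about listeners reachable from beyond this machine: a forward
    bound to a non-loopback address lets anyone on the LAN ride your tunnel
    into the SSH server's network as if they were you."""
    return [f"{f['kind']} forward on {f['listen'][0]}:{f['listen'][1]} is not "
            "loopback-only; bind it to 127.0.0.x instead"
            for f in forwards if not _is_loopback(f["listen"][0])]
```

Run it over the exact command lines from this post before launching them; the 127.0.0.2:3390 RDP trick passes the audit because all of 127.0.0.0/8 is loopback.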

3 comments:

  1. Hi, I found your page when I searched for information on SSH tunnels. The following describes how to set up an SSH tunnel for SMB (i.e. shared folders in Windows).
    Hope it's useful for you.
    http://social.technet.microsoft.com/forums/en-US/itprovistanetworking/thread/d30d3c98-58c5-47f6-b5a5-f5620882020d/

  2. Okay... thanks to theultramage's insight and a bit of experimentation, I may have stumbled upon a workaround. Try this (but create a system restore point, do a backup, and cross your fingers first!):

    1) Go to "Device Manager", select View and enable "Show hidden devices."
    2) Expand "Non-Plug and Play Drivers" and set "Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session)" to start on demand.
    3) Reboot.
    4) Bind port 445 with your application. I used PuTTY and bound my local loopback addresses on ports 139 and 445 to the tunneled IP addresses' ports 139 and 445 on the remote network.
    5) Start the "Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session)" driver.
    6) Browse the remote shares like you used to do before KB942624.
    7) Celebrate! We just found a way around the port forwarding 445 for SMB and SSH problem!


    I tried this on two different Vista machines: One with the KB942624 patch applied and the other with SP1 integrated in. It worked on both. No blue screens or any other quirks that I could see.

    Only problem is that you must bind the port before starting SMB.sys each time you start Windows. You can't stop the device once it's started (or at least I couldn't).

    Again, I didn't come up with this approach on my own. Theultramage's post pointed me in the right direction.

  3. Nice post. I am using FreeNAS as the SSH server, and the port forwarding is even easier: on the router, put the SSH port on and port forward to the client. I used my cellphone to test it out.
