The idea behind SSH Tunneling is, you have a SSH server that you can access, and from a SSH client, you can connect to this SSH server and tunnel traffic through your SSH connection to it. You then bounce from the server to connect to most everything else the server can connect to. This is extremely useful for accessing your home network without a true VPN put in place. All you need to do is SSH into a system on the other side of your home firewall, and then you can access you home PC securely, without opening it directly to the outside world(for example, port forwarding tcp/3389 to your home PC...baaaad idea).
Personally, I have a Linksys-hacked Linux box behind a FreeBSD firewall. The firewall port forwards the SSH traffic to the linksys box, where public key SSH authentication takes place, and from there I "bounce off" and am able to access my NAS via SCP and my home PC via RDP(its windows, you can do the same with VNC on Linux). My Private key is on my encrypted USB thumb drive with a nice passphrase on it....good security is like layers of an onion, right? :-)
Back to the walkthrough...here's an overview of how to setup putty(on windows) to easily tunnel anything you want.
What will it do?
- Encrypt ALL traffic that goes through the tunnel, such that all Big Brother will see is SSH traffic between you and the SSH server, nothing else, this gives you plauible deniability if you get caught on a corporate network
- Give you nearly 100% secure access to your home network, brute force attacks won't work(if you enable public key authentication only) and you protect your private workstation/servers from directly being able to come under attack
- Remote Desktop, SCP, HTTP, other modern TCP, non-dynamic port protocols are all able to be forwarded
What won't it do?
- FTP, unless your FTP server supports SSH redirection natively, this wont work...so don't bother. FTP is not an intelligent protocol and is quite old.
- I've not had much luck forwarding CIFS/SMB shares
- Hide the number of bytes transferred...if you are streaming video and your traffic use is being watched, they will see the total amount of traffic...so use this wisely!
What do you need to know beforehand? (i.e. I'm not going to explain these items in detail)
- How to add port forwards on your firewall
- How to setup a SSH Server with public key authentication(I'll probably write that up at a later time......maybe)
- First, download PuTTY. While you are at it, download puttygen if you dont already have a valid ppk file.
- If you don't have a ppk file, open puttygen and hit "Import Key" under the converstions menu, load your private key file and it will allow you to save a putty ppk file. (make sure the ppk file is saved in the same directory as the putty exe)
- Now from the command line, run putty with the following syntax(this example will allow you to browse the web through your tunnel):
Encrypted Web Browsing(circumvent corporate blocks)
putty -ssh -l UserName -D 8080 -i home.ppk SSHServerAddress
- For "UserName", enter the username you wish to use with your pubkey authentication on your SSH Server
- Instead of home.ppk, enter the name of your ppk file
- For SSHServerAddress, enter the IP Address you use to access your SSH server
- Configure your browser of choice(hopefully firefox) to use a proxy server at 127.0.0.1 port 8080
- Enjoy your encrypted browsing session :-)
Tunnel SCP traffic:
putty -ssh -l UserName -L 22:192.168.1.100:22 -i home.ppk SSHServerAddress
- Fill out UserName, home.ppk, and SSHServerAddress as above
- the -L command( as explained here) is the LocalListeningAddress(assumed here to be 127.0.0.1 since its excluded):LocalListeningPort:IPAddressToConnectTo:PortToConnectTo
- The IPAddressToConnectTo is the IP address that the SSH server will use. This is important because if you are doing this to connect from work to your home file server through your home SSH Server, put your home servers PRIVATE IP Address, as your SSH Server uses the private address if it wants to communicate
- After you connect, open your SCP program and connect to 127.0.0.1 port 22 and it will go through the SSH Tunnel and connect to the SCP server
putty -ssh -l UserName -L 127.0.0.2:3390:192.168.1.100:3389 -i home.ppk SSHServerAddress
- Notice the difference in the "LocalListeningPort" and the "PortToConnectTo" the reason for the difference is that for some reason since Windows XP SP2, you cannot connect to the local lookback of 127.0.0.1 or port 3389. Using the local loopback of 127.0.0.2 and local port of 3390 works fine, and with the above command, you can easily circumvent this issue
- Have your RDP Client connect to 127.0.0.2:3390(type it just like that on the connect screen)