SSH tunneling/gateway question
-
When I connect with my ssh client to a remote ssh server, is it possible to give the remote ssh server access to LAN resources local to the ssh client? Or at least resources on the actual ssh client?
Note that only the ssh client can connect to the remote ssh server and not the other way around (no outbound traffic allowed).
-
Yes, SSH tunneling makes a VPN that can work in either direction.
-
@scottalanmiller said in SSH tunneling/gateway question:
Yes, SSH tunneling makes a VPN that can work in either direction.
Thanks Scott!
Now that I know it's possible I had a closer look at the ssh client and it lays out two different options;
-
TCP Forwarding (Remote/Local/Dynamic)
The TCP Forwarding option allows you to:
- Forward a local port to a remote port (-L) aka local forwarding
- Forward a remote port to a local port (-R) aka remote forwarding, reverse tunneling
- Proxy (-D) using SOCKS protocol, aka dynamic forwarding
So the forwarding options works from local to remote computer and the other way but not fully LAN to LAN.
The SSH-based VPN option (-w) creates a TUN virtual network interface that you can route to by setting it up in the route table. So this is the LAN to LAN option.
-
-
Can you be a little more specific on what you are trying to accomplish?
Are you just trying to have access to files?
-
@IRJ said in SSH tunneling/gateway question:
Can you be a little more specific on what you are trying to accomplish?
Are you just trying to have access to files?
Kind of. I want to be able to update packages on remote servers that sit behind hardware firewalls that don't allow any outbound traffic.
While it's no problem downloading individual package files over ssh and updating that way, it's a lot of work getting all the dependencies and all the packages transferred and installed in the right order. So I want to let the package manager on the remote servers (apt in this case) access the software repositories on the local LAN (of the ssh client) over the ssh connection.
-
Simplified the plan looks something like this:
In reality there are more firewalls, VPN links and other stuff (think large enterprise network). -
It would have been better to have a package repository located with the remote servers and let that server have outbound access. But this is the way it is right now.
-
What about something like this?
-
@black3dynamite said in SSH tunneling/gateway question:
What about something like this?
That is the local tcp forwarding. I knew that could be done but in this case it's the opposite direction I need, the remote tcp forwarding. It's like putting internet and the proxy on Computer B instead.
-
@Pete-S said in SSH tunneling/gateway question:
@black3dynamite said in SSH tunneling/gateway question:
What about something like this?
That is the local tcp forwarding. I knew that could be done but in this case it's the opposite direction I need, the remote tcp forwarding. It's like putting internet and the proxy on Computer B instead.
I think I have it figured out though. Just need to try it on a couple of test VMs first.
-
@scottalanmiller said in SSH tunneling/gateway question:
Yes, SSH tunneling makes a VPN that can work in either direction.
I never knew you could do this with SSH... Why is this not more commonly done?
-
@dafyre said in SSH tunneling/gateway question:
I never knew you could do this with SSH... Why is this not more commonly done?
It's pretty darn common. It's the most common vendor support VPN tool, for example.
-
@Pete-S said in SSH tunneling/gateway question:
@black3dynamite said in SSH tunneling/gateway question:
What about something like this?
That is the local tcp forwarding. I knew that could be done but in this case it's the opposite direction I need, the remote tcp forwarding. It's like putting internet and the proxy on Computer B instead.
Yeah essentially replace the -L with a -R. It's the same thing.
-
OK, this is what I ended up doing.
I wanted the remote server to have access to a local repository served over http. This works with any kind of traffic over tcp though, as it's not a web proxy but tcp forwarding.
I set up the files and served the website on the ssh client machine with PHPs build-in server. It's easy to use and requires no setup. You just start it in the base directory you want to serve. I used port 8000.
php -S localhost:8000Then access the remove server from the client with the reverse tcp forwarding active.
Basically forwarding port 8000 on the remote host to port 8000 on the local ssh client.ssh -R 8000:localhost:8000 remote_ipBut since I was connecting with a windows machine I used putty instead.
This is how you set up the tcp forwarding:
It seems like you can not only forward one port, but many ports and in whatever direction you want at the same time.
To try that you have things working:
wget localhost:8000In my case I wanted apt package manager to use the forwarded port so I just changed it to use http://localhost:8000 to access the packages.
-
@Pete-S said in SSH tunneling/gateway question:
OK, this is what I ended up doing.
I wanted the remote server to have access to a local repository served over http. This works with any kind of traffic over tcp though, as it's not a web proxy but tcp forwarding.
I set up the files and served the website on the ssh client machine with PHPs build-in server. It's easy to use and requires no setup. You just start it in the base directory you want to serve. I used port 8000.
php -S localhost:8000Then access the remove server from the client with the reverse tcp forwarding active.
Basically forwarding port 8000 on the remote host to port 8000 on the local ssh client.ssh -R 8000:localhost:8000 remote_ipBut since I was connecting with a windows machine I used putty instead.
This is how you set up the tcp forwarding:
It seems like you can not only forward one port, but many ports and in whatever direction you want at the same time.
To try that you have things working:
wget localhost:8000In my case I wanted apt package manager to use the forwarded port so I just changed it to use http://localhost:8000 to access the packages.
Right you can name any number of ports. If you want to do dynamic tunneling you can pass a -D and use the remote host as a SOCKS proxy. Then only define the one port for the proxy in your browser or wherever.
SSH is pretty awesome.
-
using ssh to tunnel rdp is quite handy as well.
