SSH tunnels

SSH tunneling establishes a secure communication channel between the local workstation and a remote server. This article explains how SSH tunnels are created, what they are useful for in system administration, and why the security of the Internet connection must be kept in mind.

Any important data should be transmitted via secure information channels. But this is not always easy to implement, especially when the user needs to perform urgent operations on a remote server, and it is possible to connect to the Internet only through public unsecured Wi-Fi. In this case, SSH tunneling is used, which establishes a secure communication channel between the local work node and the remote server. With it, you can not only transfer or edit files remotely, but also run GUI applications, make backups, transfer passwords, and even organize streaming.

How SSH tunnels work

Creation, conditions of use and benefits for sysadmins

Everyone knows the situation where urgent access to a home computer or an internal corporate network is needed. Unfortunately, the quality and security of public networks often leave much to be desired, and important information is better not sent over them. In addition, third-party software (TeamViewer and the like) is often required to organize such access. For system administration there is a way to use public networks and still create a secure connection to the required nodes without resorting to a VPN: SSH tunneling.

SSH (Secure Shell) is a network protocol used for remote control of an operating system and for proxying TCP connections. It encrypts all traffic, including passwords and other data that matter for corporate security. SSH servers exist for most network operating systems on the market.

You can connect to almost any server using this protocol, and so-called SSH tunnels can be used to establish a secure connection. Strictly speaking, though, these are not the tunnels usually meant in system administration. The name "SSH tunnel" arose among sysadmins as a short designation for the technology actually in use, SSH port forwarding. It combines several features of the SSH protocol at once: the transport of TCP connections and the rewriting of addresses (the IP header) as data passes through, according to a predefined forwarding rule.

The main difference between SSH tunnels and their VPN counterparts is that traffic is not forwarded in arbitrary directions. Such a channel has a single entry point and works exclusively with TCP connections. Creating an SSH tunnel is therefore closer to port forwarding on top of the protocol than to tunneling in the pure sense.
How to create an SSH tunnel and configure its parameters

To authenticate the user, a key pair is required: the public key is placed on the server, and the private key is generated and stored on the user's computer.

Create SSH keys

It takes several minutes to create a key and establish a connection with a remote server.
Creating an SSH key in Linux (Ubuntu)/macOS. Step-by-step instructions:

1. To create a key, enter the following command:

ssh-keygen -t rsa

2. After entering the command, a dialog will appear on the control console screen:

Enter file in which to save the key (/home/user/.ssh/id_rsa):

3. To further protect the connection, the system will prompt the user to come up with and enter a special code word (phrase).

Enter passphrase (empty for no passphrase):

4. Step 3 can be skipped by pressing Enter; answer the confirmation prompt that follows in the same way.

5. Once both keys (public and private) have been generated, you can proceed to establish the SSH connection. The console shows:

Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
476:b2:a8:7f:08:b4:c0:af:81:25:7e:21:48:01:0e:98 user@localhost

The key’s randomart image is:

+---[RSA 2048]----+
| ..o o |
| .. * * = . |
| . o O o B .|
| . . + = = o |
| oo S o = . .|
| .. B . = . . |
| . B o = ..|
| . .o.o.. o .. .|
| .oooE o. |
+----[SHA256]-----+

6. At the next stage, you need to enter a command in the terminal that will show the public key:

cat ~/.ssh/id_rsa.pub

7. The public key must be entered in the control panel. Check carefully that it was entered correctly.

8. The last stage remains. To create an SSH tunnel to a remote server, just run one command:

ssh root@HOST

The HOST parameter is the public IP address of the server.

No additional passwords need to be entered. When using a Selectel server, you can also use your own bash script for quick configuration.

Windows 10 users can create an SSH tunnel in the MinGW64 environment (a Unix-like shell for Windows).
The instructions for Windows 10 look similar:

1. To generate a key pair, use the command:

ssh-keygen -t rsa

2. It is advisable to protect the private key with a password (or press Enter if it is not needed):

3. Keys generated:

4. The public key is stored in the file ~/.ssh/id_rsa.pub. The private key is located in the id_rsa file and must be kept secret:

5. To view the contents of the public key, use the command:

cat ~/.ssh/id_rsa.pub

6. This key (the entire line starting with ssh-rsa) must be inserted in the Selectel control panel, in the Operating System / SSH key field of the selected server. When installing the OS, it will be copied to the .ssh/authorized_keys file. When you change the key in the Selectel control panel, the current OS image will be recreated, and the data on the server will be lost.

7. To connect to the server via SSH, use the command:

ssh root@HOST (HOST is the public IP address of your server and will differ from server to server).

8. When you connect for the first time, the ssh utility reports an unknown host and asks whether you trust it. If the answer is yes (it should be, once the fingerprint shown has been checked against the one the server's owner provides), the server's IP address and its host public key are added to the ~/.ssh/known_hosts file on the local machine:
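The fingerprint printed in step 5 of the Linux instructions and the known_hosts check in step 8 are both computed over the same public key blob. The following Python example, added here and not part of the original article, shows how that blob is encoded and fingerprinted (the SHA256 form that current ssh-keygen prints, and the legacy colon-separated MD5 form) and how a presented host key is compared with a recorded entry before the unknown-host prompt is answered. The RSA public numbers, the host address 203.0.113.10 and all function names are constructed for the example.

```python
import base64
import hashlib
import struct

# Constructed sample RSA public numbers (not a real key): the usual exponent and
# an arbitrary 960-bit modulus; nothing here should be used for actual keys.
SAMPLE_E = 65537
SAMPLE_N = int("c0ffee" * 40, 16)


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian bytes, prefixed with 0x00 if the top bit is set."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(buf: bytes, pos: int):
    """Read one SSH 'string' at pos; returns (bytes, next position)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def encode_rsa_public_key(e: int, n: int, comment: str = "user@localhost") -> str:
    """Build the line ssh-keygen writes to id_rsa.pub: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def decode_key_line(line: str):
    """Return (key_type, blob) from a public-key line or a known_hosts entry.
    A known_hosts entry carries the host name (or a hashed host) as its first field."""
    fields = line.split()
    if fields[0].startswith(("ssh-", "ecdsa-")):
        key_type, b64 = fields[0], fields[1]
    else:
        key_type, b64 = fields[1], fields[2]
    return key_type, base64.b64decode(b64)


def decode_rsa_blob(blob: bytes):
    """Parse an ssh-rsa blob back into (e, n); other key types raise ValueError."""
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as ssh-keygen -lf prints it by default: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 form (ssh-keygen -E md5 -lf), as shown in step 5."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def host_key_matches(known_hosts_line: str, presented_key_line: str) -> bool:
    """The comparison to make before answering 'yes' at the unknown-host prompt:
    the key the server presents must equal the one recorded or obtained out of band."""
    _, recorded = decode_key_line(known_hosts_line)
    _, presented = decode_key_line(presented_key_line)
    return recorded == presented


if __name__ == "__main__":
    line = encode_rsa_public_key(SAMPLE_E, SAMPLE_N)
    _, blob = decode_key_line(line)
    print(line)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
```

For a real key, ssh-keygen -lf on id_rsa.pub or on the relevant known_hosts line gives the same fingerprint these functions compute; compare it with what the server's owner publishes before trusting the host.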

9. If a password was set earlier when generating a key pair, the SSH utility will ask you to enter it:

10. After entering the password and pressing Enter, an encrypted connection to the server is established:

Another use of this type of connection is carrying the RDP protocol through the tunnel. This suits the case where the user cannot reach the target node directly from the network but does have access to the router, which is enough for this kind of tunneling.

The parameters of the channel are set by the party that initiates the connection; the target server is always at the far end. So the client may be a VPS, and the exit point the sysadmin's computer. The entry point can be created on either side of the tunnel: it is where connections are accepted. The other side, the exit point, only routes traffic according to the configured rules. A separate option is connecting to a remote machine running Docker (SSH Docker); we will cover it in a later publication.

The connection to a specific server proceeds in the same way. As an example, take a target server with the address 192.168.0.105, while only the router (192.168.0.1) is reachable by the user. The entry point is 127.0.0.1:3389. In addition, a translation rule defines the node that receives data at the exit of the SSH tunnel; here it is 192.168.0.105:3389. Make sure the specified address really exists, otherwise the connection to the target server will fail.

Once these parameters are set, the SSH client creates a local TCP socket that listens for connections to port 3389 on localhost (127.0.0.1). Note that the RDP client knows nothing about the real recipient of the packet: it simply opens a dynamic port and sends a packet whose destination is the entry point and whose source is 127.0.0.1:61256.

The packet travels from the tunnel's entry point to its far end, where the destination address is rewritten to 192.168.0.105:3389; the SSH server then substitutes its own address as the source. Everything inside the channel is carried over SSH and is encrypted, while the RDP client deals only with a local socket. Note, however, that the connection between the SSH server and the RDP server is an ordinary, unencrypted one; keep this in mind when working with insecure protocols.
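As an added illustration, not code from the article, here is a minimal local port forwarder in Python that reproduces the mechanics just described: a listening entry-point socket on 127.0.0.1, a translation rule naming the node behind it, and a client that only ever talks to the local socket. An echo service stands in for the RDP server, and the relay itself is not encrypted, since the point is the socket flow rather than the SSH transport. All names, the loopback addresses and the sample payload are constructed for the example.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(bind_host: str, bind_port: int) -> socket.socket:
    """Open a listening TCP socket; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, bind_port))
    srv.listen(5)
    return srv


def stop_listener(srv: socket.socket) -> None:
    """Wake a thread blocked in accept() and release the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def start_forwarder(rule, bind_host: str = "127.0.0.1", bind_port: int = 0) -> socket.socket:
    """Tunnel entry point: listen on bind_host:bind_port and relay every accepted
    connection to rule = (host, port), the 'translation rule' of the text.
    127.0.0.1 is what plain ssh -L binds to; 0.0.0.0 corresponds to adding -g."""
    entry = _listen(bind_host, bind_port)

    def accept_loop():
        while True:
            try:
                client, _ = entry.accept()
            except OSError:            # listener closed: stop serving
                return
            try:
                upstream = socket.create_connection(rule, timeout=5)
            except OSError:            # rule names a host/port that does not answer
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return entry


def start_echo_target() -> socket.socket:
    """Stand-in for the service behind the tunnel (RDP on 192.168.0.105:3389 in the
    text): reads a request up to EOF and answers with the same bytes upper-cased."""
    target = _listen("127.0.0.1", 0)

    def serve():
        while True:
            try:
                conn, _ = target.accept()
            except OSError:
                return
            with conn:
                chunks = []
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
                conn.sendall(b"".join(chunks).upper())

    threading.Thread(target=serve, daemon=True).start()
    return target


def send_through_tunnel(entry_port: int, payload: bytes) -> bytes:
    """What the RDP client does: it only ever talks to the local entry point."""
    with socket.create_connection(("127.0.0.1", entry_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)      # end of request; now read the reply
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(payload: bytes = b"hello from the rdp client"):
    """Wire target -> rule -> entry point, push one payload through, and return
    the reply together with the address the entry point was bound to."""
    target = start_echo_target()
    entry = start_forwarder(("127.0.0.1", target.getsockname()[1]))
    try:
        reply = send_through_tunnel(entry.getsockname()[1], payload)
        return reply, entry.getsockname()[0]
    finally:
        stop_listener(entry)
        stop_listener(target)


if __name__ == "__main__":
    print(demo())
```

The bind_host parameter is the part worth attention: the default keeps the entry point on loopback, exactly as ssh -L does, so only processes on the same machine can use it; passing 0.0.0.0 is the equivalent of -g and exposes the entry point to every host that can reach the interface.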

SSH Proxy: how to organize access to any system (accessing the proxied server)

With an SSH tunnel you can work inside your home (or corporate) network even over untrusted free Wi-Fi. To do so, start an SSH proxy and then create a tunnel to the target network on the same principle (for example, to your home network).

The applications the connection initiator needs must support SOCKS proxying. Through the tunnel, the network's services become available for remote work. Alternatively, the user can reach the Internet through the home connection while sitting on the other side of the world on a public network. All traffic passing through the tunnel is encrypted.

This is not the only practical use of SSH tunneling. One of the most popular cases, SSH Proxy, opens access to the desired system whenever it is reachable from the remote server. Tunneling through a proxy server takes a single command:

localhost:~$ ssh -D 8888 user@remoteserver

localhost:~$ netstat -pan | grep 8888
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 23880/ssh

The output above shows that a SOCKS proxy is running on port 8888: the TCP port is in LISTEN state and bound only to localhost (127.0.0.1). A small change to the command makes it listen on all interfaces (Ethernet, Wi-Fi and so on), so that applications on other machines can also connect to the proxy:

localhost:~$ ssh -D 0.0.0.0:8888 user@remoteserver

Settings are required for the browser to work correctly. For example, to run Chrome with an activated SOCKS proxy, you will need the command:

localhost:~$ google-chrome --proxy-server="socks5://192.168.1.10:8888"

Chrome then sends its traffic through the SOCKS proxy, and DNS requests are tunneled as well (with a socks5:// proxy the browser hands host names to the proxy instead of resolving them locally). Run tcpdump on the local interface to confirm that no DNS queries are visible.

Besides browsers, many modern applications work with a SOCKS proxy: it is enough to change their settings. For applications without such support there are helper tools; proxychains, for example, lets you push the Microsoft RDP client through the SOCKS proxy.
Why do we need dynamic SSH tunnels

The dynamic SSH tunnel differs from the connection types discussed above. It opens a local TCP socket for use as a SOCKS4/SOCKS5 proxy. It is usually used when a VPN is required, and its deployment is impossible. This type of SSH tunnel also meets the necessary security requirements.

A dynamic tunnel is also convenient for one-off Internet access:

ssh -D 1080 user@remoteserver

The SOCKS proxy works via port 1080.

Also, a dynamic tunnel does not require opening any additional ports to the outside. All traffic passes solely through the SSH connection, which hides the nature of the user's Internet activity from the local network.
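The SOCKS support that applications need in order to use a dynamic tunnel (ssh -D) amounts to a short exchange defined in RFC 1928. The Python below, added here rather than taken from the article, builds and parses the two client messages (greeting and CONNECT request) and the two proxy replies, and shows why DNS goes through the tunnel: a host name is sent to the proxy as a domain-name address instead of being resolved locally. Constants, function names and the sample addresses are constructed for the example.

```python
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def client_greeting() -> bytes:
    """Version 5, one authentication method offered: none (what ssh -D accepts)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def server_method_choice(greeting: bytes) -> bytes:
    """Proxy side of the greeting: pick 'no auth' if offered, otherwise reject with 0xFF."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("bad SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    return bytes([SOCKS_VERSION, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request. A literal IPv4/IPv6 address is sent as such; any other
    host is sent as a domain name, so the proxy (the far end of the tunnel) resolves it."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("host name too long for SOCKS5")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


def parse_request(req: bytes):
    """Proxy-side parse of a request: returns (command, host, port); malformed input raises."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("bad SOCKS5 request header")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, req[4:8]), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, req[4:20]), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        name, rest = req[5:5 + n], req[5 + n:]
        if len(name) != n:
            raise ValueError("truncated domain name")
        host = name.decode("idna")
    else:
        raise ValueError("unsupported address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack(">H", rest)[0]


def reply(code: int, bound_host: str = "0.0.0.0", bound_port: int = 0) -> bytes:
    """Proxy reply: status code plus the address and port the proxy bound for the connection."""
    return (bytes([SOCKS_VERSION, code, 0x00, ATYP_IPV4])
            + socket.inet_pton(socket.AF_INET, bound_host) + struct.pack(">H", bound_port))


def parse_reply(rep: bytes) -> str:
    """Client side: turn the reply code into text."""
    if len(rep) < 4 or rep[0] != SOCKS_VERSION:
        raise ValueError("bad SOCKS5 reply")
    return REPLY_TEXT.get(rep[1], "unknown reply code %d" % rep[1])


if __name__ == "__main__":
    # Walk through the exchange for a constructed target behind the proxy.
    print(server_method_choice(client_greeting()).hex())
    req = connect_request("intranet.example", 3389)
    print(req.hex(), parse_request(req))
    print(parse_reply(reply(0x00)))
```

The request built for a name contains the name itself, which is what makes DNS resolution happen at the proxy end of the tunnel; an application that resolves the name first and sends only an IPv4 address leaks its DNS lookups onto the local network even though the connection itself goes through the proxy.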

Commands and practical applications of SSH tunnel functions

Let’s look at some practical examples of SSH tunneling.

Port forwarding

Port forwarding requires an SSH tunnel: a port is opened on the local system, and the user chooses the port at the other end of the tunnel to which connections are delivered:

localhost:~$ ssh -L 9999:127.0.0.1:80 user@remoteserver

The command opens a listener on local port 9999; every connection to it is carried through the tunnel to port 80 on remoteserver (the 127.0.0.1 in the rule is interpreted on the server's side). Proxy servers and other TCP services can be exposed through port forwarding in the same way.

Automating the copying of a public key

Traditionally the user copies public keys by hand. The ssh-copy-id utility that ships with OpenSSH speeds this up considerably:

localhost:~$ ssh-copy-id user@remoteserver

This command copies the default public key (~/.ssh/id_rsa.pub) into ~/.ssh/authorized_keys on the remote server.

SSH reverse tunnel

An SSH tunnel can also be created in the opposite direction: a port listening on the remote server is connected to a port on the local machine:

localhost:~$ ssh -v -R 0.0.0.0:1999:127.0.0.1:902 user@remoteserver

This tunnel listens on port 1999 on remoteserver and delivers connections to it to port 902 on the local client. Binding to 0.0.0.0 on the remote side only takes effect if GatewayPorts is enabled in the server's sshd_config; otherwise the listener stays on the server's loopback interface.

Remote command execution using SSH

The ssh command can also run a command on a remote host; the command is given as the last parameter:

localhost:~$ ssh remoteserver "cat /var/log/nginx/access.log" | grep badstuff.php

In this form the log is downloaded over the SSH channel and grep runs locally; for a large file it is more efficient to run grep on the remote side as well, by including it inside the quoted command.

Copying files and rsync over SSH

To duplicate a folder on a remote server, pack it into a bzip2-compressed tar stream and unpack the stream on the other side:

localhost:~$ tar -cvjf - /datafolder | ssh remoteserver "tar -xjf - -C /datafolder"

Rsync is used for regular backups of important information:

localhost:~$ rsync -az /home/testuser/data proglibserver:backup/

rsync transfers only the differences, comparing source and destination at the time of each run, so an interrupted transfer session can be resumed without starting over.

GUI applications: Remote launch via SSH

SSH also allows GUI applications to be run remotely (X11 forwarding):

localhost:~$ ssh -X remoteserver vmware

Note: although the GUI application runs on the remote server, its window is displayed on the local desktop. In the example, the VMware Workstation virtual machine console is started. For this to work, the X11 packages must be installed on the server and X11Forwarding yes must be set in its sshd_config.

Editing text files

Editing a remote file with a single command: vim fetches the file over scp into a temporary copy under /tmp and writes it back to the given path when saved:

localhost:~$ vim scp://user@remoteserver//etc/hosts

Jumping on hosts

When the network is segmented, the connection may have to pass through several intermediate hosts:

localhost:~$ ssh -J host1,host2,host3 user@host4

The -J parameter (ProxyJump) makes ssh open a session through each host in the chain in turn. The working session is encrypted end to end, from localhost to host4.

Filtering traffic using iptables

The iptables utility sets rules for blocking or allowing traffic in three chains: INPUT, FORWARD and OUTPUT. If no rules are set, the firewall applies its default policy. When a connection to the target server is attempted, the initiator's IP address is matched against the INPUT rules, and access is either granted or denied.

Working with iptables does, however, call for some caution. The reason is simple: if a filtering rule is set incorrectly, remote access may become impossible until someone with physical access to the machine removes the restriction.

Implementation of SSH tunnels in Windows

Tunneling capabilities are also available for those who use Windows 10: there are a number of SSH clients for this OS. One of the most used is PuTTY. Running a server under Windows is a more complex task that requires specialized qualifications from the user.

PuTTY is configured quite simply: open Connection, SSH, Tunnels and enter the basic settings: Source port (the entry point) and Destination; the Local / Remote / Dynamic radio buttons set the type of channel. The address of the target host is specified in a different section, Session.

Opening additional ports or deploying a VPN is not required.

Are SSH tunnels safe

As noted, one of their tasks is to create a secure connection to a remote machine. But do not forget the "side effects" of such tunnels: besides the forwarded connection, the user also gets a shell on the server.

If the user forgets about this session, commands meant for the local machine may end up running on the server. To avoid this (especially when working with superuser rights), start the tunnel with the -N parameter, which tells ssh not to run a remote command or open a shell:

ssh -N -g -L 3389:192.168.0.105:3389 user@192.168.0.1

Also, do not use a superuser account when connecting to the remote machine; an account with normal rights is sufficient. And remember to close the SSH tunnel when you are done.

 
