Can someone explain SSH tunnel in a simple way?

Question

Although I use some alias to do ssh tunnel or reverse tunnel, I never understand how it works. Does somebody know how to explain it in very simple way?

I think the 3 primary uses are:

First of all, I can use my home computer to ssh to foo.mycompany.com, without using any password (foo is a server at work)

1. How to make foo.mycompany.com:8080 go to my home computer's localhost:3000 ?

2. If at home, I cannot access http://bar.mycompany.com, but foo can access bar, how to make the home computer able to access http://bar.mycompany.com?

3. If at home, I cannot access MySQL db at db.mycompany.com, but foo can, how to make it possible to access db.mycompany.com also using ssh tunnel.

Can it be explain in very simple terms? Are there actually some other popular use besides these 3? thanks.

Answer 1

1) Assuming you connect from home to foo, you need a reverse tunnel (-R)

ssh -R 8080:localhost:3000 foo.mycompany.com

This will enable processes running at foo to connect to localhost:8080 and actually speak to your home computer at port 3000. If you want other computers at your work to be able to connect to foo:8080 and access your home computer at port 3000, then you need

ssh -R 0.0.0.0:8080:localhost:3000 foo.mycompany.com

but for this to work you also need this option to foo's sshd_config

 GatewayPorts yes

2) The best way to create an http proxy with ssh is with socks. First connect with

ssh -D 8888 foo.company.com

then go to your browser connection settings and enable proxy connection, choose socks4/5 and host: localhost, port 8888. Then just type http://bar.mycompany.com in your browser's address bar.

3) Now you need a local port forward (-L).

ssh -L 3333:db.mycompany.com:3306 foo.mycompany.com

This means that you will be able to connect at localhost:3333 from your home computer and everything will be forwarded to db.mycompany.com:3306 as if the connection was made by foo.mycompany.com. Host db will see foo as the client connecting, so you need to login with the same username and password you use when working from foo.

Adding -g flag will enable other computers from your home network to connect to your computer port 3333 and actually access db:3306.

Answer 2

Quite an old question, but see if this page helps explain it for you, it's got pretty pictures and all. :)

https://www.ssh.com/ssh/tunneling/

Basically, a SSH Tunnel is a tunnel that can be used to pass (tunnel) data from one place to another, encrypted.

It is also commonly used to route traffic (via a tunnel, think wormhole) to somewhere else, which allows for things such as tunnelling through a firewall or redirecting traffic (encrypted port forwarding).

Let's say you have a firewall between you and the server. The server can access another server (server2) on it's internal network.

[client]--------||------[server]----[sever2]

Let's say you want to access a web server on server2, and for obvious reasons you can't do this directly. Let's say that port 22 (ssh) is open on the firewall. So what we would do is create an SSH tunnel (on server) from server to server2. This will mean that any (outbound?) traffic on port 22 will be sent, via this tunnel, from server:22 -> server2:80.

[client]--------||------[server:22]======[sever2:80]

So (as I understand it), if we connect to server:22, it should redirect traffic on port 22 to the web server on server2:80 using this new SSH tunnel. (as far as I understand, the data is only encrypted in the tunnel, so the end will be decrypted data, if you're wondering if server:80 has to be SSL).

I suppose in one way that using SSH, is in itself, an SSH Tunnel for your old telnet communication. It's just that in most times you hear about SSH Tunnelling, people are referring to the (secure) port forwarding feature it offers, without having to have access to the firewall admin, which is a nifty little feature that a lot of hackers like to use to get around security.

On the more legitimate reasons; it's great way to relay certain traffic to an internal server that works on a different port, should you be limited by a firewall and such, or you want to secure the traffic between two machines (like the SSH program does).

Hope this helps.

EDIT

Found this over at the UNIX SO https://unix.stackexchange.com/questions/46235/how-does-reverse-ssh-tunneling-work, lots of answers with very clear (and pictorial) explanations of what you need!

Answer 3

SSH tunnelling is very simple. It opens a listening socket at one end. Whenever anyone connects to that listening socket, it opens a corresponding connection from the other end to the configured location, then forwards all information both ways between the two, over the SSH link.

Answer 4

First of all I will explain SSH:

SSH is remote login shell that helps you to connect remote machines using encrypted connection. So once you made ssh connection to any remote host the connection between hosts are secure and encrypted.

SSH tunneling is routing your traffic through SSH secure connection.

In simple words SSH tunneling is nothing but one connection is encapsulated by another connection. By taking this as a advantage we make tunnels by using SSH client.

Following command helps you to create simple socks proxy

ssh -D 8080 user@sshserverip

Answer 5

Sharing a nice tutorial I found with some diagrams: https://iximiuz.com/en/posts/ssh-tunnels/

Local Port Forwarding

E.g. Accessing an online server's database (MySQL, Postgres, Redis, etc.) using a fancy UI tool from your laptop.

ssh -L [local_addr:]local_port:remote_addr:remote_port [user@]sshd_addr

The -L flag indicates we're starting a local port forwarding.

What it actually means is:

• On your machine, the SSH client will start listening on local_port (likely, on localhost).
• Any traffic to this port will be forwarded to the remote_private_addr:remote_port on the machine you SSH-ed to.

Remote Port Forwarding

Expose a local service to the outside world, e.g. exposing a dev service from your laptop to the public Internet for a demo.

ssh -R [remote_addr:]remote_port:local_addr:local_port [user@]gateway_addr

The -R flag indicates we're starting a remote port forwarding.

Answer 6

Read the man page, specifically the -L, -R and -D options. I don't think someone rewriting this, and possibly introducing mistakes, is useful. If you don't understand it though you could ask more specific questions.

-D gives a SOCKS proxy, which is another useful application of ssh tunnelling.