What is SSH port forwarding and when would I use it?
Why do you (or why would you most want to) use ssh port forwarding?
Secure Shell is a Swiss Army knife
Secure Shell goes beyond the scope of providing shell access for remote administration over a secure channel. The port forwarding functionality of ssh allows the remote system to act like a TCP proxy for your ssh client. With a few configuration directives, you can set up a secure tunnel between your client workstation and the remote SSH server:
- to bypass firewall policy
- to communicate with otherwise inaccessible private addresses
- to secure communication with SSH encryption on an otherwise untrusted network
These are just a few examples of how ssh port forwarding can help make your life easier.
The following tutorial assumes you have access to SSH on some remote system. For an introduction to SSH, refer to my Hub on setting up SSH. If you don't already have a Linux- or Unix-based firewall in front of your home network, refer to Hubber skear's articles on pfsense: this one in particular.
Note that SSH only forwards TCP ports. This tutorial won't help you if you need to proxy UDP or some other protocol. (For background, see What's the difference between TCP and UDP?)
How to phone home from work
I use SSH port forwarding to gain access to computers on my home network. Because my home network uses private IP addresses, the computers behind my home firewall are unreachable from outside without port forwarding. For security reasons, I configured my firewall to listen for SSH connections on an alternate port, and I have restricted which networks are allowed to connect.
My iMac at home is configured to listen for remote desktop sessions using VNC. Here are the steps I take to access the remote desktop from another location:
- make use of a dynamic DNS to keep track of my cable modem's IP address
- initiate ssh access from my work computer to my home firewall
- configure ssh port forwarding to proxy VNC access from my work computer to my home computer via the home firewall
- open vnc client to a local port on my work computer
Sophos Astaro UTM
- Sophos UTM
I've used Astaro's SOHO firewall ISO for several years. My first experience was before the Sophos acquisition. I still use it today to provide a family-friendly web-browsing experience. Their web filter is one of the easiest I've encountered.
Use Dynamic DNS to initiate access
The first step is to establish a connection with some publicly addressable endpoint. If you can initiate a connection to the remote shell on your home firewall, that's the start you need.
ssh -p 4222 firstname.lastname@example.org
From a packet capture, an observer can see that the traffic was initiated from my work laptop to tcp port 4222 on my home firewall. Because the connection is encrypted, there is no meaningful data in the payload - it looks like gibberish.
While you're logged in to your home firewall, try to telnet to your target resource. In this case, I will attempt to telnet to tcp 5900 on host 192.168.1.100.
telnet 192.168.1.100 5900
If you get any errors at this step, you won't be able to continue with the next. Take a moment to troubleshoot any firewall policy or addressing errors before moving on.
- Free Dynamic DNS
While there are many dynamic DNS services to choose from, NoIP works for me! It's free! My only complaint is that I have to fill out a CAPTCHA every so often to keep my entry alive.
Configure SSH port forwarding
Next, we instruct SSH to set up the proxy by defining which TCP ports go where. On the iMac at home, VNC listens for new connections on tcp port 5900 at its local IP address, 192.168.1.100. On my laptop at work, I will connect to port 5999 on the loopback address (localhost). Notice that the -L option is the only difference from the previous command.
ssh -p 4222 -L 5999:192.168.1.100:5900 email@example.com
As before, a packet capture shows only what appears to be ssh traffic initiated from my work laptop to tcp port 4222 on my home router's public IP address. However, with the -L (LocalForward) directive, the logical path of the tunnel is different: a connection I initiate to tcp port 5999 on my localhost is proxied by the firewall to the interior address of my home network, 192.168.1.100, at tcp port 5900.
And we have liftoff! Don't take my word for it - open up your VNC client and connect to localhost on port 5999, the local end of the forward configured above.
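To script the steps above end to end, here is an added example (not from the original Hub) that parses the -L spec, refuses to bind the local end anywhere but loopback, brings the tunnel up in the background and waits until port 5999 actually answers before you start the VNC client; the host name homefw.example.org is an assumption standing in for your dynamic DNS name.

```python
"""Bring up the VNC tunnel described in the article and wait until the
local end is usable.  Added example, not from the original page; the
remote host name is an assumption (use your own dynamic DNS name)."""
import socket
import subprocess
import sys
import time

REMOTE = "homefw.example.org"        # assumption: your dynamic DNS name
SSH_PORT = 4222                      # alternate SSH port from the article
FORWARD = "5999:192.168.1.100:5900"  # local port : iMac address : VNC port

def parse_forward(spec):
    """Split an ssh -L spec into (bind_addr, local_port, host, port).
    By default ssh binds the local end to loopback when no bind address
    is given, so other machines on the work network cannot use the tunnel."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, lport, host, rport = "127.0.0.1", *parts
    elif len(parts) == 4:
        bind, lport, host, rport = parts
    else:
        raise ValueError(f"bad -L spec: {spec}")
    return bind, int(lport), host, int(rport)

def ssh_command(remote, ssh_port, spec):
    """ssh invocation that only sets up the forward (-N), drops to the
    background (-f) and exits non-zero if the local port cannot be bound."""
    return ["ssh", "-f", "-N", "-o", "ExitOnForwardFailure=yes",
            "-p", str(ssh_port), "-L", spec, remote]

def wait_for_port(host, port, timeout=10.0):
    """Poll until something accepts TCP connections on host:port."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1):
                return True
        except OSError:
            time.sleep(0.2)
    return False

if __name__ == "__main__":
    bind, lport, host, rport = parse_forward(FORWARD)
    if bind not in ("127.0.0.1", "localhost", "::1"):
        sys.exit(f"refusing to expose {bind}:{lport} beyond this machine")
    subprocess.run(ssh_command(REMOTE, SSH_PORT, FORWARD), check=True)
    if not wait_for_port(bind, lport):
        sys.exit("tunnel never came up; repeat the telnet test on the firewall")
    print(f"VNC on {host}:{rport} is now reachable at {bind}:{lport}")
```

Once the script prints the last line, point your VNC client at localhost:5999; the background ssh process stays alive until you kill it.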
To save this config as a permanent addition on Mac or Linux, open your ~/.ssh/config file in a text editor and add the directives shown in the screen cap in the sidebar. Save and quit the text editor; from then on you can connect by invoking the new profile like so:
Windows users have a slightly different arrangement. See the screen caps below for where the putty client stores LocalForward and alternate Port directives. After saving the directives in a new profile named homeVNC, launch putty from the Run command: