Putty/ssh port forwarding!
Thought I’d create this post to remind myself and show my colleague and friend @Dark_KnightUK about setting up secure tunnel with port forwarding using ssh, either with putty on Windows or normal ssh client on Linux/Unix/Windows (Yes Windows now has a native ssh client!). I shall walk through setting up both windows and Linux clients to connect to a Windows Desktop on my home network.
Why would you want to use ssh tunneling?
SSH tunnels are useful for securing traffic between 2 hosts that you would like to remain private. SSH itself is a secure shell replacement for Telnet as all traffic is encrypted rather than sent in clear across the network. This mechanism can also be used to bypass various restrictions on public or unknown networks providing your destination has a listening ssh server at the other end.
Reasons I use ssh tunnels:
1. Proxying Web requests via my own http proxy server.
2. Accessing resources in my home network, such as CCTV or mail system.
3. Being able to use RDP on my desktop at home securely.
What is a ssh tunnel?
An ssh tunnel is where you use an already setup ssh connection to forward other traffic securely by specifying which ports need to be proxied. SSH tunnels are not as flexible as a full grown VPN solution as for each port you want to forward needs to be specified individually in the config file. (VPN’s will pass and traffic to any ports once a connection has been made) But its ease of setup makes it easy solution for simple things.
Firstly you need to setup your home router to port forward (sometimes called a service port) any requests it receives on a particular port from its public interface to an internal address which has a listening SSH server on.
Public address: 188.8.131.52
Home SSH server address: 192.168.0.1 port 22 (default)
Home Windows desktop: 192.168.0.4 port 3389 (default)
In this example my destination public address is on 184.108.40.206 and I have set up the router to listen on port 1337 and forward any requests it gets to an internal address to 192.168.0.1 port 22
Note: You could use any port you wish, not just 1337 😉
SSHD supports tunnels by default, if not check the sshd_config file for the clause ‘Permit Tunnel’ and make sure it is commented out.
I would like to connect to my Windows Desktop at home from work.
Using Windows Putty client:
Setup a normal connection to the public address and before you hit open, go to the SSH > Tunnels section of the client.
Add in the source port box 3390 and the destination of 192.168.0.4:3389 and hit Add. It should add the entry to the window above.(Note: I use 3390 as a service may already be using port 3389 on my local windows machine. In this case it would be RDP services)
Log in to ssh as normal, once in all I need to do is fire up Remote Desktop Client (mstsc) and then make a connection to my local address (127.0.0.1) and the port specified.
I should now be connected to my own machine.
The Spring update to Windows 10 provided a new native ssh client via Powershell:
ssh -L 3390:localhost:3389 firstname.lastname@example.org
This should do the same thing as putty but via Powershell instead. Now just use RDP client as above and you should have a desktop as well.
Accessing RDP on a windows machine on my home network.
ssh email@example.com -L 3390: 192.168.0.4:3389
Connect to host 220.127.116.11 with username of ‘me’ forward (-L) the local port 3390 to ip of 192.168.0.4 to port 3389. Easy.
Then just fire up yor favourite RDP client (rdesktop or other) and point it to your local address on port 3390 and you be now connected to your own machine.
There are many more ways to use ssh tunnels with both remote and local port forwarding. This method is the one I find the most useful. Hope this has been clear for you all. Some of these concepts can mess with your head.