Linux: Create Encrypted Tunnels with SSH Port Forwarding – The New Stack

admin on January 30, 2024 Leave a Comment

Secure Shell (SSH) has several really cool tricks up its sleeve, each of which offers a handy feature (wrapped in a comforting blanket of security) to help make your life a bit easier.

Last week, we discussed key authentication with SSH; this week we will talk about port forwarding, which can be used to:

There are three different types of SSH port forwarding. They are local (connections from a client are forwarded, via SSH, to a remote host), remote (connections from a remote server are forwarded, via SSH, to another machine), and dynamic (connections from different applications are forwarded, via SSH, to several servers).

There are many examples of port forwarding, some of which can get rather complicated. Because of this, were only going to deal with the first two types of port forwarding here (local and remote). These are also the types of SSH port forwarding that youll use the most.

SSH port forwarding is built into SSH by default, so as long as you have SSH installed, you should have everything you need to work with this feature.

With that said, let me show you how SSH port forwarding works.

Your Linux distribution probably already has SSH installed. However, for port forwarding, youll want the SSH server added as well. For that, you can log into your Linux machine and install it on an Ubuntu-based distribution like so:

sudo apt-get install openssh-server -y

sudo apt-get install openssh-server -y

On a RHEL-based distribution, that command would be:

sudo dnf install openssh-server -y

sudo dnf install openssh-server -y

Once the server is installed, start and enable it on an Ubuntu-based distribution with the command:

sudo systemctl enable --now ssh

sudo systemctl enable --now ssh

On a RHEL-based distribution, the start/enable command is:

sudo systemctl enable --now sshd

sudo systemctl enable --now sshd

The first type of port forwarding well deal with is local. Lets say youre developing a new site and you want to be able to access it via an encrypted connection. This new site may be on your local network or on a remote server. Either way, you can connect to it using the remote SSH server from a local port to a remote port.

Lets say you want to use local port 8080 and forward a connection IP address 192.168.1.11 port 80, via SSH. To do that, the command would be:

ssh -L 8080:192.168.1.11:80 localhost

ssh -L 8080:192.168.1.11:80 localhost

You will be prompted for your local SSH user password and then will be returned to the command prompt. To verify the tunnel worked, open a web browser and point it to:

The remote site (at 192.168.1.11) should appear in the web browser and is being tunneled via SSH encryption.

You can keep using the encrypted tunnel as long as you remain logged in from the terminal window. To close the encrypted tunnel, go back to the terminal window and type:

You will probably find this type of port forwarding to be more useful because it can allow you to give others access to a remote machine, via an encrypted tunnel. Say, for instance, you have someone on your LAN who needs VNC access to a server with a GUI and you want to ensure that connection is encrypted for security purposes. This, of course, would require you have VNC set up properly on the server and a VNC viewer on a client machine.

For this example, well stick with the 192.168.1.11 IP address for the remote machine and the client machine is at 192.168.1.21. You must have SSH access to the client machine as well.

Before you do this, however, you must take care of a simple SSH configuration. Open the SSH server configuration file with the command:

sudo nano /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Add the following line to the bottom of the file:

Save and close the file. Restart SSH with either:

sudo systemctl restart ssh

sudo systemctl restart ssh

or

sudo systemctl restart sshd

sudo systemctl restart sshd

Now, lets create the remote tunnel. To create the tunnel for VNC (which runs on port 5900), run the following command on the remote server (which, for our example, is at 192.168.1.11):

ssh -R 5900:localhost:5900 USERNAME@192.168.1.21

ssh -R 5900:localhost:5900 USERNAME@192.168.1.21

Where USERNAME is a username on the client machine to which you have access. Once you authenticate that user, the SSH remote tunnel is up and running. The other user could then connect to the server, using a VNC client, with localhost and port 5900.

Remember, even when the remote user disconnects their VNC connection, the tunnel is still up and running. To close the tunnel, go back to the remote servers terminal and type exit.

If youre looking to create encrypted tunnels for various use cases, look no further than SSH. Once you get the hang of creating these tunnels, youll find they can be very useful in several different types of scenarios.

YOUTUBE.COM/THENEWSTACK

Tech moves fast, don't miss an episode. Subscribe to our YouTubechannel to stream all our podcasts, interviews, demos, and more.

SUBSCRIBE

See the original post:
Linux: Create Encrypted Tunnels with SSH Port Forwarding - The New Stack

Related Posts
Posted in Encryption

Comments are closed.