The Secure SHell, or SSH, is a simple but effective tool for encrypted remote login to a Linux-based workstation or server. Not only does it give you secure command-line access to the remote PC, but it can also be used to securely redirect data to be routed or processed on the remote PC’s LAN such as HTTP traffic or perhaps another protocol such as Jabber that is blocked on your local Internet connection. This process is called tunneling.
Creating an SSH tunnel is easy. Say you wanted to forward the local port 2100 to a web server inside your remote network on IP 192.168.0.99. The public hostname of the SSH server you are using to connect to is myserver.com. You can issue the command:
$ ssh jbloggs@myserver.com -L 2100:192.168.0.99:80 -N
…this will redirect local port 2100 to port 80 on the server with LAN IP 192.168.0.99 on the remote network, via the Internet-accessible SSH server on myserver.com, logging into it as the user jbloggs. The -N flag tells ssh not to run a remote command, so the session does nothing but carry the forwarded port. By default the forwarded port is bound to the loopback address only, so other machines on your local network cannot ride the tunnel. Every time you now access http://localhost:2100 with your web browser, your traffic will be redirected to the remote web server, using an encrypted tunnel over the Internet.
Now this is great, but that command line looks a bit convoluted. Isn’t there a more intuitive way to create an SSH tunnel?
There sure is – a neat little Gnome GUI app called the Gnome SSH Tunnel Manager or gSTM for short.
Here’s a diagram to illustrate what we are trying to do.
The Internal LAN web server cannot be accessed from the Internet, only local LAN users. For the workstation on the other side of the Internet to be able to access the LAN web server at 192.168.0.99, we need to tunnel into the SSH server and then pass through it to get to the Internal LAN web server.
First up, we need to install gSTM. It exists in the Ubuntu repository, so all you have to do is enter:
$ sudo apt-get install gstm
Once installed, you will find it in the Applications->Internet->gSTM menu. When you fire it up, you will be presented with the following window (in this case I’ve already setup three tunnels – your list will be empty):
The list shows all the tunnels you have created to various locations. Each tunnel can have multiple ports directed over it. The green light next to the tunnel name indicates an active tunnel. A red light indicates an inactive tunnel.
- Creating a new tunnel is simplicity itself – just click on the Add button. A new window appears.
- In this window, we specify an arbitrary name for the tunnel, then the SSH server we’re connecting to, eg: myserver.com in the previous example (or its public IP address), the login name used to access that SSH server, eg: jbloggs, and the port that the remote SSH server is listening on (which by default is 22, but you may have moved it to a non-standard port number above 1024 to cut down on automated scanning; note that this only hides the service, it does not harden it, so key-based authentication and a disabled root login still matter).
- These are the only values you need to fill in to establish the basic tunnel. Next, we need to specify which ports we are going to redirect into that tunnel. Click on the “Add” button to add a new port.
- First we specify where the port we’re redirecting is coming from. “Local” means that we’re redirecting a port from the PC you are working on, to the remote PC. In the above example, we are going to redirect an arbitrary port number 32456 to port 80 on the PC 192.168.0.99 on the remote network’s internal LAN (via the remote SSH server). Click OK and then click OK on the previous window to save your Tunnel settings. It now appears in the list of available tunnels.
- Simply click on the Start button and you will be prompted for the password for the account you specified for the tunnel to access the remote SSH server with. Type it in and hit Enter.
- Once the green light appears next to your tunnel name in the list, you are ready to go. Open your web browser and type in http://localhost:32456 and you will suddenly see the web page of the internal machine on the remote network.
That’s pretty cool, but let’s try something even cooler. Stop your tunnel by clicking on the Stop button, then bring up the Properties for it again.
Let’s say you are at an office or school where the local Internet web access is filtered. There is a website that you’d like to visit, but it is blocked by the local organisation’s filter. Assuming outbound SSH access is allowed, you can effectively bypass the filter by routing all your web traffic via your remote SSH server whose web access is unfiltered. Here’s a diagram to illustrate what we’re doing:
The workstation tries to access the blocked website (indicated by the red line) but fails. By using an SSH tunnel (the green line), we can access the blocked website via the remote SSH server.
- To do this, add a redirection but change “Local” to be “Dynamic”, and specify an arbitrary port number, eg: 9100. You will notice that you cannot specify a To host or To port: a Dynamic redirection is a SOCKS proxy (the equivalent of ssh -D), and the destination of each connection is chosen by the application using the proxy rather than fixed in advance. Click OK.
- Now open up your web browser and bring up the Proxy settings. In Firefox, this is located by going to the Edit->Preferences menu, then click on the Advanced icon, then the Network tab, then finally click on the Settings button. You are presented with the following window:
- Change the radio selection at the top of the window to Manual proxy configuration and then in the SOCKS Host box ONLY, specify “localhost” and port “9100”, and select SOCKS v5. One caveat: unless Firefox is told to resolve names through the proxy, DNS lookups still go to the local network’s resolver, which both leaks the names of the sites you visit and lets a DNS-based filter keep blocking them. Newer Firefox versions expose this as a “Proxy DNS when using SOCKS v5” checkbox in the same dialog; in older versions set network.proxy.socks_remote_dns to true in about:config.
- Now click OK and then close the Firefox preferences window.
- Start your SSH tunnel again by clicking on the Start button.
- Now try surfing to your blocked website. Instead of it being filtered, you will now find it appears because your web traffic is being proxied into your SSH tunnel and retrieved through your unfiltered remote Internet connection. The local network sees only an encrypted SSH session to myserver.com; the SSH server, on the other hand, now sees all of your browsing, so use one you trust.
- When you are done, don’t forget to shutdown your SSH tunnel and change your web browser’s proxy settings back to whatever they were previously.
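For readers who want the command-line equivalent of what gSTM did in both procedures above (the Local redirection to the internal web server and the Dynamic SOCKS redirection), here is an added example script. It is not part of the original article or of the gSTM project. The hostname myserver.com, the user jbloggs and the ports 32456, 9100, 80 and 22 are the article’s examples; the script name, the function names, the control-socket path in TUNNEL_SOCK and the use of https://example.org as a probe target are my own assumptions. It pins every listener to 127.0.0.1, refuses to background ssh until every forward is bound (ExitOnForwardFailure), and uses a control socket so the tunnel can be checked and stopped cleanly.

```shell
#!/bin/sh
# Added example: CLI equivalent of a gSTM tunnel with Local and Dynamic
# redirections. Not from the article or gSTM; names below are assumptions.

# The fields gSTM asks for (the article's example values).
SSH_HOST="myserver.com"
SSH_USER="jbloggs"
SSH_PORT="22"
# Control socket used to check/stop the tunnel (assumed path).
TUNNEL_SOCK="${TUNNEL_SOCK:-$HOME/.ssh/gstm-cli.sock}"

# build_ssh_args: turn gSTM-style port entries into ssh(1) arguments.
# Each entry is "local:LPORT:HOST:RPORT" (a Local redirection, ssh -L)
# or "dynamic:LPORT" (a Dynamic redirection, ssh -D).
# Listeners are pinned to 127.0.0.1 so nobody else on your LAN can use
# the tunnel; ExitOnForwardFailure makes ssh fail instead of silently
# coming up without a forward (e.g. when the port is already taken).
build_ssh_args() {
    args="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -p $SSH_PORT"
    for entry in "$@"; do
        kind=${entry%%:*}
        rest=${entry#*:}
        case "$kind" in
            local)
                case "$rest" in
                    *:*:*) args="$args -L 127.0.0.1:$rest" ;;
                    *) echo "local forward needs LPORT:HOST:RPORT: $entry" >&2; return 1 ;;
                esac ;;
            dynamic) args="$args -D 127.0.0.1:$rest" ;;
            *) echo "unknown forward type: $kind" >&2; return 1 ;;
        esac
    done
    echo "$args $SSH_USER@$SSH_HOST"
}

# start_tunnel: authenticate in the foreground (so a password or key
# passphrase prompt works), then go to the background only once every
# forward is bound. -M/-S create a control socket for status/stop.
start_tunnel() {
    # shellcheck disable=SC2046   # word-splitting of the built args is intended
    ssh -f -M -S "$TUNNEL_SOCK" $(build_ssh_args "$@")
}

# tunnel_status / stop_tunnel: talk to the running master over the socket.
tunnel_status() { ssh -S "$TUNNEL_SOCK" -O check "$SSH_USER@$SSH_HOST"; }
stop_tunnel()   { ssh -S "$TUNNEL_SOCK" -O exit  "$SSH_USER@$SSH_HOST"; }

# check_socks_dns: confirm names are resolved at the far end of the tunnel.
# --socks5-hostname hands the hostname to the SOCKS server (what Firefox's
# "Proxy DNS when using SOCKS v5" does); plain --socks5 would resolve the
# name locally and leak it to the filtered network's resolver.
check_socks_dns() {
    curl -sS --socks5-hostname 127.0.0.1:9100 -o /dev/null \
        -w '%{http_code}\n' "https://example.org/"
}

case "${1:-}" in
    start)  shift; start_tunnel "$@" ;;
    status) tunnel_status ;;
    stop)   stop_tunnel ;;
    check)  check_socks_dns ;;
esac
```

Usage, assuming the script is saved as tunnel.sh: `./tunnel.sh start local:32456:192.168.0.99:80 dynamic:9100` brings up both redirections from the article in one SSH session, `./tunnel.sh status` reports whether the master is still alive, `./tunnel.sh check` verifies the SOCKS proxy works with remote name resolution, and `./tunnel.sh stop` tears it down (the equivalent of gSTM’s Stop button).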