HOWTO SSH Tunnel
One of the many features of SSH is the ability to "tunnel" your traffic.
Why Tunnel?
The Problem
Let's say you are using a public WiFi hotspot. All of your traffic is transmitted over the air, unencrypted. Anyone with the brainpower, the proper wireless card, and a sniffer such as kismet can view your traffic.
This is usually fine if you are using an encrypted protocol such as SSL (though not always: SSL can be susceptible to man-in-the-middle attacks). However, if you are using a legacy protocol such as POP3 or SMTP, traffic is not always encrypted, and your password is sent as plaintext across the network.
Let's see how this looks:
The Solution
To solve this, we can encrypt our traffic through an SSH tunnel. This works by carrying our traffic inside the encrypted SSH connection to the SSH server, which then passes it on to its destination. Here is an example:
Tunnel Types
Local
This is the most basic type of SSH tunnel. It allows you to create a static tunnel.
Let's jump right in:
$ ssh -L 2110:mail.example.com:110 ssh.shellium.org
Let's break this down.
- ssh - this is the ssh command
- -L - this signifies that we want to set up a local tunnel
- 2110 - this is the local port number that we will be establishing the tunnel on, in this case, it is port 2110
- mail.example.com - this is the server that we would like to tunnel to, in this case, it is mail.example.com
- 110 - this is the remote port that we would like to tunnel to, on mail.example.com, in this case, it is port 110 -- the POP3 port
- ssh.shellium.org - this is our ssh server
This will create a tunnel from localhost:2110 to mail.example.com:110. In your email client, you can add localhost:2110 as your mail server; the connection actually goes to mail.example.com:110, tunneled through ssh.shellium.org.
So how does this look?
[Localhost:2110]<== Encrypted Traffic ==>[ssh.shellium.org]<-- Unencrypted Traffic -->[mail.example.com:110]
Ok, so your incoming email is moving securely through your newly created tunnel. Now, let's say, we'd like our outgoing email to traverse the tunnel as well. We could start another instance of ssh like so:
$ ssh -L 2025:mail.example.com:25 ssh.shellium.org
This will do basically the same thing as the first command, except running on local port 2025 and it will connect to port 25 on mail.example.com.
Now you may ask, why do I have to run two different instances of SSH to do this? You don't!
Go ahead and give this a shot:
$ ssh -L 2110:mail.example.com:110 -L 2025:mail.example.com:25 ssh.shellium.org
This will create two tunnels, one running on port 2110 for your POP3 (Incoming Mail), and one on port 2025 for your SMTP (Outgoing Mail).
Remote
So, you're running a VNC server on your laptop, and you want to allow your friend to connect to it, for collaboration on a project. However, as we know, VNC is an insecure protocol, with passwords sent via plaintext.
So, to solve this, we can create a reverse tunnel. Once again, let's dive right in.
$ ssh -R 55900:localhost:5900 ssh.shellium.org
Let's break this down:
- ssh - the ssh command
- -R - this signifies that this is a remote tunnel
- 55900 - this is the port opened up on the SSH server
- localhost - this is the address we'd like the tunnel to connect to, locally
- 5900 - this is the port we'd like to connect to, locally
- ssh.shellium.org - this is our ssh server
So what's this all doing?
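This is where things can get slightly confusing. We're invoking the SSH command from our local machine, but the listening port (55900) is opened on the SSH server, and connections to it are carried back through the tunnel to port 5900 on our machine.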
[VNC Server -- localhost:5900]<== Encrypted Connection ==>[SSH Server -- ssh.shellium.org:55900]<-- Unencrypted Traffic -->[VNC Client]
So, for someone to connect to your VNC server, you would instruct them to connect to ssh.shellium.org:55900, rather than your_ip:5900. You can lock down your VNC server by only allowing connections from localhost (the ssh client is connecting to your VNC server, and the VNC client is connecting to the SSH server).
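The -L and -R arguments broken down above share one format, [bind_address:]listen_port:target_host:target_port. The function below is an added example, not part of the original HOWTO (explain_forward is a made-up name); it prints which end opens the listening port and which end makes the onward connection, assuming OpenSSH's default of binding the listener to loopback when no bind address is given.

```shell
# Added example: describe an ssh -L / -R forward specification.
# Bracketed IPv6 literals are not handled.
explain_forward() (
    kind=$1 spec=$2
    set -f        # keep a "*" bind address from being glob-expanded
    IFS=:
    set -- $spec  # split the spec on colons into $1..$4
    case $# in
        3) bind=loopback; lport=$1; host=$2; hport=$3 ;;  # no bind address given
        4) bind=${1:-*};  lport=$2; host=$3; hport=$4 ;;  # empty or * = all interfaces
        *) echo "bad forward spec: $spec" >&2; exit 1 ;;
    esac
    case $kind in
        L) listener=client;       connector="SSH server" ;;
        R) listener="SSH server"; connector=client ;;
        *) echo "kind must be L or R" >&2; exit 1 ;;
    esac
    # The listener-to-connector leg is the encrypted SSH connection;
    # the onward connection to host:hport is not encrypted by SSH.
    echo "$listener listens on $bind:$lport; $connector connects to $host:$hport"
)

# The two commands from this page:
explain_forward L 2110:mail.example.com:110
explain_forward R 55900:localhost:5900
```

For the -R case the listener is on the server's loopback interface unless the server's GatewayPorts setting allows a wider bind address.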
Dynamic
A dynamic tunnel allows the SSH tunnel to function as an encrypted SOCKS5 proxy.
Let's take a look at the command:
$ ssh -D 1234 ssh.shellium.org
Port 1234 is the port that the SOCKS5 will run on, locally, so you can point any application that supports SOCKS5 to port 1234 on localhost.
To create the SSH tunnel in the background
$ ssh -fND 1234 ssh.shellium.org
The N switch tells the SSH client not to execute a remote command while the f switch tells it to go to background. You will be asked for your password then dropped back to your local command prompt.
The SSH client runs a server on the local computer, on the port specified, and tunnels all traffic through the SSH tunnel. You can use the tunnel for any application that supports SOCKS5 proxies. If the application does not support SOCKS5 proxies, you still have hope for this method. (See Setup Any Program)
Setup by OS
Linux
Command Line
- Local
$ ssh -L local_listen_port:remote_connect_address:remote_connect_port ssh.shellium.org
- Remote
$ ssh -R remote_listen_port:local_connect_address:local_connect_port ssh.shellium.org
- Dynamic
$ ssh -D local_listen_port ssh.shellium.org
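On a shared network it is worth confirming that the local and dynamic listeners are reachable only from your own machine. The check below is an added example, not part of the original HOWTO (exposed_forwards is a made-up name and the ss output is constructed); it reads `ss -ltn` output and reports any of the given tunnel ports bound to a non-loopback address.

```shell
# Added example: read `ss -ltn` output on stdin and print every listener on
# one of the given ports that is NOT bound to a loopback address, i.e. a
# forward that other hosts on the network can connect to.
exposed_forwards() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            k = split($4, part, ":")     # port is the text after the last colon
            port = part[k]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port in want) && addr !~ /^127\./ && addr != "[::1]")
                print addr ":" port
        }'
}

# Constructed sample: 2110 and 2025 are loopback-only; 1234 is bound to all
# interfaces, as happens when ssh is run with -g or "GatewayPorts yes".
SAMPLE_SS='LISTEN 0 128 127.0.0.1:2110 0.0.0.0:*
LISTEN 0 128 [::1]:2110 [::]:*
LISTEN 0 128 127.0.0.1:2025 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1234 0.0.0.0:*
LISTEN 0 128 [::]:1234 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | exposed_forwards 2110 2025 1234
```

Against a live system, run `ss -ltn | exposed_forwards 2110 2025 1234`; empty output means every listed tunnel port is loopback-only.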
GNOME
For managing your SSH tunnels in GNOME, there is a great application available called gSTM -- GNOME SSH Tunnel Manager.
If you are using Ubuntu, you can install this through apt.
$ sudo apt-get install gstm
For other distributions, please check your repositories, or the gSTM website here: http://sourceforge.net/projects/gstm/
After installation, start up the program.
On my Ubuntu 9.04 install, it is located at Applications -> Internet -> gSTM.
You will be presented with a window that looks similar to this:
Go ahead and click Add.
A dialog will appear asking you to name this connection:
In this example, I've named the connection "Shellium".
You will be presented with a dialog, asking for more details:
For host, we will use ssh.shellium.org. For the "Login:" field, replace your_username with your username. Leave the port as is -- 22. If you would like this tunnel to automatically connect upon starting gSTM, go ahead and check the Autostart checkbox. We're now ready to add a forward. Go ahead and click Add.
You will be presented with this dialog box:
In this example, I've chosen to set up a dynamic tunnel running on local port 1234. Set up your forward as you wish. Click OK when you have it the way you'd like it. If you'd like to add another tunnel, go ahead and click Add again, and set up your tunnel(s).
When done, click OK.
You'll be returned to the main screen, where your newly set up tunnel will now be listed.
Go ahead and click Start.
If you have not used this tunnel before, you will be prompted to add the key.
You will then be prompted for your password. Go ahead and enter your password. Once you're authenticated, you're ready to use your tunnel! Read ahead to learn how to set up your programs.
If you'd like to hide gSTM, go ahead and click the gSTM icon in your notification area.
KDE
Windows
PuTTY
OK, so you want to use a tunnel when connecting with PuTTY?
First, go to Connection -> Proxy and select SOCKS 5. Enter localhost in "Proxy hostname", and in "Port" enter the port you set up for the tunnel.
Setup Your Browser
Ok, so you've got a freshly created dynamic SSH tunnel, let's put it to use. A common use of these tunnels is for securing your web traffic, so let's get our browser configured.
Firefox
First off, we need to access our preferences dialog.
On *nix, this can be done by clicking:
Edit -> Preferences
On Windows, this can be done by clicking:
Tools -> Options
Once inside the preferences dialog, go ahead and click the Advanced tab, then the Network tab.
Go ahead and click Settings. You'll be presented with a dialog box similar to the one shown below.
Click Manual Proxy Configuration:
Under HTTP Proxy, go ahead and enter localhost as your host, and the port number you're running your tunnel on (in this example, we're running the tunnel on port 1234). Check the box "Use this proxy server for all protocols". Click OK, and close the preferences dialog. You're all set, and ready to browse securely!
Chrome
These instructions also apply to Chromium, the Open Source, Linux version of Google Chrome.
- Open your Options Panel
- Go to the Under the Hood Tab
- Click Change proxy settings
- Select Manual proxy configuration
- Check Use the same proxy for all protocols
- Type in localhost for your host, and for the port number, the port your dynamic tunnel is running on
You're all set! Enjoy browsing the web securely!
Internet Explorer
Setup Other Programs
Pidgin
Setup Any Program
Linux
tsocks
Setup of tsocks is very very easy.
Simply edit /etc/tsocks.conf so that it looks something like this:
server = 127.0.0.1 # tsocks will connect on localhost, where the ssh dynamic tunnel is running
server_port = 1234 # in this article, local_listen_port: where the ssh tunnel is listening
server_type = 5
After this setup, simply run almost any program using the syntax:
$ tsocks command_to_run argument1 argument2...
For example:
$ tsocks lynx http://www.google.it







