007-ssh-tunnels.html (6103B)
<h2>Rationale</h2>

<p>Corporate and academic networks are closed by design, with routers
and firewalls forwarding and filtering the traffic going to and from
the wider internet. For security reasons this is a necessity, as the
gatekeeping prevents unwanted incoming connections to the networked
devices.</p>

<p>However, it is often necessary to reach internal devices or
services from the outside. This could be the case if an employee
needs to access a shared database on the company network, or a
subscription website only grants full access from a certain range
of IP addresses. Network administrators usually offer virtual
private network (VPN) access for such purposes. Unfortunately,
VPN access occasionally requires particular client software that may
not work on all operating systems. In other cases, the network
administrators may impose strict requirements on the remote system
before allowing VPN access.</p>

<pre><code> ###### Closed Network ######
 #                          #
 #  +----------+      +----------+      +----------+
 #  |  Office  |      | Router/  |  ?   | Outside  |
 #  | Computer |<~~~~>| Firewall | ? ?  | Computer |
 #  +----------+      +----------+      +----------+
 #                          #
 ############################
</code></pre>

<p>So what do you do if you need outside access to a network, have no
administrative rights over the router and firewall, and cannot (or
don't want to) use the VPN? Fortunately, OpenSSH, the widely used
secure shell (SSH) implementation, offers simple and secure solutions
to this problem. Almost all Linux/BSD/UNIX/macOS systems ship with
OpenSSH preinstalled, so you might already have it on your system.</p>

<p>If you can access the closed network from the outside via SSH, this
makes things straightforward, as described in Scenario 1 below.
If not, see Scenario 2.</p>


<h2>Scenario 1: SSH access available from the outside</h2>

<p>Some networks are configured to allow outsiders to connect to an
internal SSH server through port forwarding on the network router:</p>

<pre><code> ###### Closed Network ######
 #                          #
 #  +----------+      +----------+      +----------+
 #  |  Office  | SSH  | Router/  | SSH  | Outside  |
 #  | Computer |<~~~~~| Firewall |<~~~~~| Computer |
 #  +----------+      +----------+      +----------+
 #                          #
 ############################
</code></pre>

<p>For the purposes described here, this is an ideal situation, since
it is easy to create a tunnel that connects the outside computer
with the internal network via SSH. The following command creates
the tunnel when executed on the outside computer:</p>

<pre><code>$ ssh -D 1337 -C -N company-domain.com
</code></pre>

<p>The -D option makes ssh listen on the given local port as a SOCKS
proxy and send every connection accepted there through the SSH
connection, so that it emerges from the SSH server inside the closed
network. The port number should be 1024 or greater when running as an
unprivileged (non-root) user, since the lower ports are reserved for
root. The -N option tells ssh not to request a remote shell, as only
the forwarding is wanted. The -C option turns on compression, which is
useful for slow network connections at the cost of a little CPU
overhead. By default the proxy listens on the loopback interface
only; leave it that way. Binding it to all interfaces (for example
-D 0.0.0.0:1337) turns the outside computer into an unauthenticated
entry point to the closed network for anyone who can reach that
port.</p>

<p>With the SSH tunnel in place, you can make most web browsers and
other network programs on the outside computer use the tunnel for
all their network traffic by pointing them to the SOCKSv5 proxy
"socks://localhost:1337". This allows programs on the outside
computer to reach any device within the closed network. Make sure the
program also resolves host names through the proxy (in Firefox this is
the "Proxy DNS when using SOCKS v5" setting; curl has the
--socks5-hostname option). Otherwise internal-only host names will not
resolve on the outside computer, and every name you look up is leaked
to the local resolver. Connections to the wider internet through the
tunnel will originate from an IP address associated with the closed
network, achieving the objectives stated above.</p>


<h2>Scenario 2: SSH access unavailable from the outside</h2>

<p>Unfortunately, outside SSH access to corporate networks is becoming
increasingly rare.
However, the OpenSSH toolset again offers a
solution if you have a persistent SSH server outside the network
at your disposal:</p>

<pre><code> ###### Closed Network ######
 #                          #
 #  +----------+      +----------+      +----------+      +----------+
 #  |  Office  | SSH  | Router/  | SSH  | Outside  | SSH  | Outside  |
 #  | Computer |<~~~~>| Firewall |<~~~~>|  Server  |<~~~~~|  Laptop  |
 #  +----------+      +----------+      +----------+      +----------+
 #                          #
 ############################
</code></pre>

<p>As long as you can initiate <em>outgoing</em> SSH connections from inside
the closed network to your outside SSH server, you can create a
reverse SSH tunnel and use it in much the same way as in the
previous scenario. Bear in mind that such a tunnel is a persistent,
unsolicited path into the network that its firewall was configured to
prevent: on a corporate network it needs the administrators' approval,
and it is exactly the pattern that intrusion monitoring looks for. On
the office computer, create a reverse tunnel to the outside
server:</p>

<pre><code>$ ssh -f -N -R 10022:localhost:22 outside-server.com
</code></pre>

<p>The -R option asks the outside server to listen on port 10022 and
to forward every connection it accepts there back through the tunnel
to port 22 on the office computer. The outside server binds that port
on its loopback interface only (unless its sshd has GatewayPorts
enabled), so only users logged in to the outside server can reach the
office computer through it. The -f option puts ssh in the background
once the connection is up. As long as the above command runs, you can
initiate new SSH connections from the outside server to the office
computer with the command <code>ssh -p 10022 localhost</code>. If you
are working from an outside laptop, you can use this reverse tunnel to
connect to the office computer and network. Add the following
configuration to <code>~/.ssh/config</code> on the outside laptop:</p>

<pre><code>Host office_computer
    ProxyCommand ssh -q outside-server.com nc localhost 10022
</code></pre>

<p>This logs in to the outside server and uses nc(1) there to relay
the connection to the forwarded port. If nc is not installed on the
outside server, the ssh client's own -W option performs the same relay
without any helper program:
<code>ProxyCommand ssh -q -W localhost:10022 outside-server.com</code>.
With the above configuration, it is very easy to establish an SSH
connection from the outside laptop to the office computer:</p>

<pre><code>$ ssh office_computer
</code></pre>

<p>On the first connection, compare the host key fingerprint that ssh
shows with the one printed on the office computer itself (for example
by <code>ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub</code>).
With two machines in the path, a mismatch here is the only warning you
get that something other than the office computer answered. As in the
previous example, you can use this setup to create an SSH tunnel all
the way from the outside laptop to the office computer:</p>

<pre><code>$ ssh -D 1337 -C -N office_computer
</code></pre>

<p>Again, this creates a SOCKSv5 proxy that you can use for tunneling
network traffic from the outside laptop to the closed network.
It 132 is useful to automatically monitor the tunnel status using pgrep(1), 133 and reinitialize it if the ssh command unexpectedly quits.</p> 134 135 136 <h2>References</h2> 137 138 <ul> 139 <li>OpenSSH: <a href="https://www.openssh.com/">https://www.openssh.com/</a></li> 140 <li>ssh(1) manual page: <a href="https://man.openbsd.org/ssh">https://man.openbsd.org/ssh</a></li> 141 <li>gramscii(1), used for drawings in this post: git://bitreich.org/gramscii</li> 142 </ul> 143 144 <p>Thanks to KatolaZ for feedback on this post.</p>