adamsgaard.dk

my academic webpage
git clone git://src.adamsgaard.dk/adamsgaard.dk # fast
git clone https://src.adamsgaard.dk/adamsgaard.dk.git # slow

007-ssh-tunnels.txt (5707B)


## Rationale

Corporate and academic networks are closed by design, with routers
and firewalls forwarding and filtering content going to and from
the wider internet.  For security reasons this is an absolute
necessity, as the gatekeeping prevents unwanted incoming connections
to the networked devices.

However, it is often necessary to connect to internal devices or
services from the outside.  This could be the case if an employee
needs to access a shared database on the company network, or a
subscription website only allows full access from a certain range
of IP addresses.  Network administrators usually offer virtual
private network (VPN) access to achieve such goals.  Unfortunately,
VPN access occasionally requires particular software that may not
work on all operating systems.  In other cases, the network
administrators may enforce strict requirements on the remote systems
before allowing VPN access.

  ###### Closed Network ######
  #                          #
  #  +----------+      +----------+             +----------+
  #  |  Office  |      | Router/  |      ?      | Outside  |
  #  | Computer |<~~~~>| Firewall |    ?   ?    | Computer |
  #  +----------+      +----------+             +----------+
  #                          #
  ############################

So what do you do if you need outside access to a network, have no
administrative rights over the router and firewall, and cannot (or
don't want to) access via VPN?  Fortunately, OpenSSH, the widely
used secure shell (SSH) implementation, offers simple and secure
solutions to this problem.  Almost all Linux/BSD/UNIX/macOS systems
come with OpenSSH preinstalled, so you might already have it on
your system.

If you can access the closed network from the outside via SSH, this
makes things straightforward, as described in Scenario 1 below.  If
not, see Scenario 2.


## Scenario 1: SSH access available from the outside

Some networks are configured to allow outsiders to connect to an
internal SSH server through port forwarding on the network router:

  ###### Closed Network ######
  #                          #
  #  +----------+      +----------+      +----------+
  #  |  Office  |  SSH | Router/  |  SSH | Outside  |
  #  | Computer |<~~~~~| Firewall |<~~~~~| Computer |
  #  +----------+      +----------+      +----------+
  #                          #
  ############################

For the purposes described here, this is an ideal situation since
it is easy to create a tunnel that connects the outside computer
with the internal network via SSH.  The following command creates
the tunnel when executed on the outside computer:

    $ ssh -D 1337 -C -N company-domain.com

Note that the port number specified with the -D option should be
greater than 1000 when running as an unprivileged (non-root) user.
The -C option turns on compression, which is useful for slow network
connections at the cost of a little CPU overhead.

With the SSH tunnel in place, you can make most web browsers and
other network programs on the outside computer use the tunnel for
all their network traffic by pointing them to the SOCKSv5 proxy
"socks://localhost:1337".  This allows access from programs on the
outside computer to any device within the closed network.  Connections
to the wider internet utilizing the tunnel will originate from an
IP address associated with the closed network, achieving the
objectives stated above.
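The script below is an added example written for this page, not code from the original post. It starts the Scenario 1 tunnel on the outside computer, then verifies that the SOCKS port is bound to loopback only (so that other hosts on the outside computer's LAN cannot ride the tunnel into the closed network), and fetches a URL through the proxy. `company-domain.com` and port 1337 are the post's placeholders; the `ss -ltn` output format (Linux iproute2), the script name, and the use of ssh's ExitOnForwardFailure option and curl's --socks5-hostname flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): bring up the Scenario 1
# SOCKS tunnel on the outside computer and check how its port is bound.
# company-domain.com and 1337 are the post's placeholders; the `ss -ltn`
# output layout parsed below is assumed to be that of Linux iproute2.
set -u

SSH_HOST=${SSH_HOST:-company-domain.com}
SOCKS_PORT=${SOCKS_PORT:-1337}

# Start the tunnel in the background (-f). Binding to "localhost:PORT"
# explicitly keeps the proxy off the LAN, and ExitOnForwardFailure makes
# ssh exit non-zero if the port is already taken instead of quietly
# running without a proxy.
start_tunnel() {
    ssh -f -N -C -o ExitOnForwardFailure=yes \
        -D "localhost:$SOCKS_PORT" "$SSH_HOST"
}

# Classify how a TCP port is bound, reading `ss -ltn` output on stdin.
# Prints "loopback", "exposed" or "absent" and returns 0, 1 or 2, so the
# result can be used both by humans and by scripts.
socks_bind_state() {
    awk -v port="$1" '
        NR == 1 { next }                         # skip the header line
        {
            la = $4                              # "Local Address:Port"
            n = split(la, parts, ":")
            if (parts[n] != port) next           # some other listener
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1")
                loop = 1                         # loopback only: fine
            else
                wide = 1                         # 0.0.0.0, [::] or *: exposed
        }
        END {
            if (wide) { print "exposed";  exit 1 }
            if (loop) { print "loopback"; exit 0 }
            print "absent"; exit 2
        }'
}

# Fetch a URL through the proxy. --socks5-hostname hands the hostname to
# the proxy, so names are resolved inside the closed network rather than
# by the outside computer's resolver (which would fail for internal
# names and leak the lookup).
fetch_via_tunnel() {
    curl -sS --socks5-hostname "localhost:$SOCKS_PORT" "$1"
}

case ${1:-} in
    start) start_tunnel ;;
    check) ss -ltn | socks_bind_state "$SOCKS_PORT" ;;
    fetch) fetch_via_tunnel "$2" ;;
esac
```

Run `./socks-tunnel.sh start` (assumed file name) and then `./socks-tunnel.sh check`; it should print `loopback`. An `exposed` result means the proxy is reachable from other hosts, and the tunnel should be stopped and restarted with a loopback bind. The same resolution point applies to other programs: set `ALL_PROXY=socks5h://localhost:1337` rather than `socks5://`, since the `h` variant is what makes curl and git resolve names through the tunnel.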


## Scenario 2: SSH access unavailable from the outside

Unfortunately, outside SSH access to corporate networks is becoming
increasingly rare.  However, the OpenSSH toolset again offers a
solution if you have a persistent SSH server outside of the network
at your disposal:

  ###### Closed Network ######
  #                          #
  #  +----------+      +----------+      +---------+      +---------+
  #  |  Office  |  SSH | Router/  |  SSH | Outside |  SSH | Outside |
  #  | Computer |<~~~~>| Firewall |<~~~~>| Server  |<~~~~~| Laptop  |
  #  +----------+      +----------+      +---------+      +---------+
  #                          #
  ############################

As long as you can initiate *outgoing* SSH connections from inside
the closed network to your outside SSH server, you can create a
reverse SSH tunnel and utilize it in a similar manner as in the
previous scenario.  On the office computer, create a reverse tunnel
to the outside server:

    $ ssh -f -N -R 10022:localhost:22 outside-server.com

As long as the above command runs, you can initiate new SSH connections
from the outside server to the office computer with the command
`ssh -p 10022 localhost`.  If you're working from an outside laptop,
you can utilize this reverse tunnel to connect to the office computer
and network.  Add the following configuration to `~/.ssh/config`
on the outside laptop:

    Host office_computer
        ProxyCommand ssh -q outside-server.com nc localhost 10022

With the above configuration, it is very easy to establish an SSH
connection from the outside laptop to the office computer:

    $ ssh office_computer

As in the previous example, you can use this setup to create an SSH
tunnel all the way from the outside laptop to the office computer:

    $ ssh -D 1337 -C -N office_computer

Again, this creates a SOCKSv5 proxy that you can use for tunneling
network traffic from the outside laptop to the closed network.  It
is useful to automatically monitor the tunnel status using pgrep(1),
and reinitialize it if the ssh command unexpectedly quits.
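The following watchdog is an added example for the monitoring step just described; it is not code from the original post. It runs on the office computer and keeps the Scenario 2 reverse tunnel alive: the exact ssh command line doubles as the pgrep(1) pattern, so the check cannot be fooled by other ssh sessions, and ssh is started with ExitOnForwardFailure and ServerAlive options (real ssh_config keywords) so a dead connection or a stale remote port makes ssh exit, which the watchdog then notices. `outside-server.com`, 10022 and 22 are the post's values; the 30-second check interval and the keepalive numbers are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): keep the Scenario 2 reverse
# tunnel alive from the office computer, restarting ssh when it quits.
# outside-server.com, 10022 and 22 are the post's values; the interval
# and keepalive settings below are assumptions of this example.
set -u

OUTSIDE_SERVER=${OUTSIDE_SERVER:-outside-server.com}  # persistent server outside
REMOTE_PORT=${REMOTE_PORT:-10022}                      # port opened on that server
LOCAL_PORT=${LOCAL_PORT:-22}                           # office computer's sshd
INTERVAL=${INTERVAL:-30}                               # seconds between checks

# The exact command line of the tunnel. It is used both to start ssh and
# as the pgrep/pkill pattern, so only this tunnel is matched.
# ExitOnForwardFailure: exit if the remote port is still held by a stale
#   session, instead of running a useless connection without the forward.
# ServerAliveInterval/CountMax: notice a dropped link within ~45 s rather
#   than hanging on a dead TCP connection for hours.
tunnel_cmd() {
    printf 'ssh -o ExitOnForwardFailure=yes -o ServerAliveInterval=15 -o ServerAliveCountMax=3 -N -R %s:localhost:%s %s' \
        "$REMOTE_PORT" "$LOCAL_PORT" "$OUTSIDE_SERVER"
}

# Return 0 if a process with exactly this command line is running.
# -f matches the full command line, -x requires an exact match.
tunnel_running() {
    pgrep -f -x "$(tunnel_cmd)" >/dev/null
}

# Start the tunnel in the background. The substitution is deliberately
# unquoted so the shell splits it into ssh's arguments.
start_tunnel() {
    $(tunnel_cmd) &
}

# Stop the tunnel (and only the tunnel).
stop_tunnel() {
    pkill -f -x "$(tunnel_cmd)"
}

# Check every INTERVAL seconds and restart ssh when it has quit.
watch_tunnel() {
    while :; do
        if ! tunnel_running; then
            echo "$(date '+%F %T') tunnel down, restarting" >&2
            start_tunnel
        fi
        sleep "$INTERVAL"
    done
}

case ${1:-} in
    watch)  watch_tunnel ;;
    start)  start_tunnel ;;
    stop)   stop_tunnel ;;
    status) if tunnel_running; then echo up; else echo down; exit 1; fi ;;
esac
```

Run it as `./reverse-tunnel.sh watch` (assumed file name) from a terminal multiplexer or a user service; `status` returns a non-zero exit code when the tunnel is down, which makes it easy to hook into other monitoring. Because the office computer now accepts inbound logins through the outside server, the outside server's sshd configuration and the account used for the forward deserve the same care as the office network's own entry points.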


References:

- OpenSSH: https://www.openssh.com/
- ssh(1) manual page: https://man.openbsd.org/ssh
- gramscii(1), used for drawings in this post: git://bitreich.org/gramscii

Thanks to KatolaZ for feedback on this post.