How To Create Encrypted Tunnels with SSH Port Forwarding on Linux
2 - 4 min read
Feb 04, 2024
Secure Shell (SSH) is a powerful tool with many cool tricks to help make your life a bit easier. Today, we will discuss port forwarding, which can be used to:
- Access a server you may not have otherwise been able to.
- Access a remote computer with more security.
- Allow a temporary encrypted tunnel to be created from your local computer to a remote device.
SSH port-forwarding comes in three types: local, remote, and Dynamic.
Port forwarding can be a complex process. We'll only cover the two first types of port-forwarding (local and remote) here. You'll use these types of SSH Port Forwarding the most.
SSH port-forwarding is included by default in SSH, so if you already have SSH installed, you can use this feature.
Now, let me explain how SSH port forwarding works.
Install the OpenSSH Server
SSH is probably already installed on your Linux distribution. You'll also need to add the SSH server if you want port forwarding. You can install it by logging into your Linux system and installing the Ubuntu distribution as follows:
Install openssh server with sudo apt get -y
This command is:
sudo dnf install openssh-server -y
Start and enable the server on Ubuntu-based distributions with the following command:
Sudo systemctl - now ssh
The start/enable command on a RHEL distribution is:
Sudo systemctl - now sshd
SSH Local Port Forwarding
Local port forwarding is the first type we will cover. Imagine you are developing a site and want to be accessible via a secure connection. The new site can be located on your local network or on a server remote. You can connect using the remote SSH from a local to a remote port.
Say you want to forward an IP address of 192.168.1.11 via SSH and use the local port 8080. This would require the following command:
ssh -L 8080:192.168.1.11:80 localhost
The command prompt will appear after you are asked for your SSH password. Open a web browser and navigate to the following URL:
localhost:8080
The remote site (at 192.168.1.11) will appear in your web browser. It is tunneled using SSH encryption.
The encrypted tunnel will continue to work as long as the terminal window is "logged in". Close the encrypted tunnel by typing:
exit
SSH Remote Port Forwarding
This type of port-forwarding is more useful, as it allows you to give others access via an encrypted tunnel to a remote computer. You may want to ensure the connection to your server is encrypted to protect it. You would need to have VNC installed on both the server and client machines.
In this example, the remote machine will be 192.168.1.11, and the client computer will be 192.168.1.21. SSH access is required on the client machine.
You must first perform a basic SSH configuration. Open the SSH configuration file using the following command:
sudo nano /etc/ssh/sshd_config
Add the following line at the end of the file:
GatewayPorts Yes
Close the file. Start SSH using either:
sudo systemctl restart ssh
You can also find out more about
sudo systemctl restart sshd
Let's now create the remote VPN tunnel. Run the following command to create a tunnel for VNC, which runs on port 5900.
ssh -R 5900:localhost:5900
USERNAME is the username of the machine on which you have remote access. The SSH remote tunnel will be up and running once you have authenticated the user. The other user can then connect using a VNC Client, localhost, and port 5900.
Even if the remote user disconnects the VNC connection, there is no need to worry, as the tunnel will continue to run. Close the tunnel by typing exit in the remote server terminal.
SSH is the best way to create encrypted tunnels. Once you master the art of creating tunnels, they'll be useful in various scenarios.
Have additional questions? Connect with us on X @lnxsec - we're here to help!
