# Tunnelling SSH though a firewall with ssh -L



## Carpetsmoker (Nov 13, 2010)

Hereâ€™s a little tip on how to tunnel ssh through another machine with the [font=mono]-L[/font] option. While not terribly difficult, I did spend some time figuring this outâ€¦Maybe this will save someone else some time ;-)

The network setup at work (simplified):


```
[ Workstation ]
          |
          |
     [ Firewall ]
          |
          |
   ~ The Internet ~
          |
          |
   [Public webserver]
```

The problem is connecting to public webserver from my workstation, I had to first ssh or sftp to the Linux firewall, and from that to the webserver.

There has to be an easier way â€¦ And a look at the SSH manpage provided the answer: The [font=mono]-L[/font] option.

Excerpt from From [font=mono]ssh(1)[/font]:


```
-L [bind_address:]port:host:hostport
               Specifies that the given port on the local (client) host is to be
               forwarded to the given host and port on the remote side.  This
               works by allocating a socket to listen to port on the local side,
               optionally bound to the specified bind_address.
```

Let me just give you an example on how to create the tunnel:


```
$ ssh -f -N -p 22 username@firewall -L 2844/webserver.example.com/22
```

To briefly explain what the other options mean:


[font=mono]-f[/font] Runs the tunnel in the background.
[font=mono]-N[/font] Don't execute a login command, just setup the tunnel.
[font=mono]-p[/font] Connect to the firewall on port 22

You can now connect with ssh, sftp, or scp though [font=mono]localhost:2844[/font]


```
$ ssh -p 2844 myusername@localhost
  $ scp -P 2844 file.tar.gz myusername@localhost:file.tar.gz
```

Note that [font=mono]ssh(1)[/font] requires [font=mono]-p[/font] and [font=mono]scp(1)[/font] [font=mono]-P[/font].

*Testing*
For debugging, donâ€™t forget you can specify [font=mono]-v[/font] up to three times to get more information about whatâ€™s going on. In addition, itâ€™s probably best to test with [font=mono]telnet[/font] since this excludes things like authentication problems.


```
$ telnet localhost 2844
  Trying ::1...
  Connected to localhost.
  Escape character is '^]'.
  SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
```

If you donâ€™t see the last line, something is wrong.

*Bonus tip*
As a free complimentary bonus tip, itâ€™s also very easy to setup a convenient shortcut in [font=mono]~/.ssh/config[/font]


```
Host webserver
  	Hostname localhost
  	Port 2844
  	User myusername
```

*Further reading*
[font=mono]ssh(1)[/font] 
[font=mono]ssh_config(5)[/font]


----------



## phoenix (Nov 14, 2010)

Another way to do the same, using nc(1) (aka netcat) and ProxyCommand in OpenSSH:

sshproxy

```
#!/bin/sh

# $1 is the proxy server
# $2 is the port on the proxy
# $3 is the remote host to connect to
# $4 is the remote port to connect to

if [ -z "$4" ]; then
        remoteport=22
else
        remoteport=$4
fi

ssh -q -p $2 $1 "nc $3 $remoteport"
```

.ssh/config

```
Host host-you-want-to-connect-to
        ProxyCommand ~/scripts/sshproxy firewall-to-bounce-off 22 %h %p
```

Then, it's a simple `$ ssh host-you-want-to-connect-to` and OpenSSH takes care of the rest.  First by connecting to *firewall-to-bounce-off*, then running netcat to the SSH server on *host-you-want-to-connect-to*, and passing traffic from one SSH connection to the other.

While there are more steps involved in setting this up initially, the nice thing about it is that your SSH commands are always the same:  ssh someserver.  And, the configuration is saved/handled via the SSH config file, which is portable between systems (so long as the proxyssh script is installed).

If netcat is installed as something other than nc, or if the remote "bounce" server uses the GNU netcat, you would either have to edit the script, or create symlinks.  Or, just install a BSD version of netcat, since it works better anyway.


----------



## Carpetsmoker (Nov 14, 2010)

That's quite clever.


----------



## sossego (Apr 17, 2012)

How does one properly ssh tunnel to a specific computer within a network if

*t*he IP address of the physical location is DHCP,
the computer with the internal address is not on a constant connection and is given an ad*d*ress by DHCP

???

I'm aware that the computer can be allowed direct access to the internet; but, for now, I'd rather have the added safety of the router.

Apologies for necro-posting.


----------



## SirDice (Apr 17, 2012)

sossego said:
			
		

> How does one properly ssh tunnel to a specific computer within a network if
> 1) the IP address of the physical location is DHCP,
> and
> 2)the computer with the internal address is not on a constant connection and is given an adress by DHCP


Use the hostname. It doesn't need to resolve on the 'outside' as long as it resolves on the 'inside'.


----------



## zennybsd (Apr 18, 2012)

*poorman's vpn: sshuttle ;-)*

@Carpetsmoker & @phoenix: Thanks for sharing. I used to tunnel either using ssh or nc in the past.

Since I found sshuttle (https://github.com/apenwarr/sshuttle), I have been using it with my GNU/linux local clients. it is like creating vpn without openvpn or ipsec installed on the serverside. Pretty easy and impressive (though gpl2-licensed). 

A single command makes a vpn-looking tunnel on the fly including dns-resolution proxied to the remote server:


```
%sshuttle -dns -vvr remoteserver_username@remoteserver_address 0/0
```

However it needs the sudo passwd to reconfigure the iptables for all applications in the local client. Also ask passwords two times: the local client sudo passwd first and then the remote host's user password.

A nice piece of work, I prefer to call poorman's vpn script. have a look at the site. 

Maybe something worth porting to *BSD! JFYI.


----------

