Lyndi Castrejon

SSH Tunneling: What It Is and How to Set It Up

What is SSH Tunneling?

Let's say that you want to access remote services (e.g., a database or web server) securely over an untrusted network -- like the internet. How can you do so without exposing your data to bad actors? SSH tunneling is a basic technique to do this.

An SSH tunnel creates a secure connection between a local computer and a remote server -- similarly to a VPN. It encrypts the data sent between the two endpoints, making it difficult for eavesdroppers to intercept the connection.

How to Set Up an SSH Tunnel

Setting up an SSH tunnel is straightforward, using a single ssh command:

ssh -D 8080 -N -f -l <USERNAME> <REMOTE_SERVER_IP> -p <PORT>

Here's what that really means:

  • -D 8080: This flag tells SSH to listen on port 8080 on your local machine and act as a SOCKS proxy (dynamic port forwarding). By contrast, -L forwards a local port to one fixed destination and must be given that destination, so -L 8080 on its own is rejected.
  • -N: This flag tells SSH not to execute any remote commands (useful for port forwarding).
  • -f: This flag tells SSH to run in the background (daemon mode). No need to keep the terminal open. This is useful when you want to keep the tunnel open for an extended period.
  • -l <USERNAME>: This flag specifies the username to use when connecting to the remote server.
  • <REMOTE_SERVER_IP>: This is the IP address of the remote server you want to connect to. Alternatively, you can use the domain name if one has been assigned.
  • -p <PORT>: This flag specifies the port number to connect to on the remote server. You will need an open port on the remote server to connect to.

Additional flags:

  • -v: This flag enables verbose mode, which can be helpful for debugging. I prefer to use it when setting up the tunnel so I can see what's happening. When the tunnel runs in the foreground (without -f), ctrl+c will exit verbose mode and close the connection.
  • -C: This flag enables compression, which can speed up the connection if you're transferring large files.

Helpful Tools

FoxyProxy

In a browser, you can use a tool like FoxyProxy to route your browser traffic through the SSH tunnel. This is useful when you want to access web services running on the remote server.

autossh

autossh is a tool that automatically restarts the SSH tunnel if the connection is lost. This is useful for long-running connections where you want to ensure the tunnel stays open.

Try It Out Using a DigitalOcean Droplet

Let's set up a simple VPS to test this out ourselves. For this example, I'll use a DigitalOcean droplet. You can use any VPS provider you like.

  1. Create a new droplet on DigitalOcean.
  2. Copy the IP address of the droplet.
  3. Run the following command on your local machine:
ssh -D 8080 -N -f -l root <REMOTE_SERVER_IP> -p 22

Replace <REMOTE_SERVER_IP> with the IP address of your droplet. This command opens a SOCKS proxy on local port 8080 and tunnels its traffic over SSH to the remote server.

  4. Open your browser with FoxyProxy installed and set up a new SOCKS5 proxy to route traffic through localhost:8080.
  5. To close the tunnel, run the following command:
ps aux | grep ssh

Find the process ID of the SSH tunnel and kill it using kill -9 <PID>.
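`ps aux | grep ssh` also lists sshd and any interactive SSH sessions, so it is easy to kill the wrong process. The script below is an added example, not part of the original post: it picks the tunnel out by its listening port and reports whether the listener is bound to loopback only. It assumes a Linux host with `ss` from iproute2; the function names are hypothetical and the sample socket table is constructed.

```shell
#!/bin/sh
# Constructed sample in the layout of `ss -H -ltnp` (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("ssh",pid=4242,fd=5))
LISTEN 0 128 [::1]:8080 [::]:* users:(("ssh",pid=4242,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 128 0.0.0.0:1080 0.0.0.0:* users:(("ssh",pid=5151,fd=5))'

# ssh_listeners: read `ss -H -ltnp` text on stdin and print "pid port scope"
# for every listening socket owned by the ssh client (sshd is skipped).
# scope is "loopback" when only this machine can reach the listener,
# "EXPOSED" when it is bound to an address other hosts can connect to.
ssh_listeners() {
  awk '
    $1 == "LISTEN" && $NF ~ /\(\("ssh",pid=[0-9]+/ {
      port = $4; sub(/.*:/, "", port)          # text after the last colon
      host = $4; sub(/:[0-9]+$/, "", host)     # bind address without the port
      pid = $NF; sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
      scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "EXPOSED"
      line = pid " " port " " scope
      if (!(line in seen)) { seen[line] = 1; print line }  # IPv4+IPv6 pair -> one row
    }'
}

# tunnel_pid PORT: print the PID of the ssh client listening on PORT, if any.
tunnel_pid() {
  ssh_listeners | awk -v p="$1" '$2 == p { print $1; exit }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | ssh_listeners

# Live use (without root, ss -p only shows your own processes):
#   ss -H -ltnp | ssh_listeners
#   pid=$(ss -H -ltnp | tunnel_pid 8080); [ -n "$pid" ] && kill "$pid"
```

A plain `kill` (SIGTERM) is enough to close the tunnel; an EXPOSED row means other hosts that can reach that port could use the proxy.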

Advanced Tips

If you are doing this on your own VPS, it's advisable to open a different port and close port 22, as this is the default SSH port and is frequently targeted by bots/attackers. You can also set up a firewall to restrict access to the SSH port.

Additionally, it's a good idea to set up key-based authentication instead of password-based authentication for better security. This will prevent brute-force attacks on your server and it also makes it quicker to connect to the server.

Things to Keep in Mind

SSH tunneling is a powerful tool, but it's important to use it responsibly. Make sure you have permission to access the remote server and that you're not violating any laws or terms of service agreements. Always secure your server and keep your software up to date to prevent unauthorized access.