Remote computer access (both ways) with ssh port forwarding
Today I’ll describe how to use port forwarding to access just about anything between two computers you have access to. If you’re not already using port forwarding then chances are pretty good you don’t know what it can do for you. Chances are even better that you don’t care about it and won’t after reading all of this, but it’s still worth understanding a couple of the things it can do for you, so consider going through a couple of these first bullets before moving along.
Why you might want SSH port forwarding
The typical uses can be lumped into one of a couple categories: you want to do something from a computer but that network is trying to block you, you want to do something from a computer but don’t trust the network security, or you want to do something from a computer but don’t have the right configuration set up between computers to allow you to take that action. Some specific examples include…
- Bypassing remote computer security restrictions - a certain company I used to work for required that we use a bunch of shitty RAS software and smartcard to connect from home to the corporate work network. In principle I have no problem with the idea of “we want to secure our network” but in practice, the software was written by trained monkeys and was painfully slow to connect, frequently wouldn’t work, and completely impossible to debug when it (inevitably) failed to work.
- Accessing some remote computer with a single, simplified configuration setting - rather than set up port forwarding in a router for every remote application you want to allow, you set up one setting for ssh and then tunnel all your traffic through that port.
- Accessing another computer securely - ssh is secure shell. All of the network activity over it is encrypted so you can securely send credit card numbers on web forms, etc. if you are on a network that you don’t necessarily trust.
- Bypassing network constraints from one network - maybe your work proxy forbids you from going to flickr or it stops you from listening to streaming audio - with port forwarding you can route your work computer, through the tunnel, to your home computer and to the internet.
Setting up SSH port forwarding
The model includes two computers and two networks and I’ll refer to these as WorkPC/WorkNet (the external computer) and HomePC/HomeNet (your personal computer).
First you need to get HomePC set up to allow ssh and remote connections
- To begin, you need the ssh server (sshd) installed on HomePC. On a Windows PC the easiest way to get this is to install and configure cygwin since cygwin includes sshd. You need to do a little fiddling with sshd to get it working (creating the user account that will have ssh access and possibly modifying /etc/sshd_config), but this is pretty straightforward.
- Second, you need to be able to access HomePC remotely. Most people have DSL or cable modem or some sort of dynamic IP address for their home networks (you can go to whatismyip.com to see what yours currently is). These don’t change frequently, but they do change, and besides this it’s much more convenient to be able to access your computer with a hostname like HomePC.kicks-ass.org than trying to remember the IP. So sign up for free dynamic DNS hosting from dyndns.com, then configure your router to take advantage of this (almost every cable modem or DSL or wi-fi router has the feature to talk with dyndns). Basically you’re saying “hey, dyndns, I want to be HomePC.kicks-ass.org” and then telling your router “if the IP ever changes, please tell dyndns so they update the routing appropriately.”
- Now in your router create the single application port forward that has traffic from outside HomeNet on the port you have sshd running on go to HomePC. The default ssh port is 22 but this can be customized in /etc/sshd_config in cygwin. You might find it worthwhile to change the port to something like 110, too, because at WorkNet they might block traffic over port 22 (since that is used by default for things like I’m describing) but port 110 will probably be left open (since 110 is normally used for email (SMTP), but you probably aren’t running an email server at home so you won’t miss having port 110 available for this).
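The /etc/sshd_config lines on the cygwin HomePC that go with the three steps above, as an added example that is not from the original post; the account name homeuser is hypothetical, and the key-only login and GatewayPorts lines are hardening I would add because this port is reachable from the whole internet.

```text
# Added example, not from the original post. sshd_config does not allow
# trailing comments, so each note sits on its own line.

# The non-default port discussed above; forward only this port in the router.
Port 110

# Only the dedicated ssh account (hypothetical name) may log in.
AllowUsers homeuser
PermitRootLogin no

# Use a key pair instead of a password; the port is exposed to the internet.
PubkeyAuthentication yes
PasswordAuthentication no

# Needed for the -L/-R tunnels; keep forwarded listeners on localhost only
# so nothing else on HomeNet (or the internet) can connect through them.
AllowTcpForwarding yes
GatewayPorts no
```

After editing, restart sshd so the new port takes effect and confirm with a second session before closing the one you are in.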
Second, you need WorkPC to be able to connect to HomePC.
- This is really pretty straightforward. You just need an SSH client on WorkPC to talk with the ssh server you just set up on homepc.kicks-ass.org (or whatever hostname you got from dyndns). I use putty for Windows, but if you have cygwin installed on WorkPC that also has the basic ssh command line application. And when just trying to set up port forwarding, I usually use this portforwarder which is a small application designed to just set up the ssh connection and do port forwarding.
Using port forwarding
Now that you have everything on both computers that you need to take advantage of port forwarding, here’s how you’ll do it. The typical first application is setting up a local forward entry that says “local traffic on port X should go to the remote computer on port Y.” Here are some specific applications where you’re trying to get from WorkPC to HomePC.
- Say HomePC is streaming music over port 8000 but your work has this port blocked so you can’t get to the music server on http://homepc.kicks-ass.org:8000/. On WorkPC’s ssh client, you might set up a local forward entry for port 8000 to talk with HomePC port 8000. Then when you connect to http://localhost:8000/, that traffic gets tunneled by ssh from WorkPC to HomePC through the single ssh session which is happening on port 22.
- Say HomePC has remote access set up so you can run the Windows Remote Desktop client to get to your home computer but your work is blocking traffic on port 3389 (the default remote desktop port). On WorkPC’s ssh client, you might set up a local forward entry for port 4389 to talk with HomePC’s port 3389. Then if you fire up the Remote Desktop Client and tell it to connect to localhost:4389, that traffic also gets tunneled by ssh from WorkPC to HomePC through the ssh connection on port 22.
This is really pretty sweet. If you changed your ssh server port from the default (22) to the default email port (110) then on the work network all the traffic just looks like email. If you’re streaming music then it will probably look kind of suspicious that you’re downloading email continuously all day long (rather than in the short bursts of send/receive that normally happen), but it all just looks like email.
Also, notice that on HomePC you only needed to configure your router to allow ssh access. All the other traffic gets configured inside ssh and you can manage that from outside your home network.
Using remote (reverse) port forwarding
The next most interesting scenario is using port forwarding to tunnel in the opposite direction - from HomePC to WorkPC. Generally you won’t be able to follow the above steps for going from HomePC to WorkPC. That is, you won’t be able to configure WorkNet so that WorkPC is available to the outside world. Instead, you’ll want to set up remote forwarding. Remote forwarding is just like regular forwarding except that it says “remote traffic on port X should go to the local computer on port Y.”
- So if you aren’t finished with work but need to go home and would then like to use the Remote Desktop Client from HomePC to connect to WorkPC, you might set up a remote forward entry that says that traffic from the remote computer on port 4389 should go to the local computer on port 3389 (which is still the default port for remote desktop connections).
- Then you’ll fire up putty or ssh or portforwarder with that remote forwarding entry and leave the connection open when you go home. When you get home, you’ll fire up the Remote Desktop Client and have it connect to localhost:4389 and the ssh connection you set up at work will be listening on the home computer and your home computer will now talk through ssh to your work computer and voila, you’ve just remoted to WorkPC.
Tunneling web browser traffic with SSH port forwarding
Finally I mentioned securing your web browsing from WorkPC. This gets more complicated but you’d set it up with something like the following.
- On HomePC you would set up some web browsing proxy. On my windows PC I use privoxy and will say “privoxy” below when I mean “whatever browser proxy you set up.” This proxy will run over some port like 8080.
- Aside… there are advantages to running your own proxy, so even if you don’t want to use it for the remote tunneling scenario I’m describing here, you might decide this is worthwhile. Some of those advantages include…
  - Setting up adblocking. Set it up once inside privoxy and then just configure your various browsers and clients to browse through privoxy and they’ll all get the ad blocking features (even if it’s a browser that doesn’t support this very well by default vs. one that does).
  - Stop your kids from accessing porn. I’m not sure how to set this up because if I’m paying comcast $50 a month for anything, it’s not “less porn,” but you could configure privoxy to stop access to certain sites and then (again) all the browsers that go through privoxy will get that centralized site blocking (rather than you having to set up some custom software on all the computers you want to control access on).
- OK, now you have privoxy running and on HomePC if you configure your browser to use the proxy on localhost port 8080, all your traffic will go through privoxy.
- Again, on WorkPC you’d set up a local forward entry so that port 8080 on WorkPC goes to port 8080 on the remote computer. Then you configure your browser on WorkPC to use the proxy on localhost port 8080 and (again, while the ssh connection is active) it will be tunneled from WorkPC via ssh to the HomePC on port 8080 where privoxy is listening and will send your traffic back out to the internet. And now your web browsing at work just looks like more traffic over port 22 (or more email over port 110 if you configured sshd_config to behave that way).
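The local forwards (music, Remote Desktop, privoxy), the remote forward for getting back to WorkPC, and the checks I would run on a tunnel left open all day, driven from one script with the OpenSSH command-line client, as an added example that is not from the original post. It assumes sshd on HomePC listens on port 110 as suggested above, the dyndns hostname used in the post, and a hypothetical account name homeuser.

```shell
#!/bin/sh
# Added example, not code from the original post: opens the tunnels described
# above from WorkPC with the OpenSSH client (cygwin or Linux). Assumed: sshd on
# HomePC listens on port 110 as suggested, the account is "homeuser"
# (hypothetical) and the hostname is the dyndns name used in the post.
HOME_HOST="homepc.kicks-ass.org"
HOME_USER="homeuser"
SSH_PORT=110

# forward_args L|R pair...   Each pair is "listenport:targetport".
#   L: WorkPC listens, traffic goes to HomePC         (ssh -L)
#   R: HomePC listens, traffic comes back to WorkPC   (ssh -R)
# The listener is pinned to 127.0.0.1 so only the machine that owns the tunnel
# endpoint can use it, not every host on WorkNet or HomeNet.
forward_args() {
    dir=$1; shift
    case "$dir" in L|R) ;; *) echo "direction must be L or R" >&2; return 1;; esac
    args=""
    for pair in "$@"; do
        case "$pair" in *:*) ;; *) echo "bad port spec: $pair" >&2; return 1;; esac
        lport=${pair%%:*}; rport=${pair##*:}
        case "$lport$rport" in *[!0-9]*|"") echo "bad port spec: $pair" >&2; return 1;; esac
        args="$args -$dir 127.0.0.1:$lport:localhost:$rport"
    done
    printf '%s' "${args# }"
}

# Options worth setting on a tunnel you leave open all day:
#   -N                    no remote shell, forwards only
#   ExitOnForwardFailure  fail loudly if a listen port is already taken
#   ServerAliveInterval   keep NAT/proxy state alive and notice a dead link
SSH_OPTS="-N -p $SSH_PORT -o ExitOnForwardFailure=yes -o ServerAliveInterval=60"

# Did a local forward actually come up? (ss on Linux, netstat on cygwin)
tunnel_listening() {
    { ss -ltn 2>/dev/null || netstat -an 2>/dev/null; } | grep -q "127\.0\.0\.1:$1[[:space:]]"
}

case "${1:-}" in
  work)  # at WorkPC: music (8000), Remote Desktop to home (4389->3389), privoxy (8080)
    fwd=$(forward_args L 8000:8000 4389:3389 8080:8080) || exit 1
    ssh -f $SSH_OPTS $fwd "$HOME_USER@$HOME_HOST" || exit 1      # -f: background after auth
    for p in 8000 4389 8080; do tunnel_listening "$p" || echo "forward on $p is not up" >&2; done ;;
  home)  # before leaving work: let HomePC reach WorkPC's Remote Desktop via localhost:4389
    fwd=$(forward_args R 4389:3389) || exit 1
    exec ssh $SSH_OPTS $fwd "$HOME_USER@$HOME_HOST" ;;
esac
```

Run it as `sh tunnel.sh work` at the start of the day and `sh tunnel.sh home` before you leave; on HomePC, privoxy should likewise be told to listen on 127.0.0.1:8080 only, so the tunnel is the sole way in.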
Closing remarks
I (clearly) think this is tremendously useful and I use it all the time. But it is important to understand why some network restrictions are in place. If your work forbids you from browsing to flickr then it might not be a good idea to set up ssh port forwarding to tunnel your browsing traffic to get around that. It could get you fired. Or if you want to surf the web for porn from work and want to set up access to your own personal proxy then you probably have a bunch of other problems and I can’t really advocate this use of port forwarding.
But there are a ton of legitimate uses and it can be tremendously useful. For instance I wouldn’t really recommend walking up to a computer in a cafe or a library, firing up an ssh connection with port forwarding to HomePC, and then using the browsing proxy and thinking “everything’s safe” because you have no idea if that cafe/library/whatever computer itself is safe. But if you bring your laptop to a public wifi spot and then set up the SSH connection while you take advantage of the (potentially insecure) wifi network, you can be a little less worried about whether your traffic on that connection is getting sniffed because it’s all encrypted with ssh.