How to connect to a service behind a firewall using ssh tunneling
When you have a service behind a firewall on a remote server, sometimes you want a simple way to connect to it without setting up port forwarding. Setting up an SSH tunnel is straightforward and reasonably secure, because your traffic is encrypted along its whole path. This is perfect for a quick and simple connection for yourself without sacrificing the security of your server.
Let’s get started with SSH tunnels
Before you start, if you’re connecting to a remote host over the internet, make sure that your SSH connection itself is secured. This tutorial assumes that you know how to do that. The SSH tunnel is only as secure as the SSH connection it runs over.
First, make sure that you can connect to the server using a normal SSH connection. For this demonstration, let’s say you have a server with the hostname “myremoteserver” and a shell on your local computer. To connect to it, issue the following command in your shell:
After that you should be connected. If you see an error or don’t know how to do this, you will need to learn how to set up and secure an SSH server before following this tutorial; after that, come back to learn how to tunnel like a pro 😊
Using your browser as if you were on the server
Let’s say you have Nginx Proxy Manager running on your web server and you would like to reach port 81, which is used by default for its administration page.
You can have ports 80 and 443 set up with port forwarding (open to the world), keep port 81 hidden, and set up your SSH tunnel accordingly:
ssh -N -L 1001:127.0.0.1:81 user@myremoteserver
Running the above command opens the tunnel; now if you open a browser and go to http://localhost:1001 you will see the NPM admin console. Great, isn’t it?
Keep the shell window open while you are using the tunnel, and stop it with CTRL + C.
Connecting to a remote MySQL instance
In this example you can use your PC as if it were the MySQL server, and I’ll break down the SSH tunnel command.
ssh -N -L 5001:127.0.0.1:3306 user@myremoteserver
With the above command you can connect to the remote MySQL instance just as if it were running on your local machine: your local computer’s port 5001 forwards everything securely to port 3306 (the default MySQL port) on the server side.
Let’s dissect the above command by looking at its parameters:
- -N: Does not execute a remote command. This is useful if you just want to forward ports;
- -L: Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side;
- The first port (5001) is your local port, which is mapped to the second port, in this case 3306. The “myremoteserver” part is just the remote server name you connect to.
If you want to see more ssh options, check ssh’s man page.
Now you can connect to it as if the MySQL instance were running on your own computer; just pass the --port parameter to tell the mysql client to use port 5001 instead (remember that we specified that port in the command; you could use the default too, I just changed it to make the command clearer):
mysql -h 127.0.0.1 --port=5001 -u MYUSERNAME -p
This is very useful: imagine you are developing an app and want to connect to a remote database just as if the app were running on the remote server. You just set up this tunnel and develop with peace of mind that you are not opening a security hole just to test something out.
For security reasons, in most operating systems ports below 1000 can require admin permissions to open. So if you don’t need such a port, stay above 1000; that way you avoid needing admin permissions to run a tunnel.
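To tie the two tunnels above (NPM on port 81, MySQL on port 3306) and the port rule together, here is a small shell wrapper. It is an added example, not part of the original tutorial: it builds the same ssh -N -L command, refuses local ports at or below 1000 so you never need admin rights, binds the local side to 127.0.0.1 so the forwarded port is not reachable from your LAN, and waits until the local port actually accepts connections before you launch a browser or mysql client. The user name "user" and the host "myremoteserver" are placeholders.

```shell
#!/bin/sh
# Added example wrapper for "ssh -N -L" tunnels (not from the original tutorial).
# "user@myremoteserver" and all ports are placeholders you replace with your own.

# Build the ssh command for LOCAL_PORT -> REMOTE_HOST:REMOTE_PORT through SSH_TARGET.
# Refuses local ports at or below 1000, which may require admin permissions to open.
build_tunnel_cmd() {
    local_port=$1; remote_host=$2; remote_port=$3; ssh_target=$4
    case "$local_port" in
        ''|*[!0-9]*) echo "local port must be numeric: '$local_port'" >&2; return 1 ;;
    esac
    if [ "$local_port" -le 1000 ] || [ "$local_port" -gt 65535 ]; then
        echo "choose a local port between 1001 and 65535 (got $local_port)" >&2
        return 1
    fi
    # -N: run no remote command, only forward ports
    # -f: go to the background once the forward is established
    # -o ExitOnForwardFailure=yes: exit instead of silently running without the forward
    #    (for example when the local port is already taken)
    # 127.0.0.1 as bind address: the forwarded port listens on loopback only
    echo "ssh -N -f -o ExitOnForwardFailure=yes -L 127.0.0.1:${local_port}:${remote_host}:${remote_port} ${ssh_target}"
}

# Poll until something listens on HOST:PORT, trying once per second up to TRIES times.
# Uses bash's /dev/tcp so no extra tools (nc, ss) are needed.
wait_for_port() {
    host=$1; port=$2; tries=${3:-10}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Open the tunnel and block until the local port accepts connections.
open_tunnel() {
    cmd=$(build_tunnel_cmd "$@") || return 1
    echo "+ $cmd"
    eval "$cmd" || return 1
    wait_for_port 127.0.0.1 "$1" 10
}

# Usage (same two tunnels as the tutorial, with placeholder user and host):
#   open_tunnel 1001 127.0.0.1 81   user@myremoteserver   # then browse http://localhost:1001
#   open_tunnel 5001 127.0.0.1 3306 user@myremoteserver   # then: mysql -h 127.0.0.1 --port=5001 -u MYUSERNAME -p
# Because -f backgrounds ssh, stop a tunnel with: pkill -f 'ssh -N -f .*:5001:'
```

Without -f the command behaves exactly like the tutorial's (the shell stays attached and CTRL + C closes the tunnel); -f is used here only so the script can run the readiness check after ssh has established the forward. ExitOnForwardFailure is worth keeping even in the interactive form: without it, ssh prints a warning but stays connected when the local port is busy, and the client you then start talks to whatever else is listening on that port.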
Conclusions about using an SSH tunnel to connect to remote services
SSH is very powerful. In this tutorial you learned how to connect to a remote service by using a computer as a pivot in the middle of the connection. This method is perfect for casual connections while keeping the service hidden behind a firewall: only users with SSH access will be able to reach it. Keep in mind that if you have many services on different ports that you want to access, you may want to use a VPN server instead. Here on SlashLogs we have a tutorial on how to install and use a local VPN server on a Raspberry Pi, but it will work on any system.