For the longest time I didn’t realize how easy it was to use an SSH connection as a path to the services only available on the Local Area Network of an SSH-enabled machine. Now that I am “thinking with tunnels”, almost everything I use behind a firewall is through an SSH tunnel. Like a tunnel used for pedestrian or vehicle traffic, an SSH tunnel has two endpoints. One end, the machine I am connecting from, is where the traffic goes in. The other end, the machine I connect to, is where the traffic comes out. One thing to keep in mind about tunnels is that traffic exiting the tunnel appears to come from the exit node, not the originating node. In most cases this will make things easier, but depending on what you’re using the tunnel for, it’s best to know going in that the origin of the data is not the origin the destination thinks it is.
In my example, I’ve set up a Plex server on a public IP address, but part of the setup requires that I point the browser to the localhost address (and the traffic must come from the server itself). Because the server is a “headless” virtual machine, I don’t have a GUI or a graphical web browser — just a terminal window via an SSH connection. With SSH tunneling, I can set up the proper forwarding and browse using the graphical web browser on my local machine, connecting through the tunnel so that the requests reach Plex as if they came from the remote machine itself. It should be noted that on Windows, I use KiTTY as my SSH/Telnet/Serial client, so my examples will be the configuration windows for KiTTY, though they will look very familiar to PuTTY users. KiTTY is a drop-in replacement for PuTTY with some add-ons and upgraded features. To get KiTTY, or learn more about it, visit the project page.
First, connect to your SSH machine. It doesn’t need to be the target of the tunnel, just the end of the tunnel that has access to the resource you want to utilize.
I am forwarding port 32400 (Plex) from my local machine through the tunnel to port 32400 (Plex) on the Plex machine (that I’m also connected to for the terminal). This means that the destination of the forward is localhost (or 127.0.0.1) as seen from the other end of the tunnel. So, let’s change the settings of the connection (right-clicking the KiTTY window lets you change the settings of the live shell session).
Click Add, and Apply.
Your tunnel should now be active, and we can confirm that in the Port forwarding dialog. Right-click the KiTTY window and select “Port forwarding”. The dialog shows the local port (L32400) and the endpoint destination of the traffic that goes through the tunnel.
Now open your browser or direct the client to the localhost (your machine), and if necessary the port specified, and access your remote resource through your newly created SSH Tunnel!
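The same L32400 forward for readers using the OpenSSH client instead of KiTTY, as an added example that is not part of the original post. It binds the local end to loopback so other machines on your network cannot reach Plex through your tunnel, and checks the resulting listener. Assumptions: `user@plex.example.net` is a placeholder target, the function names are hypothetical, and the sample listener tables are constructed in the format Linux `ss -ltn` prints.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the KiTTY entry L32400 -> 127.0.0.1:32400.

# Build the ssh command for a local forward whose listener is bound to loopback only.
# usage: tunnel_cmd LOCAL_PORT DEST_HOST DEST_PORT SSH_TARGET
tunnel_cmd() {
    for p in "$1" "$3"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    # -N: forwarding only, no remote command.
    # ExitOnForwardFailure=yes: exit rather than run a session without the forward.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Classify the listener for PORT from `ss -ltn` output on stdin:
# prints loopback, exposed (bound to a non-loopback address), or absent.
# usage: ss -ltn | listener_scope PORT
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") { if (s == "") s = "loopback" }
            else s = "exposed"
        }
        END { print (s == "" ? "absent" : s) }'
}

# Constructed sample listener tables (not captured from a real host).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:32400    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:32400      0.0.0.0:*'

# Print the command for the forward used in this post, then classify both samples.
tunnel_cmd 32400 127.0.0.1 32400 user@plex.example.net
printf '%s\n' "$SAMPLE_LOOPBACK" | listener_scope 32400
printf '%s\n' "$SAMPLE_EXPOSED"  | listener_scope 32400
```

On a live Linux client, run `ss -ltn | listener_scope 32400` after the tunnel is up; anything other than `loopback` means the forward is either missing or reachable from other hosts.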