SSH Tunneling: Practical Examples and Key Features
SSH tunnels are used to establish secure channels between a local machine and a remote server. They enable tasks such as file transfer and editing, running applications, and creating backups.
How Tunnels Work Copy link
SSH, or Secure Shell, is a secure network protocol for remote management. It encrypts traffic and is compatible with all major operating systems. SSH tunneling establishes a secure connection to a remote machine, involving port forwarding via SSH rather than protocol encapsulation. This technology involves transmitting TCP packets and translating IP headers, adhering to specific rules.
Creating a Tunnel Copy link
To identify the user, two SSH keys are needed: a private key stored on the local machine and a public key stored on the server. The process of establishing a secure connection varies by operating system.
Linux and macOS Copy link
Open a terminal and run:
ssh-keygen -t rsaThis command initiates a dialogue in the terminal:
Enter file in which to save the key (/home/user/.ssh/id_rsa):By default, the private key is saved in the .ssh folder in the id_rsa file. You can specify a different path and filename if desired.
The system will prompt you to create a passphrase for additional key protection. This enhances security by preventing unauthorized use of the key if multiple users share the same machine. If a passphrase is not needed, leave the field empty and press Enter:
Enter passphrase (empty for no passphrase):After successfully creating the key pair, you’ll see a message with the paths the keys have been saved to.
Copy the public key to the remote machine. You can either open the /home/user/.ssh/id_rsa.pub file with a text editor or display its contents in the terminal:
cat ~/.ssh/id_rsa.pubCopy the key and add it to the server, ensuring there are no spaces or line breaks. Alternatively, use the command:
ssh-copy-id user@remoteserverReplace user with your username and remoteserver with the host or IP address of the remote machine.
To connect via SSH, use:
ssh root@remoteserverReplace remoteserver with the server's public IP address. If no passphrase was set, no further input is required. The system will verify the keys and establish a secure connection. The first connection will prompt you to trust the host:
Are you sure you want to continue connecting (yes/no)? yesFor enhanced security, avoid using a superuser account. Limit the connection between local and remote machines by specifying the -N parameter:
ssh -N -L -g 3389:192.168.0.105:3389 user@rt.example.comThis prevents accidental command execution on the remote machine intended for the local computer.
Windows Copy link
On Windows, generate key pairs using PowerShell or PuTTygen (included with PuTTY).
Using PowerShell
Open the terminal and run:
ssh-keygen -t rsaProtect the private key with a passphrase or leave the field empty and press Enter:
Enter passphrase (empty for no passphrase):By default, the public key is saved in ~/.ssh/id_rsa.pub, and the private key in the same folder. Open the public key file with a text editor or use:
cat ~/.ssh/id_rsa.pubCopy the public key and add it to the remote server.
Connect to the server:
ssh root@remoteserverReplace remoteserver with the server's public IP address. If no passphrase was set, no further input is needed. Trust the host upon first connection:
Are you sure you want to continue connecting (yes/no)? yesUsing PuTTYgen
-
Click the Generate button and move the cursor until the progress bar fills.
-
Save the public and private keys.
-
Open the public key file, copy its contents, and add it to the remote server.
-
To connect using PuTTY, enter the host name or IP address in the Host Name field and click Open. Configure the SSH tunnel under Connection → SSH → Tunnels.
Using SSH Proxy Copy link
SSH Proxy allows access to a home or corporate system. Applications must support SOCKS-proxy. To tunnel through a proxy:
ssh -D 8888 user@remoteserverThis command starts a SOCKS proxy on port 8888 on localhost, but can be adjusted to listen on Ethernet and Wi-Fi, allowing applications to connect through Secure Shell.
For example, to launch Google Chrome with a SOCKS proxy:
google-chrome --proxy-server="socks5://192.168.1.10:8888"Dynamic SSH Tunnels Copy link
A dynamic SSH tunnel opens a local TCP socket and uses it as a SOCKS4/SOCKS5 proxy, meeting all security requirements. To establish a dynamic tunnel:
ssh -D 1080 user@vps.example.comThis sets up a SOCKS proxy on port 1080. No external ports are opened; all traffic is encrypted.
For Windows, configure the dynamic SSH tunnel in PuTTY under Connection → SSH → Tunnels.
SSH Tunnel Usage Examples Copy link
Port Forwarding Copy link
Port forwarding is common with SSH tunnels. Open a port on the local machine and connect it to a remote server port:
ssh -L 9999:127.0.0.1:80 user@remoteserverThis listens on port 9999 and forwards it to port 80.
Reverse SSH Tunnel Copy link
For reverse tunneling, connect a listening port to another local machine port:
ssh -v -R 0.0.0.0:1999:127.0.0.1:902 user@remoteserverThis connects from the remote server to port 1999, then to port 902 on the local machine.
Remote Command Execution Copy link
Execute commands on a remote machine via SSH:
ssh remoteserver "cat /var/log/nginx/access.log" | grep badstuff.phpThis downloads a log and runs a grep command on the remote server.
Rsync via SSH Copy link
For regular backups, use rsync:
rsync -az /home/testuser/data proglibserver:backup/Rsync compares differences and saves time by not copying unchanged files.
Running Applications Copy link
Launch GUI applications on a remote server through SSH:
ssh -X remoteserver vmwareThe application runs on the remote server, but its interface is available locally.
Host Hopping Copy link
For segmented networks requiring multiple hops, use the -J parameter:
ssh -J host1,host2,host3 user@host4.internalThis establishes encrypted connections through each host.
Mounting Local Folder on Remote Machine Copy link
Use sshfs to mount a local directory to a remote server:
sshfs user@proglibserver:/media/data ~/data/This is useful for file sharing and other operations.
Conclusion Copy link
SSH tunneling is a powerful tool for securely managing connections between local and remote systems. By using SSH tunnels, you can ensure encrypted data transfer, safely access remote resources, and perform various network tasks with enhanced security. Whether you're forwarding ports, setting up proxies, executing remote commands, or performing regular backups, SSH tunneling offers a versatile solution across different operating systems, including Linux, macOS, and Windows.
With practice, the basic operations will become second nature, and for more complex scenarios, this guide provides a solid foundation to build upon. Secure your connections, streamline your workflows, and leverage the full potential of SSH tunneling to meet your network management needs.