Tunneling with SSH is a real good combo to encrypt every network communication you want. You are also be able to access other network services which are only availble to the destination which you trying to ssh to.
As you can see, these two reasons are just two of a bunch more why tunneling with SSH is something you should definitly consider. Also tunneling with SSH is really simple. The following pictues I created tries to show you how easy it really is:
So as you can see in the picture, the first number after the -L parameter (marked red) states the local port on your local machine where you execute the ssh command. So this means that the remote service will be available locally on your machine with this port. NOTE: You should only use ports above the “System Ports” which are regulated in RFC 6335. This means ports > 1023 (in the picture we use port 5000 which is fine).
The second value (the one between the two colons, yellow marked) states the remote address. The remote address can be of course localhost but in this case localhost does not mean your local machine. It means the remote machine you are ssh-ing to. It is possible that you also insert here a machine name or IP behind the destination machine you trying to ssh to. The destination tries to establish the connection to the remote address then.
The third value after the -L parameter (marked blue) is the port of the destination address which is given in the step before (yellow marked). So this means, if you want to connect for e.g. to a running Webserver on, then you have to enter 80 here (80 is the standard port for a HTTP connection).
The last value (marked green) is of course your username and the server you’re going to ssh to.
Another good example would be something like this:
ssh -L5000:www.google.de:443 myserver.my.domain
This example will open a SSH connection to the server myserver.my.domain and will tunnel (or forward) the Port 443 on the destination address (in this example “www.google.de”) to the local port 5000 on your local machine. After this you will be able to enter https://localhost:5000 in your webbrowser on your local machine and you should see the google start page. This means all the traffic via localhost:5000 is routed over your server (myserver.my.domain in this example) to Googles webservers.
A more practical example:
Everbody knows VNC … it’s easy to use and especially easy to install under Linux. I tried a lot of other solutions for remote access like X2Go or NXNomachine. These solutions are good, no doubt about that, but nothing comes close to easyness and portability as VNC did.
For my personal purposes I use the TigerVNC Client and Server implementation. Actually I didn’t found a possibility to encrypt the traffic which was created from VNC. To do this, we could just use an SSH Tunnel. Useing an SSH tunnel while useing VNC gives you some great benefits:
- The VNC traffic between your local machine and the destination (VNC Server) is encrypted.
- As a home server user, you can just open the SSH port in your routers firewall for external access. All other ports can remain closed because you can port forward them with the help of SSH.
- Due to the SSH user authentication you have something like a “low-level” user authentication.
The following example opens a SSH connection to the server myserver.my.domain and forwards the VNC Server port on this server so that the VNC Server is reachable locally under the port 5000:
ssh -L5000:localhost:5900 myserver.my.domain
After the connection is established the VNC Server on the server myserver.my.domain can now be reached under the address localhost port 5000. If your server does listen on another port than the standard port of SSH (22) you can add the -p parameter to ssh to your server with the port you want:
ssh -p1234 -L5000:localhost:5900 myserver.my.domain