SSH tunneling (port forwarding) carries arbitrary TCP connections inside the encrypted SSH session. It can reach services that firewalls or NAT would otherwise block, protect otherwise plaintext protocols in transit, and provide a controlled path into internal networks. Only TCP is carried: UDP and ICMP traffic cannot be forwarded this way, and the SOCKS proxy created by -D is TCP-only as well.
SSH Tunnel Types
1. Local Tunneling
Opens a listening port on the client. Every connection to it is carried through the SSH session, and the server then connects onward to target_address:target_port. The target is resolved and reached from the server, so "localhost" in the target means the remote server itself, not the client.
```bash
# Basic syntax
ssh -L [local_address:]local_port:target_address:target_port user@remote_server

# Example: access a MySQL server running on the remote host itself.
# "localhost" is resolved by remote-server, so this reaches its loopback.
ssh -L 3306:localhost:3306 user@remote-server

# Example: reach an internal service through a jump server
# (the jump server must be able to resolve and connect to internal-server)
ssh -L 8080:internal-server:80 jump-server

# Bind the local listener to a specific address (loopback is the default)
ssh -L 127.0.0.1:8080:remote:80 user@server
```
Use Cases:
- Securely access remote databases
- Access internal network services through jump servers
- Local development testing of remote services
2. Remote Tunneling
The SSH server opens the listening port. Every connection to it is carried back through the session, and the client then connects onward to target_address:target_port. The target is resolved from the client's side, so "localhost" means the local machine. By default sshd binds the remote port to its own loopback only; making it reachable from other hosts requires the GatewayPorts server setting.
```bash
# Basic syntax
ssh -R [remote_address:]remote_port:target_address:target_port user@remote_server

# Example: let the remote server reach a development server on this machine
# ("localhost" is resolved on the client, i.e. the local machine)
ssh -R 8080:localhost:3000 user@remote-server

# Example: NAT traversal, expose the local SSH daemon through a public host
ssh -R 2222:localhost:22 user@public-server

# Bind the remote listener to all interfaces
# (requires GatewayPorts yes or GatewayPorts clientspecified on the server;
#  without it the listener is on the server's loopback only)
ssh -R 0.0.0.0:8080:localhost:3000 user@server
```
Use Cases:
- NAT traversal: exposing a service on a machine that has no public address
- Remote debugging of local applications
- Accessing local resources from remote servers
3. Dynamic Tunneling
Creates a SOCKS (4/5) proxy on the client. Each connection made through the proxy is forwarded over the session, and the server connects to whatever destination the client application asked for, so one tunnel serves many targets. Only TCP is carried; a SOCKS5 client that needs UDP will not work.
```bash
# Basic syntax
ssh -D local_port user@remote_server

# Example: SOCKS proxy on local port 1080
ssh -D 1080 user@remote-server

# Bind to a specific local address
ssh -D 127.0.0.1:1080 user@server
```
Use Cases:
- Browser proxy access to internal network resources
- Bypass network restrictions
- Unified proxy for multiple services
Advanced Tunnel Configuration
Persistent Connections
```bash
# Use autossh to restart the tunnel when it dies.
# -M 0 disables autossh's own monitoring port; liveness then comes from the
# ServerAlive options, which make ssh exit (and autossh reconnect) after
# 3 missed keepalives, i.e. about 90 seconds of silence.
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -L 8080:remote:80 user@server

# Or set the keepalives once in the client configuration
# ~/.ssh/config
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes
```
Background Running
```bash
# Run the tunnel in the background
ssh -f -N -L 8080:remote:80 user@server
# -f: go to the background after authentication
# -N: do not execute a remote command (only forward ports)
```
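As an added example (not code from the original page), the script below ties the three tunnel types and the background form together in one small wrapper. It adds two things the plain commands above do not: it always writes out an explicit bind address (loopback unless TUNNEL_BIND is overridden), and it starts the background tunnel with ExitOnForwardFailure=yes as a ControlMaster (-M -S socket), so a port that cannot be bound fails loudly instead of leaving an ssh process running without its forward, and the tunnel can later be checked and stopped with -O check / -O exit. The function names, the TUNNEL_* variables and the socket directory ~/.ssh/tunnels are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): wrappers around ssh -L/-R/-D.
# Assumptions: POSIX sh, hostnames without whitespace, sockets in ~/.ssh/tunnels.

TUNNEL_SOCK_DIR="${TUNNEL_SOCK_DIR:-$HOME/.ssh/tunnels}"
TUNNEL_BIND="${TUNNEL_BIND:-127.0.0.1}"   # set to 0.0.0.0 only on purpose

# valid_port N: true for 1..65535, digits only
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_spec local   PORT TARGET_HOST TARGET_PORT -> "-L BIND:PORT:TARGET_HOST:TARGET_PORT"
# tunnel_spec remote  PORT TARGET_HOST TARGET_PORT -> "-R BIND:PORT:TARGET_HOST:TARGET_PORT"
# tunnel_spec dynamic PORT                         -> "-D BIND:PORT"
# The bind address is always written out explicitly, so a listener can never
# end up on all interfaces by accident (for -R that still needs GatewayPorts).
tunnel_spec() {
  kind=$1; port=$2; thost=$3; tport=$4
  valid_port "$port" || { echo "tunnel_spec: bad port '$port'" >&2; return 1; }
  case "$TUNNEL_BIND" in
    0.0.0.0|'*'|::|'[::]') echo "tunnel_spec: warning: binding to all interfaces" >&2 ;;
  esac
  case "$kind" in
    local|remote)
      [ -n "$thost" ] || { echo "tunnel_spec: missing target host" >&2; return 1; }
      valid_port "$tport" || { echo "tunnel_spec: bad target port '$tport'" >&2; return 1; }
      if [ "$kind" = remote ]; then flag=-R; else flag=-L; fi
      printf '%s %s:%s:%s:%s\n' "$flag" "$TUNNEL_BIND" "$port" "$thost" "$tport" ;;
    dynamic)
      printf '%s %s:%s\n' "-D" "$TUNNEL_BIND" "$port" ;;
    *)
      echo "tunnel_spec: unknown kind '$kind'" >&2; return 1 ;;
  esac
}

# tunnel_up NAME HOST [ssh options...]
# Background tunnel as a ControlMaster. ExitOnForwardFailure=yes turns a port
# that cannot be bound into an error instead of a warning, so -f never
# backgrounds an ssh that carries no forward.
tunnel_up() {
  name=$1; host=$2; shift 2
  mkdir -p "$TUNNEL_SOCK_DIR" && chmod 700 "$TUNNEL_SOCK_DIR"
  ssh -f -N -M -S "$TUNNEL_SOCK_DIR/$name" \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
      "$@" "$host"
}

# tunnel_status NAME HOST / tunnel_down NAME HOST: talk to the master over its socket
tunnel_status() { ssh -S "$TUNNEL_SOCK_DIR/$1" -O check "$2"; }
tunnel_down()   { ssh -S "$TUNNEL_SOCK_DIR/$1" -O exit  "$2"; }

# Usage ($(tunnel_spec ...) is deliberately unquoted so that the flag and its
# argument become two separate words):
#   tunnel_up db jump-server $(tunnel_spec local 3307 db.production.internal 3306)
#   tunnel_status db jump-server
#   tunnel_down db jump-server
```

Because the master holds the connection, several forwards can be added to the same tunnel_up call, and a later `ssh -O forward -L ... host` against the same socket can add more without re-authenticating.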
Multi-Tunnel Configuration
```bash
# Create several tunnels over one connection
ssh -L 8080:remote:80 -L 3306:remote:3306 -L 2222:remote:22 user@server

# Or define them in the client config file and run "ssh -N tunnel"
# ~/.ssh/config
Host tunnel
    HostName remote-server.com
    User username
    LocalForward 8080 localhost:80
    LocalForward 3306 localhost:3306
    RemoteForward 9000 localhost:3000
    DynamicForward 1080
```
Server Configuration
Allow Tunneling
```bash
# /etc/ssh/sshd_config

# Allow TCP forwarding (yes is the OpenSSH default; "local" or "remote"
# permits only that direction)
AllowTcpForwarding yes

# Let -R listeners bind to non-loopback addresses. "yes" forces every remote
# forward onto all interfaces; "clientspecified" lets the client choose the
# bind address and is the safer option.
GatewayPorts yes

# Allow agent forwarding (unrelated to port forwarding; enable only if needed)
AllowAgentForwarding yes
```
Restrict Tunneling
```bash
# Disable forwarding for everyone
AllowTcpForwarding no
GatewayPorts no

# Allow forwarding only for specific users.
# Global directives must come before the first Match line: every directive
# after a Match line belongs to that block. So the deny is set globally and
# a Match block re-enables forwarding for one account only.
AllowTcpForwarding no
Match User tunneluser
    AllowTcpForwarding yes
```
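The Match-block ordering above is easy to get wrong, and AllowTcpForwarding alone still lets a permitted user reach any host the server can. The script below is an added example, not code from the original page: it writes a policy that denies forwarding globally and re-enables only client-to-server (-L) forwards for one account, pinned with PermitOpen to a single destination, and it checks what sshd actually enforces for a user by reading `sshd -T -C user=...` output, which evaluates Match blocks exactly as the daemon does. The account name tunneluser, the destination, the file location and the function names are my assumptions; PermitListen needs OpenSSH 7.8 or later.

```shell
#!/bin/sh
# Added example (not from the original page): a forwarding policy for sshd and a
# check of what sshd actually enforces for a given user.
# Assumptions: an account "tunneluser", one permitted destination, OpenSSH 7.8+
# (PermitListen), and that OUTFILE ends up after all global directives in the
# effective configuration (end of sshd_config, or the last-sorted drop-in).

# write_forward_policy OUTFILE USER DEST
# Global scope denies everything. Match blocks must come last: every directive
# after a Match line belongs to that block, not to the global scope. The block
# re-enables client-to-server (-L) forwarding for USER only and pins the single
# destination it may reach; no shell, no TTY, no -R listeners.
write_forward_policy() {
  out=$1; user=$2; dest=$3
  cat > "$out" <<EOF
AllowTcpForwarding no
GatewayPorts no
AllowAgentForwarding no
PermitOpen none
PermitListen none

Match User $user
    AllowTcpForwarding local
    PermitOpen $dest
    PermitListen none
    PermitTTY no
    ForceCommand /bin/false
EOF
}

# forward_policy USER [SAVED_OUTPUT]
# Prints the forwarding-related settings sshd will apply to USER, from a live
# "sshd -T -C user=USER" (run as root) or from a saved copy of that output.
# sshd -T is the authoritative check: it resolves Match blocks the way the
# daemon does, so there is no need to reason about first-value-wins by hand.
forward_policy() {
  if [ -n "${2:-}" ]; then cat "$2"; else sshd -T -C "user=$1"; fi |
    awk '$1 ~ /^(allowtcpforwarding|gatewayports|permitopen|permitlisten)$/'
}

# forwarding_allowed USER [SAVED_OUTPUT]: exit 0 if USER may open any forward
forwarding_allowed() {
  v=$(forward_policy "$1" "${2:-}" | awk '$1 == "allowtcpforwarding" { print $2 }')
  [ -n "$v" ] && [ "$v" != "no" ]
}

# Usage:
#   write_forward_policy /etc/ssh/sshd_config.d/99-tunnel.conf tunneluser db.production.internal:3306
#   sshd -t && systemctl reload sshd     # service name varies by distribution
#   forward_policy tunneluser            # expect: allowtcpforwarding local, permitopen db.production.internal:3306
#   forward_policy alice                 # expect: allowtcpforwarding no
```

A client that opens a session against this policy (plain `ssh tunneluser@server` without -N) gets /bin/false and is disconnected; only `ssh -N -L ...` to the pinned destination works, which is the intended shape of a tunnel-only account.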
Practical Use Cases
1. Secure Remote Database Access
```bash
# Local tunnel: port 3307 on this machine reaches the database via the jump server
ssh -L 3307:db.production.internal:3306 jump-server

# Connect through the tunnel. Use 127.0.0.1, not "localhost": the MySQL client
# treats "localhost" as a Unix-socket connection and would bypass the tunnel.
mysql -h 127.0.0.1 -P 3307 -u user -p
```
2. Exposing a Local Service (NAT Traversal)
```bash
# Expose local port 3000 as port 8080 on the public server
ssh -R 8080:localhost:3000 user@public-server

# External access only works if the server has GatewayPorts yes (or
# clientspecified with a public bind address in -R). By default the listener
# is on the server's loopback and is reachable only from public-server itself.
curl http://public-server:8080
```
3. Secure Browsing
```bash
# Create a SOCKS proxy through the corporate server
ssh -D 1080 corporate-server

# Browser configuration
# SOCKS5 proxy: 127.0.0.1:1080
# Also enable "proxy DNS when using SOCKS v5" (or the equivalent) so that name
# lookups go through the tunnel too; otherwise internal hostnames leak to the
# local resolver and fail to resolve.
```
4. Multi-Hop Connection
```bash
# Through several jump servers (ProxyJump, OpenSSH 7.3 and later)
ssh -J jump1,jump2 -L 8080:target:80 user@final-server

# Or in ~/.ssh/config; "target" is resolved by final-server, not locally
Host final-server
    ProxyJump jump1,jump2
    LocalForward 8080 target:80
```
Security Considerations
1. Access Control
```bash
# /etc/ssh/sshd_config: let the client choose the bind address of -R listeners
# instead of forcing every remote forward onto all interfaces
GatewayPorts clientspecified

# Host firewall: only 192.168.1.0/24 may reach a forwarded port; the ACCEPT rule
# needs a matching DROP after it, otherwise everyone else is still allowed
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
```
2. Monitoring and Auditing
```bash
# /etc/ssh/sshd_config: log channel and forwarding requests, including the
# ones sshd denies (these are not written at the default LogLevel INFO)
LogLevel VERBOSE

# Listening sockets held by ssh (client side, -L/-D) or sshd (server side, -R)
ss -tlnp | grep ssh

# Same with netstat; -p shows the owning process (requires root), and without
# it there is no process name to grep for
netstat -tlnp | grep ssh
```
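Listing sockets is only useful if something reads the list. As an added example (not code from the original page), the script below turns the two commands above into checks: one reads `ss -Hltnp` output and reports every ssh- or sshd-owned listener that is not on loopback (that is, a forward reachable from other hosts), ignoring sshd's own service port; the other counts, per source address, the "request was denied" lines sshd writes at LogLevel VERBOSE when PermitOpen or AllowTcpForwarding rejects a forward. The sample ss rows and log lines embedded in the test are constructed after the shape of real output, the service port 22 is an assumption, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): audit forwarded listeners and
# denied forwarding requests.
# Assumptions: iproute2 "ss" with -p (needs root to see other users' processes),
# sshd on port 22, syslog-style auth log lines, LogLevel VERBOSE on the server.

SSHD_PORT="${SSHD_PORT:-22}"

# ssh_exposed_listeners [SAVED_SS_OUTPUT]
# Reads "ss -Hltnp" (or a saved copy) and prints every listening socket owned
# by ssh (client: -L/-D) or sshd (server: -R) that is NOT bound to loopback,
# skipping sshd's own service port. These are the forwards other hosts can
# reach, i.e. exactly what explicit bind addresses and GatewayPorts control.
ssh_exposed_listeners() {
  if [ -n "${1:-}" ]; then cat "$1"; else ss -Hltnp; fi |
    awk -v sshd_port="$SSHD_PORT" '
      $1 == "LISTEN" && $NF ~ /\("sshd?",/ {
        addr = $4; port = $4
        sub(/:[0-9]+$/, "", addr)     # local address without the port
        sub(/^.*:/, "", port)          # port only
        if (port == sshd_port) next
        if (addr ~ /^127\./ || addr == "[::1]") next
        print $4, $NF
      }'
}

# ssh_denied_forward_sources LOGFILE
# sshd (at LogLevel VERBOSE) logs a line ending in "but the request was denied."
# when a forward is rejected by PermitOpen / PermitListen / AllowTcpForwarding;
# the line names the requesting client as "from <ip> port <n>". Prints
# "count source-ip", most active source first. A burst from one source is a
# client probing what the tunnel account may reach.
ssh_denied_forward_sources() {
  awk '/sshd\[.*request was denied/ {
         for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Usage:
#   ssh_exposed_listeners                       # live, run as root
#   ssh_denied_forward_sources /var/log/auth.log
```

Run the listener check from cron or a configuration-compliance job and treat any output as a finding: on a bastion that only hands out -L tunnels, the expected output is empty.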
3. Timeout and Cleanup
```bash
# /etc/ssh/sshd_config: drop sessions whose client stops answering
# (2 missed probes at 300 s, about 10 minutes). Closing the session also
# tears down every forward it was carrying.
ClientAliveInterval 300
ClientAliveCountMax 2

# TCP-level keepalives catch dead peers too, but they are plaintext and can be
# blocked by firewalls; the ClientAlive probes above travel inside the
# encrypted channel and are the reliable mechanism.
TCPKeepAlive yes
```
Troubleshooting
Common Issues
```bash
# Problem: cannot bind the port ("Address already in use")
# Solution: find what holds the port
ss -tlnp | grep ':8080'

# Problem: the tunnel connection drops
# Solution: use autossh, or set ServerAliveInterval / ServerAliveCountMax

# Problem: a remote (-R) tunnel is not reachable from other hosts
# Solution: check GatewayPorts in sshd_config and the bind address given to -R;
#           by default the listener is on the server's loopback only
```
Debugging Tips
```bash
# Verbose debug output (three -v for the most detail)
ssh -vvv -L 8080:remote:80 user@server

# Test the local end of the tunnel
telnet localhost 8080

# Show the forwards ssh will actually use after evaluating ~/.ssh/config
ssh -G user@server | grep -i forward
```
SSH tunneling is a powerful tool for network engineers and developers: it solves complex network access requirements securely and is a standard component of modern IT infrastructure. The same power is why forwarding should be restricted and monitored on servers that do not need it.