SSH Tunneling

From Computing and Software Wiki

Revision as of 04:07, 14 April 2008 by Partsea (Talk)
(diff) ← Older revision | Current revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Tunneling refers to a packet, which is based on one protocol, being wrapped, or encapsulated, in a second packet that is based on another protocol. The encapsulating packet's protocol will be whatever differing protocol is needed in order for it to travel over an intermediary network. An SSH tunnel is an encrypted network tunnel created using an SSH connection. This type of tunnel allows you to transmit otherwise insecure TCP traffic in a secure fashion, as well as transfer packets with incompatible protocols over an intermediary network. When a tunneling protocol uses data encryption (SSH) to transport packets that are based on insecure protocols over the Internet, they are in essence providing VPN functionality. In real-life terms, tunneling is comparable to "encapsulating" a present (the original packet) in a box (the capsule) for delivery through the postal system.


Components of a tunnel

Tunneling Components

The Tunnel - The series of networks that the packet must travel to go from the starting network to the destination network.

Tunnel Interfaces - These are the points where the starting and destination networks come into contact with the tunnel.

Passenger Protocol - This is the original data being transferred that may be either insecure or incompatible with the carrier protocol.

Encapsulating Protocol - This is the protocol that is wrapped around the original passenger protocol. This protocol must be understood by both tunnel interfaces and commonly come in the form of GRE, IPSec, L2F, PPTP & L2TP.\\

Carrier Protocol - This is the protocol use by the network that the encapsulated package is travelling over.

The Tunneling Process

In this example, we will create secure connection using SSH and local port fowarding.

1) First you launch the SSH client on the command line.

2) Use the SSH client to log into the remote machine using whatever authentication method is available, such as password, Pubkey, etc.

3) The SSH client binds the local port you specified, on the loopback interface,

4) When a process connects to on the the client machine on the port you specified, SSH client program accepts the conection.

5) The SSH client informs the server, over the encrypted channel, to create a connection to the destination, such as a mailserver shown in the example below.

6) The client takes any bits sent to the port you specified on your machine and sends them to the server inside the encrypted SSH session, who decrypts them and then sends them in the clear to the destination (the mailserver). The server takes any bits received from the mailserver and sends them inside the SSH session back to the client, who decrypts and sends them in the clear to the process that connected to the client's bound port (the port you intially specified).

7) When the connection is closed by either endpoint, it is torn down inside the SSH session as well.


A typical use would be to securely retrieve e-mail from work, while at home & using a POP client. By connecting to the machine directly, you would be sending your login and password in the open and risk having them stolen to be subsequently used to gain access to confidential information.

To avoid this, instead of connecting directly, establish an SSH connection to the network of which the mail server is a part of. The SSH client software sets up a port forwarding mechanism, making the traffic heading to your home computer's POP be forwarded over the encrypted tunnel and end up at the mail server's POP port. You then direct your email client to your local POP port and it thinks that it is talking to the remote end, only this time, the entire session is encrypted. Anyone trying to listen in on the conversation between your home computer and work machine, will hear something resembling noise.

To set this up, all you'll need an SSH client capable of tunneling. OpenSSH is a free open source version of SSH connectivity tools. Under Windows, you'll need a client like SecureCRT, which is commercial software. Cygwin is a linux like environment for Windows that contains an SSH package.

See Also

Applications of SSH

Virtual Private Networks

The Future of the Internet: IPv6


1) SSH Tunneling Explained

2) How Virtual Private Networks Work

3) What is Tunneling?

External links

OpenSSH Main Page

SecureCRT Main Page

Cygwin Main Page

--Partsea 22:31, 13 April 2008 (EDT)

Personal tools