Jump to content.

FAQ/ Network/ SSH Tunneling

What is SSH Tunneling?

SSH tunneling (aka port forwarding) is a method by which secure (SSH) connections can be established to machines with private IP addresses (e.g., inside an office firewall) using any internet connection. The result is acheived by connecting securely to an intermediary machine which is publically accessible and able to communicate with the target machine. This connection is called a 'tunnel' and with proper configuration can be used to transmit data back and forth between the host and target.

How Do I Use SSH Tunneling?

Suppose you wish to send email using port 25 of gateway.eecs.berkeley.edu but cannot securely connect to that machine. To illustrate the concept of SSH tunneling, let us use PuTTY, a popular terminal program which supports SSH, to tunnel to argus.eecs.berkeley.edu and securely connect to gateway.

  1. First, open the PuTTY client and select SSH → Tunnels from the Category tree.
  2. In the Source port field enter a random number greater than 1000 (in this example, we have entered 12557). In the Destination field enter gateway.eecs.berkeley.edu:25. Click on Add.
    Screenshot of the PuTTY configuration page showing a tunnel created on port 12557 for 'gateway.eecs.berkeley.edu:25'.
  3. Now click on Session in the Category tree and enter argus.eecs.berkeley.edu in the Host Name field. Click on the SSH radio button and 22 should appear in the Port field. Click on Open and then sign onto argus to create the tunnel.
    Screenshot of the PuTTY 
 configuration page showing 'argus.eecs.berkeley.edu' entered in the 'Host 
 Name' field of the 'Session' configuration.
  4. Now, to send email via gateway, adjust your mail client's account settings (more information on doing this can be found here) to indicate localhost on port 12557 as your outgoing mail server, and then send messages as you normally would. Be sure to keep both PuTTY windows open while you send mail, otherwise the connection to gateway will be lost.

SSH tunneling may be used to access many different services on different machines by changing the hostname and port number in step 2 above. For example, in step 2, if you had entered freebie.eecs.berkeley.edu:80 in the Destination field, you could then type http://localhost:12557 into a web browser to view the web pages served by freebie.eecs.

Services Status

Resolved