ssh-host is host where "ssh" command is executed to create ssh-tunnel
ssh-peer is host to which ssh-host connects via SSH to form an ssh-tunnel
destination-host is a host we want to access over the ssh-tunnel
For both Local and Remote SSH tunnels:
- connection from ssh-host to ssh-peer is allowed
- only traffic between ssh-host ans ssh-peer is encrypted (this traffic is in ssh-tunnel), traffic after ssh-tunnel (connection to destination-host itself) is not encrypted and security here based on TCP protocol being used (HTTP, FTP will remain unencrypted / HTTPS, SSH will be encrypted)
Local
Generally:
- created on ssh-host
- accessed from ssh-host
- port is listened on ssh-host
Local - tunnel is created and accessed on the <ssh-host>, <destination-host>:<destination-port> must be accessible from the <ssh-peer> (see below explanation):
[root@ssh-host ~] ssh -L <port-to-listen-on-ssh-host>:<destination-host>:<destination-port> <ssh-peer>
[root@ssh-host ~] ssh -L <port-to-listen-on-ssh-host>:<destination-host>:<destination-port> <ssh-peer>
<ssh-host> connects to <ssh-peer> with SSH protocol to form an ssh-tunnel. When <ssh-host> connects to <localhost>:<port-to-listen-on-ssh-host> on itself, <ssh-peer> connects to the <destination-host>:<destination-port> and sends this connection over SSH to the <ssh-host> which listens to this connection traffic at the <port-to-listen-on-ssh-host>
Or in other words:
<destination-host>:<destination-port> is accessed as <localhost>:<port-to-listen-on-ssh-host> from <ssh-host>
PS if <destination-host>:<destination-port> will be for example localhost:80, then ssh-peer will connect to itself on 80 port
Remote - tunnel is created on the <ssh-host> and accessed on the <ssh-peer>, <destination-host>:<destination-port> must be accessible from the <ssh-host> (see below explanation):
To view existent SSH tunnels (IPv4 (option -i4), IPv6 (option -i6) or both IPv4 and IPv6 (option -i) tunnels, don't do IP resolving - option -n; show numerical ports - option -P):
If you want create tunnels in the background and don't want to send any commands through SSH tunnel, then use options "-f" (forces going to the background and sending stdin to /dev/null but asks for passwords) and "-N" (do not execute a remote command), use below syntax:
[root@ssh-host ~] ssh -f -N -L <port-to-listen-on-ssh-host>:<destination-host>:<destination-port> <ssh-peer>
[root@ssh-host ~] ssh -f -N -R <port-to-listen-on-ssh-peer>:<destination-host>:<destination-port> <ssh-peer>
Or in other words:
<destination-host>:<destination-port> is accessed as <localhost>:<port-to-listen-on-ssh-host> from <ssh-host>
PS if <destination-host>:<destination-port> will be for example localhost:80, then ssh-peer will connect to itself on 80 port
Remote
Generally:
- created on ssh-host
- accessed from ssh-peer
- port is listened on ssh-peer
Remote - tunnel is created on the <ssh-host> and accessed on the <ssh-peer>, <destination-host>:<destination-port> must be accessible from the <ssh-host> (see below explanation):
[root@ssh-host ~] ssh -R <port-to-listen-on-ssh-peer>:<destination-host>:<destination-port> <ssh-peer>
<ssh-host> connects to <ssh-peer> with SSH protocol to form an ssh-tunnel. When <ssh-peer> connects to <localhost>:<port-to-listen-on-ssh-peer> on itself, <ssh-host> connects to the <destination-host>:<destination-port> and sends this connection over SSH to the <ssh-peer> which listens to this connection traffic at the <port-to-listen-on-ssh-peer>
<ssh-host> connects to <ssh-peer> with SSH protocol to form an ssh-tunnel. When <ssh-peer> connects to <localhost>:<port-to-listen-on-ssh-peer> on itself, <ssh-host> connects to the <destination-host>:<destination-port> and sends this connection over SSH to the <ssh-peer> which listens to this connection traffic at the <port-to-listen-on-ssh-peer>
Or in other words:
<destination-host>:<destination-port> is accessed as <localhost>:<port-to-listen-on-ssh-peer> from <ssh-peer>
PS if <destination-host>:<destination-port> will be for example localhost:80, then ssh-host will connect to itself on 80 port
<destination-host>:<destination-port> is accessed as <localhost>:<port-to-listen-on-ssh-peer> from <ssh-peer>
PS if <destination-host>:<destination-port> will be for example localhost:80, then ssh-host will connect to itself on 80 port
Check
To view existent SSH tunnels (IPv4 (option -i4), IPv6 (option -i6) or both IPv4 and IPv6 (option -i) tunnels, don't do IP resolving - option -n; show numerical ports - option -P):
[admin@localhost ~]$ lsof -i4 -n -P | grep ssh
As background process
If you want create tunnels in the background and don't want to send any commands through SSH tunnel, then use options "-f" (forces going to the background and sending stdin to /dev/null but asks for passwords) and "-N" (do not execute a remote command), use below syntax:
[root@ssh-host ~] ssh -f -N -L <port-to-listen-on-ssh-host>:<destination-host>:<destination-port> <ssh-peer>
[root@ssh-host ~] ssh -f -N -R <port-to-listen-on-ssh-peer>:<destination-host>:<destination-port> <ssh-peer>
Address binding
If you want, you can use address binding to more easily identify SSH tunnels:
- Tunnel to 10.10.10.100:
- ssh -L 127.0.0.100:2100:localhost:22 root@10.10.10.100
- Tunnel to 10.11.11.200:
- ssh -L 127.0.0.200:2200:localhost:22 root@10.11.11.200
- Now you have two "links" to access these SSH tunnels:
- ssh root@127.0.0.100 -p 2100 for 10.10.10.100
- ssh root@127.0.0.200 -p 2200 for 10.11.11.200
Accessing one host over another
If you have 2 servers you want to interconnect (the servers can't access each other directly) and have third server (can access both 1st and 2nd server) and have all traffic in the route being encrypted:
- Setup
- 1st server IP 10.10.10.1
- 2nd server IP 11.11.11.2
- 3rd server IP 12.12.12.3
- you want to access 10.10.10.1 from 11.11.11.2
- Configure
- [admin@12.12.12.3 ~] ssh -L 2001:localhost:22 root@10.10.10.1
- [admin@12.12.12.3 ~] ssh -R 2003:localhost:2001 root@11.11.11.2
- Access 10.10.10.1 from 11.11.11.2
- Access with SSH
- ssh root@localhost -p 2003
- rsync
- rsync -av -e "ssh -p2003" /some-dir/some-file root@localhost:/sync-dest-dir/
- rsync with synchronized files (directories are not deleted) deletion on source server:
- rsync -av -e "ssh -p2003" --remove-source-files /some-dir/some-file root@localhost:/sync-dest-dir/