Monday, January 17, 2005

Telecommuting via ssh tunneling

Sometimes you want to be able to work on your work machine from home, but the company firewall only allows you ssh access into one of the servers. That's all you need in order to gain remote access (for example via VNC) to your work machine. An additional benefit is that the network traffic between your home and your work machines will be encrypted, so you can use this technique to secure plain-text protocols such as POP or IMAP.

Here is the scenario I'll cover:
  • You have ssh access to a server at work which is behind the corporate firewall and can be reached via an external IP address or a name such as gateway.corp.com; your account on that server is called gateway_account
  • You need to get remote access into a machine running VNC called work_machine which has an internal IP address such as 192.168.1.100
  • You have a home Linux/OS X box called home_machine
Here's what you need to do:

1. Open a shell session on home_machine and run the following command:

ssh -l gateway_account -L 5900:192.168.1.100:5900 -g -C gateway.corp.com

This command creates an ssh tunnel which forwards the local port 5900 (which is the default VNC port) to the remote port 5900 on machine 192.168.1.100, using the account gateway_account on machine gateway.corp.com, using data compression (-C).

If you have a fast link into the company network, you can omit the -C switch. The -g switch allows the remote host to connect back into the local host via the established tunnel.

2. Run the VNC client on home_machine and connect to localhost:0. This will actually connect to the local end of the ssh tunnel, which will then forward the connection to the remote end on 192.168.1.100. You should now have a VNC connection into work_machine.

This recipe can be used for other types of remote access, for example:
  • mail: replace port 5900 with either 110 (POP3) or 143 (IMAP) ; replace the IP address of work_machine with the IP address of the corporate mail server
  • Remote Desktop: replace port 5900 with port 3389
In all cases, you will connect to localhost (or 127.0.0.1) via the corresponding application (mail reader, Remote Desktop app, etc.) and you will be tunneled via ssh to the remote machine behind the corporate firewall.

This technique can be abused by hackers, so corporate firewalls should really allow ssh access only from known IP addresses (which of course can be spoofed, so this is only a weak form of protection). This is one reason why many companies offer only VPN access into their internal networks, so the ssh tunneling technique will be of no use in this case.

Note: if your work_machine runs Windows and you want to connect via VNC, you might have problems if your home_machine runs Linux. I've seen the remote Windows VNC server crash when a Linux client tried to connect to it. In this scenario, you have a better chance if you:

1. run your ssh tunnel on your Linux box at home as specified above
2. go to another home machine running Windows, start the VNC client there and connect to linux_home_machine:0.

Here are some other articles that describe ssh tunneling:

O'Reilly article
SSH.com article


2 comments:

Anonymous said...

Hello,

What if your company firewall doesn't allow ssh access into one of their servers and/or any type of incomming connection to their workstations (eg: the target machine is behind NAT). You are not allowed to change the firewall configuration. How do you connect to your work computer from home? :-)

Anonymous said...

You use a ssh tunnel, so while at work something like:
"ssh -R 2000:localhost:22 you@home.com"

The 2000 says what port on the remote computer to setup the port to.

Next when you get home you can do:
"ssh workuser@localhost -p 2000" and ssh right into your work computer.