How to SSH Tunnel with the Linux Command Line

SSH stands for Secure Shell and is an encrypted data-transfer protocol commonly used to administer Linux servers. Tunnelling, in the context of computer networking, is the act of creating a link between two systems with one protocol that encapsulates additional protocols within itself.

One of the simplest ways to set up an SSH tunnel is to use the ssh command’s -D argument. This argument lets you specify a port on which ssh listens locally. ssh then acts as a local SOCKS proxy server: any connection pointed at that proxy is carried through the encrypted SSH connection and leaves it on the remote host, which makes the onward connection on your behalf. More details about the -D argument are given below in the form of an extract from ssh’s man page.

-D port

Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

In its simplest form, that is the following command in a Linux terminal.

ssh -D 8080 username@example.com

This connects to the computer at ‘example.com’ and attempts to authenticate as ‘username’, asking for a password if necessary. Once authentication succeeds, ssh opens a normal remote shell and, at the same time, acts as a SOCKS proxy server on port 8080 as given in the command (add -N if you only want the proxy and no remote shell). By default the proxy is bound to the loopback address only, so other machines on your network cannot use it. All you then need to do is configure your software (for example, your web browser) to use a SOCKS proxy at ‘localhost’ or ‘127.0.0.1’ on port 8080. Two caveats a practitioner should keep in mind: only the applications you configure go through the tunnel, everything else still goes out directly; and name resolution is only tunnelled if the application hands the hostname to the proxy rather than resolving it itself (in Firefox this is the “Proxy DNS when using SOCKS v5” option; in curl it is --socks5-hostname). Otherwise DNS queries leak outside the tunnel even though the TCP traffic goes through it.

Additional information on SSH tunnelling is available from Wikipedia’s article on tunnelling protocols. Here’s an extract.

To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services — so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization’s proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization’s proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server users would point their browser to http://localhost/.

Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating an SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server.
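To make concrete what “ssh will act as a SOCKS server” means for the command above and for the dynamic-forwarding paragraph in the extract, here is the SOCKS5 exchange a browser performs against the listener on 127.0.0.1:8080. This is an added example, not code from the original post or from OpenSSH; the encoder and decoder functions run offline on constructed byte strings, and only the `socks5_connect` helper at the bottom assumes a live `ssh -D 8080` proxy on 127.0.0.1:8080 (the proxy address, the destination example.com:80 and the request bytes are assumptions for illustration). It also shows the difference between sending a hostname to the proxy (resolved on the remote side) and sending an IP address (resolved locally, so the DNS lookup leaks).

```python
"""SOCKS5 client handshake as performed against `ssh -D 8080`.

Added example, not code from the original post or from OpenSSH. The
encode/decode functions work on constructed bytes; socks5_connect assumes
an ssh dynamic forward already listening on 127.0.0.1:8080 (assumption).
"""
import socket
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00          # the only method an ssh -D listener accepts
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def greeting() -> bytes:
    """Client hello: version 5, one offered method (no authentication)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request.

    A hostname is sent as ATYP 0x03 so the remote ssh server resolves it
    (DNS stays inside the tunnel). A dotted-quad is sent as ATYP 0x01, which
    is what a client does after resolving the name locally, i.e. a DNS leak.
    """
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes):
    """Decode a server reply into (status_text, bound_addr, bound_port).

    OpenSSH answers a successful CONNECT with the bound address 0.0.0.0:0.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return REPLY_TEXT.get(status, f"unknown status {status:#x}"), addr, struct.unpack("!H", rest[:2])[0]


def socks5_connect(dest_host, dest_port, proxy=("127.0.0.1", 8080), timeout=10):
    """Open a TCP connection to dest through the local ssh SOCKS proxy.

    Returns the socket; from here on it carries application data end to end.
    """
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(greeting())
    resp = s.recv(2)
    if len(resp) != 2 or resp[0] != SOCKS_VERSION or resp[1] != METHOD_NO_AUTH:
        s.close()
        raise ConnectionError("proxy rejected the no-auth method")
    s.sendall(connect_request(dest_host, dest_port))
    status, _, _ = parse_reply(s.recv(262))
    if status != "succeeded":
        s.close()
        raise ConnectionError(f"CONNECT failed: {status}")
    return s


if __name__ == "__main__":
    # Fetch a page through ssh -D 8080; the hostname is resolved on the remote end.
    conn = socks5_connect("example.com", 80)
    conn.sendall(b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n")
    print(conn.recv(4096).decode(errors="replace"))
    conn.close()
```

Run the bottom section with `ssh -D 8080 username@example.com` open in another terminal. On the wire the request for example.com carries the literal name, which is what you want; if you pass an IP address instead, the lookup already happened on your machine and outside the tunnel.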

Hopefully this will help you set-up quick and easy SSH tunnels when you need them!

Jordan is a passionate programmer, with 5+ years of industry experience in web development, Linux server administration and IT support. His main interests are cryptocurrency, peer-to-peer networking and web applications, with a strong lean towards free open source software.

4 thoughts on “How to SSH Tunnel with the Linux Command Line”

  1. Wonderful. But it leads to another question, and I hope you may be able to help. Once you have the secure tunnel created, is there any way to set a Linux device to route ALL network data through that connection, rather than just on a per-application basis?

    I’ve been looking for a solution to do this for some time and have not found anything that works. Anyone have any ideas?

    1. You can proxy applications that officially do not support proxies using an application called tsocks (for Linux) or Proxifier (for Windows/Mac).

      The way tsocks works is by intercepting the calls applications make to establish TCP connections and transparently proxying them where necessary.

      There is an Ubuntu/Debian package available for tsocks. Tell me how you get on. :)
