Using SSH tunnels – this is how it works

Through an SSH tunnel, you can access remote content and content that is blocked on your network. Read here how this works.

An SSH tunnel establishes a connection to a remote server, but via an intermediate station. For example, if the page example.com is blocked in your network, you access an SSH server that connects to example.com and forwards the page to you. With a reverse SSH tunnel, the whole thing works the other way round. That sounds confusing, but with a little explanation and a few examples it is easy.

What is an SSH tunnel?

In short: with SSH (Secure Shell) you establish an encrypted connection to a remote computer (the SSH server) and can then work there as if you were sitting in front of that computer yourself. Prerequisite number 1 for an SSH tunnel is therefore an SSH server. You can also use devices in your home network for testing purposes. However, the whole thing only becomes really useful when you can use a server on the Internet; for example, many web space providers also offer an SSH option. Requirement number 2: the SSH server must also be configured to allow SSH tunnels.

A tunnel means that data from a third computer, for example a website, is requested by the SSH server and then forwarded to your local computer over the SSH connection. Suppose your network administrator has blocked the web page “example.com”. But you can access your SSH server “ssh.mysshserver.de”, and this in turn can access “example.com”. You then tell your SSH server to forward “example.com” to your local machine, and you can view it in your browser. Best of all: as mentioned, the SSH connection is encrypted, so nobody on your local network can see what data, in this case the web page of “example.com”, you are looking at. The encryption covers only the path between your computer and the SSH server; the SSH server itself and the route from there to “example.com” are not protected by it.

With a reverse tunnel it looks similar: Let’s assume you have a server running on your computer, such as a web server – or simply the media center Kodi, which is also accessible via the browser. Now you want to access it from a third computer. But your Kodi computer at home does not have its own IP address, so you can’t easily access it. You can, however, forward Kodi’s browser view to the third computer via the SSH server.

To be more precise: Kodi’s web interface can be found locally in the browser under “127.0.0.1:8080”, or “localhost:8080”. The “127.0.0.1” simply means the local computer and “8080” the port, a kind of house number under which the web interface can be found. This port 8080 is forwarded to (almost) any port of the SSH server. This means: what can be seen under “127.0.0.1:8080” can also be seen under “ssh.mysshserver.de:9000”, for example. And since the SSH server can be reached via the Internet as usual, you can finally access your home server from the third computer via the SSH detour.

It becomes easier with examples. And since not everyone has a correctly configured SSH server, our example works in the home network. You need a Windows or Linux computer and another network device with an SSH server in its standard configuration. That could be a Raspberry Pi, a NAS, another computer, or if necessary simply a virtual machine with Ubuntu. The example uses the following devices: “192.168.178.69” as SSH server, “192.168.178.75:8080” as NAS web interface for the tunnel and “127.0.0.1:8080” as Kodi interface for the reverse tunnel. The username for the SSH server is “linaro”, the assigned port is “9000”.

Using the SSH tunnel in the terminal

Under Linux the tools are available by default, and under Windows 10 as well. On Windows 7 and Windows 8 you have to add the command-line tools yourself. This can be done with Git for Windows, which installs a Linux-like terminal.

The first step is to access the NAS web interface on the third device from the local computer via the SSH server. Enter the following command in the terminal:

ssh linaro@192.168.178.69 -L 9000:192.168.178.75:8080

First, a normal SSH connection is established with the user “linaro” to the SSH server. The option “L” then initiates the tunnel: first comes the local port “9000”, then the address of the NAS web interface “192.168.178.75:8080”. This is followed by the password query. Then you can enter “127.0.0.1:9000” in the browser on the local computer and see what is also visible under “192.168.178.75:8080”. As long as the devices are all in one network, you can of course use any IP address. Over the Internet, you would only be able to use the IP address of the SSH server.

Using SSH Tunnel under Windows

But the terminal is not the natural way for Windows users – here you do it with PuTTY. Open PuTTY and simply enter the IP address of the SSH server in the “Host Name” field of the start window, in this case “192.168.178.69”. Optionally, you can give the session a name and save it. Now switch to “Connection/SSH/Tunnels”. Enter the freely selected port “9000” as “Source Port” and the NAS web interface as “Destination”, i.e. “192.168.178.75:8080”.

Then connect via the “Open” button and enter “127.0.0.1:9000” in the browser to access the NAS web interface. Again, the NAS web interface is retrieved by the SSH server and forwarded to your local machine.

Using Reverse SSH Tunnel

In the second example, the local Kodi web interface is to be called from the third computer via the SSH server. The command looks almost the same:

ssh linaro@192.168.178.69 -R 9000:127.0.0.1:8080

The first part with the SSH connection does not change. But then comes the “R” option for the reverse tunnel: again, the desired port on the SSH server is set to 9000, followed by what is to be forwarded, i.e. the Kodi web interface under “127.0.0.1:8080”. Once the connection is established, you can access the Kodi web interface from the third computer via “192.168.178.69:9000”. This is also possible with PuTTY; you just have to check the box “Remote” under “Connection/SSH/Tunnels”.

Basically, the SSH call is completely identical in both cases: you establish an SSH connection from your local computer to the SSH server. Then either a local tunnel (option L) or a reverse tunnel (option R) is established. This is followed by the port for retrieval via the SSH server. The final part is what you actually want to see, in this case the NAS or Kodi web interface. Admittedly, this doesn’t always sound trivial on paper, but once you’ve tried it at home, it’s easy to figure out.
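
Whether the two tunnels above work depends on the SSH server's configuration (requirement number 2). The following Python example is added here and is not part of the original article: it reads the global part of an OpenSSH sshd_config and reports whether the -L and -R commands from this page are permitted and on which address port 9000 of the reverse tunnel listens. The sample configurations are constructed, and Match blocks and Include files are ignored as a simplifying assumption.

```python
# Added example (not from the original article): evaluate the OpenSSH server
# settings that decide whether the page's -L and -R tunnels work.

DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no"}  # OpenSSH defaults

# Constructed sample configurations.
STOCK = "# stock server, nothing set\nPasswordAuthentication yes\n"
SHARED = "AllowTcpForwarding remote\nGatewayPorts clientspecified\n"
LOCKED = "allowtcpforwarding no\nAllowTcpForwarding yes\n"


def effective_settings(config_text):
    """Return the forwarding keywords from the global part of an sshd_config.

    sshd uses the first value it finds for a keyword; keywords are
    case-insensitive. Match blocks and Include files are not evaluated here.
    """
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break  # conditional section starts; only the global part is read
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            settings[key] = parts[1].lower()
            seen.add(key)
    return settings


def check_tunnels(config_text, remote_bind=None):
    """Report what -L 9000:... and -R [remote_bind:]9000:... can do."""
    cfg = effective_settings(config_text)
    fwd, gw = cfg["allowtcpforwarding"], cfg["gatewayports"]
    local_ok = fwd in ("yes", "all", "local")
    remote_ok = fwd in ("yes", "all", "remote")
    if gw == "yes":
        listen = "0.0.0.0"  # server forces all interfaces
    elif gw == "clientspecified" and remote_bind is not None:
        listen = "0.0.0.0" if remote_bind in ("", "*") else remote_bind
    else:
        listen = "127.0.0.1"  # loopback on the SSH server only
    return {
        "local_forward": local_ok,
        "remote_forward": remote_ok,
        "remote_listen": listen if remote_ok else None,
        "reachable_from_other_hosts": remote_ok and listen not in ("127.0.0.1", "::1", "localhost"),
    }
```

For the stock configuration the result shows the -R port listening on the SSH server's loopback interface only, so access from a third computer via “192.168.178.69:9000” requires GatewayPorts to be enabled on the server. Enabling it exposes the forwarded service to every host that can reach that port, so restrict it with a firewall or a specific bind address where possible.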