SSH Tunnels


SSH Tunneling
Bypassing Firewalls Using SSH Tunneling
Connect to MySQL via SSH
Can I secure browse the internet by establish an SSH tunnel with my home computer? This is just to satisfy my curiosity. The tunnel needs to somehow capture all outgoing HTTP(S) traffic, direct it to my home computer, which somehow make the request to the original server. Perhaps I can configure my work computer to use a proxy or a SOCKS firewall. Perhaps I can install a SOCKS firewall on my home computer, configure it to allow all traffic through, and configure my work computer to use that SOCKS firewall through the tunnel.

On your local machine (your laptop), execute:

ssh  -L 8080:intranet_webserver:80 -L 110:mailhost:110 username@ssh_server

This opens a ssh connection to the ssh_server, and set up port 8080 on your local machine to be forwarded to port 80 on your intranet web server. To access your intranet web server, point your browser to http://localhost:8080

The -L options can be specified multiple times to establish multiple tunnels.

If you are using PuTTY, its UI is a bit confusing, so just play with it so that entries in the list of forwarded ports have L in front of local port.

To access the Windows PC at work with remote desktop:

1. disable remote desktop on home laptop
2. establish a tunnel using IP from step 6 (7777:x.x.x.x:3389)
3. on home laptop, go to Start Menu -> All Programs -> Accessories -> Communication -> Remote Desktop
4. put in localhost:7777

Note that you will have to be root on your laptop for this example, since you'll be binding to a privileged port (110, the POP port). You should also disable any locally running POP daemon (look in /etc/inetd.conf) or it will get in the way.

Assuming you have your RSA or DSA keys setup, you can even run this in the background (tack on a &). This sets up the tunnel, and starts forwarding your local ports to the remote end through it. The -N switch tells SSH to not bother running an actual command on the remote end, and just do the forwarding.

Another useful feature of port forwarding is for getting around pesky firewall restrictions. For example, I was recently behind a firewall that did not allow outbound Jabber protocol traffic to With this command:

ssh -f -L home -N

I was able to send my Google Talk traffic encrypted through the firewall back to my server at home and then out to Google. All I had to do was reconfigure my Jabber client to use localhost:3000 as the server.

The trick: instead of directly connect to the remote machine, you connect to the local machine (localhost)

Using SSH Tunnels for testing:

As a developer, I need to test my changes before it get deployed, but sometimes this can be tricky when you have to test the behavior of your javascript code according to the environment it should be executed. For example, on production, my application is accessible via, and on training, it is accessible as, but in development, it is accessible via localhost:7001, and I have javascript that check the URL of the page, and do its thing. To test my changes, I modify my C:\WINDOWS\system32\drivers\etc\hosts so that each of the above URL points to Under normal circumstances, this should be sufficient. However, on my development (Windows) machine, I also run other semi-critical services on port 80 and 443, so I didn't want to interrupt these services. I decided to use SSH Tunneling. I made change to my C:\WINDOWS\system32\drivers\etc\hosts as mentioned. I have SSH access to another Linux box, so I configure PuTTy on my Windows box so that when it connects to my Linux, it also establish a tunnel. It works like this: when I use the browser and go to, it hit my local machine on port 443, which get forwarded to my Linux box on port 22, which then get routed back to my local machine on port 7002. When I am done with my testing, and disconnect from my Linux box, everything go back to normal (after I have to undo the change in C:\WINDOWS\system32\drivers\etc\hosts). Not sure if my semi-critical services were interrupted during this testing process. I also seems to avoid the HTTPS certificate warning somehow. For this to work, my PuTTy is configured:

L443 ->
L80 ->

where is the IP address of my development (Windows) box, and the IP address of my development (Linux) box is In this scenario, the traffic hit my Windows box, forwarded to my Linux box, and then back to my Windows box, which is a bit different from other forwarding scenarios.

After making change to C:\WINDOWS\system32\drivers\etc\hosts, we need to run "ipconfig /flushdns", clear browser cache and restart the browser before testing.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License