SSH Tunneling?

Been looking into SSH Tunneling for the most part of today and I have a few questions.

What I am trying to achieve is have port xxx,xxxx etc forwarded locally to port 23 which would then securely connect to a ssh server which would then translate those ports into the correct ones and establish the connection.

Diagram below should illustrate it better:


Remote PC would forward any request from Local PC back via the secure tunnel.

My questions are:

1) Is it possible to set this up on a Windows-based PC? Local PC would be running Windows XP Professional SP2 64bit and Remote PC running Windows 2003 Enterprise Server

2) Would the delay in communicating via this method be noticeable? Pings to Remote PC from Local PC are roughly 11ms and pings from Remote PC to jolt.co.uk are 3-5ms

3) Would it be possible for the Remote PC to handle 5-10 clients connected via this method?


Details on Remote PC are as follows:

Windows 2003 Enterprise Server 64bit (fully patched)
8GB RAM
4TB RAID 5 Storage
2X 24Mbit Download with 2X 2.5Mbit Upload


NOTE: Found a piece of software called PuTTY which seems to be able to establish SSH connections. Reading up on that now, any pointers would be helpful.
 
Just came across that. Cheers ;)

Got any idea on performance when it comes to browsing / checking mail etc via a tunnel?

I sometimes use SSH with danted (on Gentoo), it only has me on it, it is slower, but still perfectly acceptable, I am sure it is just down to running it from my home connection.

I really can't see there being any problem with 10 people on the machine in your original post, the only issue might be because it's running on Windows when it was designed for Linux.

From the spec in the OP can I assume this is a work setup? What are you trying to achieve (I can't see your picture)? A VPN might be a suitable solution if you are just trying to link into a network. Also using PuTTY might scare users, they have a program called "plink" which is a command line version which would let you hide away the interface.
 
Main reason for the setup is to provide a secure way to communicate with the server for anyone using a laptop.

For example person A might decide to check his/her email from a local cafe's free wireless access point.

Anyone with a bit of know-how can "see" what is being transferred.
The problem being with everyone using laptops is that they are often using it from unsecured locations or access points where only the basic ports are available (80, 21, 443 etc).

Using this system, I am hoping to let them have secure access to the internet / check emails / remote desktop / secure video conferencing from any location etc.

EDIT: Updated OP with image
 
It seems as though what you are trying to do may be better over a VPN - easy to set up and makes sure that all your traffic is secure.

SSH is great for 'telnet' and also secure file transfers (WinSCP for the win here). VPNs do the whole end-to-end secure thing for all traffic.
 
As said, VPN is what is normally used in those situations, which is great for homeworkers, but does need extra ports open which could be a problem depending on where they are connecting from. I don't know if you can change the port Microsoft's VPN solution uses, but I think OpenVPN can be set to run over TCP port 443.
If you are using Exchange you could set up Outlook Web Access to use SSL, or Outlook using RPC over HTTP can be set up with SSL which should be secure for emails.
At work we have a web based VPN system as well using some piece of Cisco hardware, which lets you log in using a web browser, then starts a Java application which redirects ports from your local machine to the remote system.
 
I used ssh tunnelling a fair bit while at uni. Performance obviously largely depends on your connection and that of the remote pc. So at uni, ja.net > server in docklands > internet, was plenty swift. From the pings you've said it should be suitably fast too.

For SSH tunnelling with PuTTY you'd basically set up a tunnel with forwarding on whatever local port, say 1080, and with a dynamic destination. Then you set up something like Freecap to use the tunnel and launch programs from there. Or you can individually configure programs, e.g. for Firefox, connection options > manual proxy config > and setting a SOCKS host on "localhost" and port 1080. Pretty easy really and works well. I'll happily set you up with a shell to play around with for a bit if you want.

A VPN is perhaps more effort initially to set up (I never bothered myself) but would be a lot simpler to use. As others have suggested, probably the better option.
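
As an added example (not part of the original post), a small check that the dynamic forward described above is listening and speaking SOCKS5, and that the destination is sent as a hostname so the name is resolved at the SSH server end rather than on the untrusted local network. Port 1080 comes from the post; the function names and the `example.com` target are assumptions made for illustration.

```python
import socket
import struct

def socks5_connect_request(hostname, port):
    """Build a SOCKS5 CONNECT request using ATYP 0x03 (domain name), so the
    far end of the tunnel does the DNS lookup, not the laptop."""
    name = hostname.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes")
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3, length-prefixed name, port
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def recv_exact(sock, n):
    """Read exactly n bytes or raise if the proxy hangs up early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def probe_tunnel(target_host, target_port,
                 proxy_host="127.0.0.1", proxy_port=1080, timeout=5.0):
    """Return True if the local SOCKS5 listener accepts 'no authentication'
    and reports a successful CONNECT to the target through the tunnel."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")            # offer one method: no auth
        if recv_exact(s, 2) != b"\x05\x00":   # proxy must select it
            return False
        s.sendall(socks5_connect_request(target_host, target_port))
        reply = recv_exact(s, 4)              # VER, REP, RSV, ATYP
        return reply[0] == 5 and reply[1] == 0

if __name__ == "__main__":
    # example.com is a placeholder target (assumption, not from the thread).
    try:
        ok = probe_tunnel("example.com", 80)
        print("tunnel OK" if ok else "proxy refused the request")
    except OSError as exc:
        print("no usable SOCKS listener on 127.0.0.1:1080:", exc)
```

A client that resolves the name itself and sends an IP address (ATYP 0x01) still exposes its DNS lookups to the local network, even though the connection itself goes through the tunnel.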
 
Thanks for all your replies.

Vai, I will definitely be looking to move the mail to secure ports. Thanks.

Beh, Sounds like exactly what I'm trying to achieve. Setting up a couple of VM's on the server to play around with. Did you follow a guide of some kind or just tried it and hoped it worked?

NathanE, Had a go with Hamachi, the lights come on green but none of the machines can actually see each other online. Possibly due to port blocking?

VPN would be an ideal solution but because of the additional ports it uses, it would be hit n miss whether it would work from one location to another.
 
Hamachi uses UDP and a few tricks of the trade to punch a hole through almost any NAT firewall :) If it's not working then the network you're on is too heavily firewalled I'm afraid - in which case SSH Tunneling is possibly the only alternative. Although you could punch a hole with a SSH Tunnel and then run Hamachi over it ;)
 
Hamachi uses UDP and a few tricks of the trade to punch a hole through almost any NAT firewall :) If it's not working then the network you're on is too heavily firewalled I'm afraid - in which case SSH Tunneling is possibly the only alternative. Although you could punch a hole with a SSH Tunnel and then run Hamachi over it ;)

Now that sounds like a fun way to spend a Sunday :p

VM's are almost up, setting up 2x Windows 2003 Servers, 5X XP SP2 clients and 2X Vista Business clients.
 
Beh, Sounds like exactly what I'm trying to achieve. Setting up a couple of VM's on the server to play around with. Did you follow a guide of some kind or just tried it and hoped it worked?
Combination of reading a few guides and a bit of trial and error. As NathanE suggests, quite handy for getting past a NAT firewall.
 