How to create an SSH tunnel between a Linux server and a Windows client

The idea of building an SSH tunnel is to encrypt all connections (regardless, for example, of whether you go to an https or http page) and connect to the Internet through a secure channel. This "safe" channel is nothing more than a server configured for this purpose. This server could be, for example, in your home.


The "disadvantage" of this method is that you always have to have this machine turned on and configured correctly to function as an SSH server, but it allows you to substantially improve the security of your connection and even evade the connection restrictions imposed by network administrators (for example, at your job).

I hear you ask: can this really help me? Well, let's assume the following scenario: you are in an internet cafe or restaurant with free Wi-Fi and you need to make a bank transfer or other important operation. Of course, it is always recommended to carry out these types of transactions in a safe environment. However, there is a solution: an SSH tunnel. In this way, we can connect to the Internet through our "secure" server.

This method is also useful for circumventing the restrictions imposed on connections in many work environments. Can't access YouTube from work? Well, an SSH tunnel may be the solution, as all requests will be made through your "secure" server. In other words, since the IP of your secure server is not blocked (while YouTube's is), you will be able to "evade" this restriction (not being able to access YouTube), because as far as the administrator of your company's network can tell, your machine is only talking to your "secure" server; they have no idea that through it you are actually browsing a lot of pages.

In this tutorial we are going to explain the "typical" case: Linux server, Windows client.

Configure Linux server

1.- Install the SSH server. To do this, I opened a terminal and ran:

On Ubuntu:

sudo apt-get install openssh-server

On Arch:

sudo pacman -S openssh

On Fedora:

sudo yum -y install openssh-server

Ready. You will now be able to access the Ubuntu (SSH server) with an SSH client.

2.- Once installed, it is useful to review the configuration file:

sudo nano /etc/ssh/sshd_config

From this file you will be able to configure your SSH server at ease. My recommendation is to modify only 2 parameters: Port and AllowUsers.

To avoid possible attacks it is advisable to change the port that SSH will use. The default value is 22; you can choose another that suits you best (for the purposes of this tutorial we chose 443, but it can be any other).

The AllowUsers parameter allows you to restrict access by user and, optionally, by the host from which that user can connect. The following example restricts access to the SSH server so that only the users fulano and mengano can connect, and only from hosts 10.1.1.1 and 10.2.2.1.

AllowUsers fulano@10.1.1.1 mengano@10.1.1.1 fulano@10.2.2.1 mengano@10.2.2.1
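
A way to check the two directives after editing, as an added example that is not part of the original tutorial: the function below reads a config file and reports the Port and AllowUsers values from its global section, warning when the port is still 22 or AllowUsers is missing. The function name audit_sshd_config, the sample file and its user names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report the Port and
# AllowUsers settings found in the global part of an sshd_config file.
audit_sshd_config() {
    awk '
    {
        sub(/#.*/, "")                                    # drop comments
        if ($0 ~ /^[ \t]*[A-Za-z]+[ \t]*=/) sub(/=/, " ") # accept "Port=443"
        if (NF == 0) next
        key = tolower($1)                                 # keywords ignore case
    }
    key == "match" { exit }       # Match blocks are conditional: stop here
    key == "port" { port[++p] = $2 }                      # Port may repeat
    key == "allowusers" { for (i = 2; i <= NF; i++) user[++n] = $i }
    END {
        if (p == 0) port[++p] = 22                        # sshd default
        for (i = 1; i <= p; i++) {
            if (port[i] + 0 == 22) { print "WARN port 22 (default)"; bad = 1 }
            else print "INFO port " port[i]
        }
        if (n == 0) { print "WARN AllowUsers not set"; bad = 1 }
        for (i = 1; i <= n; i++) {
            note = (user[i] ~ /@/) ? "" : " (from any host)"
            print "INFO allow " user[i] note
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample using the values from the tutorial text.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 443
AllowUsers fulano@10.1.1.1 mengano@10.1.1.1
AllowUsers fulano@10.2.2.1 mengano@10.2.2.1
EOF
audit_sshd_config "$sample"   # exit status 0: no WARN lines
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on the server; a non-zero exit status means at least one WARN line was printed.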

Configure the router

In case your server is behind a router, it is necessary to configure the latter so that it does not block incoming connections. More specifically, you have to configure.

Before going to the point and showing the necessary configuration it seems prudent to explain a little what port-forwarding consists of.

Suppose you have a local network of 3 machines, all of them behind a router. How does an incoming connection (from SSH, as would be our case) manage to communicate with machine 1 of our local network? Don't forget that "from the outside" the 3 machines, although they have local IPs, share a single public IP through which they connect to the Internet.

The solution to the aforementioned problem is port-forwarding. In this way, when incoming connections are received to port X of our public IP, the router will refer it to the corresponding machine. In this way, whenever we connect through that port, we know that the router is going to redirect us (hence port-forwarding) to the corresponding machine. All this, obviously, must be configured in the router.

The port-forwarding configuration varies a bit according to the router you are using. The most practical is to visit portforward.com, choose the router model you are using and follow the steps described there.

Configure the Windows client

To connect from Windows, it is practical to use the PuTTY tool as an SSH client.

1.- The first step is to download PuTTY

As you can see on the PuTTY download page, there are several versions available. I recommend downloading the portable version of the program: putty.exe. The advantage of choosing the portable version is that you can always carry it with you on a pendrive and run the program from any computer, wherever you are.

2.- Open PuTTY and specify the IP (public) and port of the server to which the SSH client should connect. How to find out the public IP of your server? Easy, just google "what is my public ip" to find thousands of pages that offer this service.

3.- In case the "client" is behind a proxy, don't forget to configure it correctly. In case you are not sure what data to enter, open Internet Explorer and go to Tools > Connections > LAN Settings > Advanced. Copy and paste the data that appears there in PuTTY, as seen in the image below. In some cases, you may need to enter a username and password.

4.- It is necessary to enter the "local" port-forwarding data to build the SSH tunnel. Go to Connection > SSH > Tunnels. Here the idea is the following: we have to tell PuTTY which connections to "divert" to our secure server. To do this, we must choose a port.

My recommendation, especially if the machine is behind a proxy, is that you choose port 443 since it is the one used by SSL to make secure connections, which will make it difficult for the administrator to discover what you are doing. On the other hand, port 8080 is the one used by HTTP (which is not a "secure" connection) so an experienced network administrator may be suspicious and may even have blocked the port for other types of connections.

In Destination, re-enter the IP of the secure server, followed by a colon and the port you opened in the step titled "Configure the router" and in the ~/.ssh/config file. For example, 192.243.231.553:443.

Select Dynamic (which will create a SOCKS connection, which we will use in the next point) and click Add.

5.- I went back to the main PuTTY screen, clicked Save and then Open. The first time you connect to the server, an alert message like the one below will appear:

6.- Then, it will ask for your username and password with access to the server.

If everything went well, once the login is done, you should see something like what you see below ...

7.- Finally, without closing PuTTY, open and configure Firefox (or your favorite browser) to connect to the Internet through PuTTY.



  1.   Jose daniel rodriguez said

    A question: in step 6, which username and which password should I put?

  2.   jose said

    excellent, I will try to configure it with my house

  3.   Al said

    to access the internet from my home:
    dial-up connection by 56k modem,
    I run a .bat file that has this configuration:
    @Echo Off
    C:
    Cd C:\Windows
    putty -N -C -D 1080 -P 443 -ssh user@00.00.000.000 -pw pass
    Exit
    and what is related to the putty which is configured in this
    form: in options controlling proxy usage I put it in http, in proxy
    hostname I put my proxy and port 3128 and username and password
    I put my data leaving everything else untouched and saving this
    configuration a first time as default settings
    and in order to use mozilla, yahoo messenger, etc, I have to proxify
    applications with the proxifier version 3 configured in this way:
    in proxy server with the address 127.0.0.1 port 1080 sock version 5,
    in proxification rules I add the putty application and in actions I put
    direct, so that all programs come out through it.
    I need to know how I can achieve it on my android phone that
    I connect to my pc through connectify and it shares my connection from
    telephone access. I need tutorial and apks to solve this for me
    dilemma. Greetings and thanks in advance

  4.   Clint Eastwood said

    It was necessary to explain how the SSH server will magically attend to the HTTP requests that the client makes ... weak the tutorial ...

    1.    Errol Flynn said

      Wrong Clint Eastwood.

      With what was explained in the tutorial, "magically", it works!

      Not at all weak, rather I would say fair and concrete.

      Very well explained for the inexperienced.

      regards

      1.    let's use linux said

        How good that it has served you! A hug! Paul.

  5.   DumasLinux said

    It works very well.

    As below, SSH tunnel with WinSCP:

    http://www.sysadmit.com/2014/05/linux-tuneles-ssh-con-winscp.html

  6.   JEAMPIERRE ZAMBRANO-CAVE said

    great very well explained 5 * thanks

  7.   Rodrigo said

    A question…
    What if what I want is a tunnel between two Linux machines? I have the following situation: At my work we are fiddling with a pc, we want to test video conferencing software, so we had to install a server on an abandoned pc. The problem is that when installing the software (bigbluebutton) the installation fails ... we discovered that the problem is that the download of a component of the installation is being blocked (I am not a computer scientist, I am a teacher in constant learning) ...
    As the Company is great, the possibilities of helping us from networks are less than nil ...
    So, I was thinking of connecting the server (ubuntu server) through an ssh tunnel with my home pc (that has ubuntu) and then installing the software ...
    Is it possible? Can you help me?

  8.   suan said

    Hello good, I have a query, I want to connect to an application that I have on my Debian server that is in a virtual machine, which I have mounted on Windows and I want to access that application from another network, someone guide me please.

  9.   anony said

    How to Install and Configure an SSH Server
    https://www.youtube.com/watch?v=iY536vDtNdQ

  10.   Tosko said

    Hello good, I have a question that is bothering me a lot and I have decided to go to consult the community .. well here I am, to see if you can help me .. I am "new" in the world of virtualization, linux.

    The case is the following I have installed a virtual machine with linux server 14.04.5 LTS, I have configured the network in Vbox as a "bridge adapter" by selecting my network adapter. Once inside my server, I have installed several things, that is, I have internet access .. among those things I have installed the SSH service, leaving port 22 by default and the ftp service "vsftpd".

    When consulting the command «ifconfig» it answers me:
    Link encap: Ethernet address HW 08: 00: 27: d5: 2c: 88
    Address inet: 192.168.0.13 Diffus.:192.168.0.255 Masc: 255.255.255.0
    ……

    Now, to connect from my computer (Windows 10) with Putty to my virtual server using ssh (port 22) I use the ip "192.168.0.13", and the same with FTP, but if I want a friend from home to connect to my server either through SSH or FTP it is impossible for us to use the IP that I use on my computer.

    I would like to know why this is because the ip "192.168.0.13" I think works locally, that is, should I configure something else, modify / etc / network / interfaces, modify something in iptables?
    Well, I want my server to work as a public IP to which anyone can connect with access.

    Thanks in advance!