Creating an SSH tunnel between two computers, even over the Internet and through a firewall.



Refactoring started, still much in Linc's original words.




While doing some reading at NCCAC today (where I don't (can't?) run Linux, and thus can't (easily) test this), I realize that I've been reading Linc's notes wrong. Apparently he runs the ssh command at work and then runs the telnet localhost command at home. I'm not sure that's required, but I'll test it that way next time I'm at home.



Maybe move to (or combine this page with) the SSH page.

I, at least, am a little confused about terminology. I'm going to describe a few "use cases" for ssh, and later try to associate the "correct" terminology with each. (In a way, I think tunnel could be applied in each case, but I'm not sure that matches the "traditional" usage.)

  • Connect two computers together (call them "server" and "client"), such that you can run applications on the server, from the client, and everything seems as if you are sitting at the server, but all communication between the two is encrypted by ssh. Although I think you could think of the link as a tunnel, at least in some documents this seems to not be considered a tunnel. (Citations later). Give a few examples.

  • Same as above, but there is a (or more) firewall(s) between the client and server. Now, at least some people (Linc) start to use the term tunnel. If I buy into not using "tunneling" for the first example (use case) above, I'd tend not to use "tunneling" to describe this use case. Why? I'm not 100% sure, but one of the reasons is that I don't see much difference between this and the previous case, and just getting through a firewall I don't think I've heard as "tunneling through" a firewall, you simply open up a port on the firewall (I may have oversimplified that), and that action occurs on the firewall. You can't, AFAIK, "tunnel through" that firewall only by doing things with SSH on the client or server, you must take action at the firewall. Now, maybe, the action of opening a port on the firewall can accurately be described as "tunneling", but I don't think it would be particularly accurate (or meaningful) to describe that as "SSH tunneling", if you did, would you describe similar action for SMTP, HTML, POP, IMAP, or whatever as "<whatever> tunneling"?

  • The documentation I've read most recently on SSH tunneling (citations later) does describe SSH tunneling as involving three computers, but none of them particularly acting as a firewall. What terminology do they use? — off to do some reading.

OK, SSH Tunneling (Port Forwarding) talks about:

  • the user's machine (what I'd call the client)
  • the gateway (not like my Internet gateway, more like what I call the server, above)
  • the target machine

The sketch (I should make one) shows the Internet between the user's machine and the gateway, but if you read the document, the Internet might also exist between the gateway and the target machine (and, IMHO, a firewall could exist in either or both of those locations — but maybe not).

Using that terminology, they issue a command like this on the user's machine:

ssh -l myuserid -L 7777:work:22 gate cat -

Which means (their words) open an ssh connection as user myuserid to host gate and execute the command cat -. While the session is open, redirect all connections to port 7777 on the local machine to port 22 on machine work.

(This confuses me at least a little bit, because it's not immediately clear (to me) how much of the redirection is due to the ssh command, and how much is due to the cat - command. Suppose the command was ls (or pwd, whoami, or similar) instead of cat - — which machine is that command actually run on??) (An experiment to run when I'm home again.)

(Another confusing thing in the examples various people use is when they use the same port number on two of the machines. In this case, they use port 22 on both gateway and target.)

L and R


Let's say I'm at a local computer named and want to communicate securely to a remote computer named with IP address

I can run these two commands:

ssh -R 11000: -f -g
telnet localhost 11000

And my telnet connection will be to the remote computer ( and be secure as it is encrypted via ssh. (Secure is relative here, but you (I) might as well start off on the right foot, i.e., knowing what security it provides and what it doesn't.)

Some commands that almost worked:

rhk@system5:~$ ssh -l alex -R 11000: -f -g -N
alex@'s password:
rhk@system5:~$ Warning: remote port forwarding failed for listen port 11000

In the above, I'm on system5, and I want to talk to system1, and I think I have the command right (as opposed to interchanging those two IP addresses).

Trying to put that SSH command into English, "connect to"?? (ignoring the -l, -f, -g, and -N switches for the moment).

What It Accomplishes

You can set things up to work on a remote machine (at work, for example) from a local machine (at home) over a secure (encrypted) connection.

Basically you use ssh to bind 2 ports together (1 on each machine). Linc has port 11000 forwarded through an ssh tunnel to 23 on a machine in his office (on the other (safe) side of a firewall).

When he types "telnet localhost 11000" on his machine at home, it actually telnets to his machine at work through the ssh tunnel.

How to Do It

On the server machine:

ssh -R $port_on_workstation:$server_ip_address:$port_on_server -f -g -N $workstation_ip_address

For example:

ssh -R 11000: -f -g -N linc.homeunix.org

I (rhk) am a little confused at this point: if his server is at work, and he is at home, he runs this at work (before leaving), then when he's home he types "telnet localhost 11000" and it connects to the computer at work??? No, can't be (how does the computer at home have any knowledge of the computer at work??). Am I confused, is Linc, is he playing with me (on a variation of the old X client/server confusion)?? Must be that he types "telnet localhost 11000" at work and connects to the computer at home. Read this again, and try again (to refactor).

I start this on my server (which is the computer I want to connect TO at work) whose local (not internet) ip address is ssh creates a tunnel from port 11000 on linc.homeunix.org to port 23 (telnet) on the server machine (

ssh -R 11000: -f -g -N linc.homeunix.org

You can look the options up on the man page for ssh, but that's how I do it. A couple more notes: Make sure that, using the above example, one machine can directly see the other (my server is past a firewall on an internal network but linc.homeunix.org is publicly accessible). Best advice is to set up authentication for ssh so you don't have to type in the password. You can find reference to this on http://linc.homeunix.org:8080/blog/archives/monthly/2003-10.html#2003-10-16T00_00_37.htm


  • Linc Fessenden, via posts to lvlug@thelinuxlinkPLEASENOSPAM.net ca. 5 Feb 2004
  • () RandyKramer - 07 Feb 2004
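An added example, not part of the original notes or of Linc's posts: a small shell function that decodes a -L or -R forwarding spec and reports which machine listens, which leg ssh encrypts, and which leg is ordinary TCP. The function name explain_forward and the SERVER_IP placeholder (standing in for the server address this page omits) are made up for the illustration.

```shell
#!/bin/sh
# Added example: decode an OpenSSH forwarding spec, [bind_address:]port:host:hostport.
# "client" is the machine where ssh is typed; dest is the host ssh logs in to.
# Bracketed IPv6 literals are not handled.
explain_forward() (
    mode=$1; spec=$2; dest=$3
    IFS=:; set -f
    set -- $spec                       # split the spec on ':'
    case $# in
        3) bind=loopback; lport=$1; host=$2; hport=$3 ;;
        4) bind=${1:-*}; lport=$2; host=$3; hport=$4 ;;   # empty bind = all interfaces
        *) echo "incomplete spec: $spec" >&2; exit 1 ;;
    esac
    [ -n "$host" ] || { echo "missing target host" >&2; exit 1; }
    for p in "$lport" "$hport"; do
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; exit 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; exit 1; }
    done
    case $mode in
        L) listener=client; connector=$dest      # -L: listen here, connect from dest
           note='-g widens the default bind to all interfaces' ;;
        R) listener=$dest; connector=client      # -R: listen on dest, connect from here
           note='sshd GatewayPorts decides if non-loopback binds are honoured' ;;
        *) echo "mode must be L or R" >&2; exit 1 ;;
    esac
    case $host in
        localhost|127.0.0.1) plain="none ($host is $connector itself)" ;;
        *) plain="$connector -> $host:$hport" ;;
    esac
    printf 'listens:   %s port %s, bind %s (%s)\n' "$listener" "$lport" "$bind" "$note"
    printf 'encrypted: client <-> %s\n' "$dest"
    printf 'plain TCP: %s\n' "$plain"
)

# The page's -L example. The trailing "cat -" runs on gate and only keeps the
# session open; the forwarding is done by ssh itself.
explain_forward L 7777:work:22 gate
# The page's -R example; SERVER_IP is a placeholder for the address the page omits.
explain_forward R 11000:SERVER_IP:23 linc.homeunix.org
```

The "plain TCP" line is the part ssh does not protect: traffic on that hop is only as private as the protocol being forwarded, which matters when that protocol is telnet.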

Topic revision: r4 - 2004-02-17 - RandyKramer