Bare-bones SSH Tunneling

This year, I wanted to work remotely for a day or two in the week leading up to Christmas. I went through the trouble of getting an RSA dongle and setting up the terrible VPN software on my machine, only to discover that I couldn’t access some resources that were within my company’s DMZ. When I asked about this, the “official” response was that it was expected for users to connect to an intermediary machine first, then connect to the desired (restricted access) resource. Whiskey Tango Foxtrot! The problem here is that I don’t have an intermediary machine.

This situation can be (mostly) solved by using SSH tunneling, which can take network traffic directed at a local port, and send it to a remote port via a man-in-the-middle server. In my case, I have access to an internal-only webserver, which itself has access to the DMZ. The two tasks that I needed to do on restricted server were HTTPS access (port 443) and SFTP access (port 22).


ssh -L 3000:<inaccessible_server>:443 <your_username>@<accessible_server> -N

The -L option means we want to do local port forwarding, and -N specifies that no command should be executed on the remote server. You could also add -f if you want to put the ssh process in the background. Run this command, and load localhost:3000 in your browser. Unfortunately, you’ll see a “certificate mismatch” error message, because the SSL certificate doesn’t match the URL. A hacky way to fix this is to modify your /etc/hosts file, and add an alias (on a new line): <inaccessible_server_url>

Then you can hit <inaccessible_server_url> as (almost) normal, the only difference being that you have to specify port 3000 instead of the normal HTTPS port 443.


Basically do the same thing as with the HTTPS setup, except change the remote port to be 22:

ssh -L 3000:<inaccessible_server>:22 <your_username>@<accessible_server> -N

Add your hosts alias, then modify your SFTP connection to hit port 3000, and connect as normal.

(Note that adding the DNS alias only matters if you’re accessing the server via URL; if you’re connecting via IP, you’ll have to change the server to localhost.)