SSH Tunnel from Windows
This is something I have been doing for a while in place of VPN (Virtual Private Network). I didn’t want to go through the headache of setting up a VPN server and having to worry about a VPN client. In my case I mainly send web traffic through, so this is a much simpler way to achieve that goal.
First thing you need is a server/workstation that you can tunnel into. This requires some SSH server software. I was already set up and ready to go. I currently run about four Ubuntu servers and a Debian workstation that all run OpenSSH server. If you read this article and thought I would be using Windows from both ends, you were wrong. But just in case, freeSSHd is a good SSH server for Windows.
Next you will need to set up Dynamic DNS or have a static IP address for your home. I did not have an option for a static address so I am using Dynamic DNS with no-ip.
You will also need a SSH client. Putty is my choice. Others can be found here. Putty is my choice mainly because it is easy, small and doesn’t require an install. It was the first client I found, the one I see the most and I have not come across another that has convinced me to leave it behind.
Lastly, for this setup you will need a browser. This example will user Firefox.
Next we need to set some things up. First, I need to allow SSH traffic into my network. I will do this on my router. This step can be different depending on your router, but should be similar enough to get done with these instructions.
I use a RaspberryPi running IPFire as my router. Unless you have the same setup this will be a bit different for you. Portforward.com may be helpful if you are not sure how to forward a port on your router.
The goal here is to foward certain traffic from the outside to your SSH server internally. It is not a good idea to use the default SSH port (22) externally. I suggest picking something out of the ordinary (ex. 9991). With the port forwarded, external users will hit port 9991 and be directed to your internal host on 22. That way anyone scanning you externally for known ports will not pick up SSH.
To create a forward in IPFire I will need to go to
Firewall > Firewall Rules > New Rule
For the source, I will allow Any. I will enable Destination NAT (Port forwarding). My firewall interface is ‘RED’ and new source IP Address will be ‘GREEN’. My destination is my SSH servers internal IP (10.1.1.3). The protocol is TCP, destination port is 22 and External port for this example is 9991. I will use the additional settings to set a remark, active the rule and log traffic that uses this rule. I will now save these settings.
Dynamic DNS allows you to use a domain name instead of an IP address, and is also kept up to date when your IP address changes. There are multiple services that you can use to achieve this, some free, some not. It is best to see if your router supports Dynamic DNS and choose a provider from that supported list.
Luckily for me IPFire supports numerous services. You cann access these settings in IPFire by going to
Services > Dynamic DNS
Choose a service from the provided list, enter the hostname you registered with that service, and enter the username/password that you use for the service.
* If you are new to Dynamic DNS I would suggest Namecheap as a provider. They have lots of useful documentation in their knowledgebase. *
Now we configure Putty. In the Host Name (or IP Address) field you will enter your dynamic DNS address or static IP. Enter 9991 in the Port field. At this point you can make a SSH connection to your server. But we want to forward some web traffic. To do that we need to add the tunnel.
Select the plus next to SSH from the Category pane. Then select Tunnels. For Source port enter 8080, this actually be whatever you want. Select the Dynamic radio button below the Destination field. Click the Add button.
Now select Open and you will probably receive a warning about the security certificate. Select Yes or No and continue past. Now you should see a command prompt for your SSH server. Log in using your credentials and now you can minize this window. Keep in mind that it must stay running at all times to keep the tunnel open.
Now the magical part. Once you have connected to your SSH server using Putty you need to configure your browser to use this tunnel for traffic. In this example I am using Firefox, the location of the proxy settings will be different for each browser.
To set the proxy settings in Firefox you will go to
Options > Network > Settings
Select the Manual proxy configuration radio button. For SOCKS Host: enter localhost, for Port enter 8080 and then select the box for Remote DNS.
That is then end. This can be extended into all types of things, and can tunnel all kinds of different traffic. I have used tunneling for HTTP, VNC and even tunneled my VMWare Esxi client. This is a great alternative to VPN as it is fast, reliable and secure.