Poor man’s VPN with SSH | Setting up an SSH tunnel with PuTTY

Standard

Article #1 From: http://fnord.no/sysadmin/security/vpn-with-ssh
Article #2 From: http://realprogrammers.com/how_to/set_up_an_ssh_tunnel_with_putty.html


Poor man’s VPN with SSH

SSH has port forwarding, dynamic forwarding, and now also IP forwarding. This allows you to create connections out through a firewall, and allow other connections in and out through your SSH-connection, originating at your SSH server. Read on for a few examples of use, and make sure you have the blessing of your security team.

Local forwarding

With local forwarding, you open a local port, and forward it to another host and port from the remote server.

Often used with forwarding to single webservers, proxies, Citrix ICA servers, VNC servers, and Windows Remote Desktop (RDP).

Example with local forwarding

Connect to a server at work, forwarding a connection from port 10080 on my laptop to important.server.example.org.

I can then open my browser to http://localhost:10080, and do my stuff. Some web applications, though, can be tricky enough to expect a hostname, and for that you need to edit /etc/hosts or equivalent, or you can read on for dynamic forwarding.

Remote forwarding

With remote forwarding, you open a listening port on the remote side, and forward it to another host and port from the local server.

Example with remote forwarding

One useful scenario is to help family members who have PC trouble. For instance: Mom has a problem, calls me, and wonders if I can help, and then clicks an icon on her desktop that does the following thing:

  • Starts Remote Desktop or VNC
  • Connects to my SSH server, with remote forwarding from <vncport1> on the SSH server, to localhost:<vncport1> on her PC.

What I do, is:

  • Connect to my SSH server, with local forwarding from <vncport1> on my laptop, to <vncport1> on the SSH server, which again connects through the remote forwarding to localhost:<vncport1> on mom’s PC.
  • Start a VNC client, and connect to my localhost:5801 on my laptop. This port is now connected through my ssh session, to mom’s ssh session, to her PC.

Dynamic forwarding with SOCKS

OpenSSH’s client has the ability to do dynamic forwarding to act as a local SOCKS server, both for SOCS4 and SOCS5.

Many programs have built-in SOCKS support, so if you enable this, and configure it to use localhost:<socksport> as a SOCKS proxy.

For programs with no built-in SOCKS support, you can use “tsocks”, to intercept networking calls, and work through the SOCKS server.

Example with dynamic forwarding

Then I configure Firefox, for instance, to use the SOCKS server at localhost port 1080, and all my web connections will go through the SSH connection, and appear to be initiated from myserver.example.com. Much easier than with local forwarding, and works great for remote administration of things from home where you use different hostnames and ports, and perhaps also unroutable IP addresses.

IP forwarding with TUN

Now we’re talking. This is the real thing, we get IP forwarding through a point-to-point interface. This exists only in newer versions of OpenSSH, and is not very well documented yet. Unfortunately, this also includes this document until I have more time to research further.

Example with IP forwarding

Where ‘0’ is the local device tun0, and ‘1’ refers to the remote device tun1. On each side, one needs to set an IP address for host-to-host contact, and add routing and perhaps also NAT for network access.

Beware, as careless use of IP forwarding between sites may have a serious impact on network security, and may make others very angry if used without permission.


realprogrammers.com

Setting up an SSH tunnel with PuTTY

What follow is how to set up as SSH tunnel using PuTTY with the MySQL port (3306) forwarded as an example. After completing this how-to you’ll have port 3306 on your local machine listening and forwarding to your remote server’s localhost on port 3306. Thus effectively you can connect to the remote server’s MySQL database as though it were running on your local box.

Prerequisites

This how-to assumes your MySQL installation has enabled listening to a TCP/IP connection. Only listening on 127.0.0.1 is required (and the default as of MySQL 4.1). Although beyond the scope of this how-to, you can verify the server’s listening by using

on the server. Look for

and

in your

. Also, a trouble-shooting guide.

To achieve the same with PostgreSQL simply use PostgreSQL’s default port, 5432.

to test;

and the manual as pointers for configuration.

Set up the tunnel

Create a session in PuTTY and then select the Tunnels tab in the SSH section. In the Source port text box enter 3306. This is the port PuTTY will listen on on your local machine. It can be any standard Windows-permitted port. In the Destination field immediately below Source port enter 127.0.0.1:3306. This means, from the server, forward the connection to IP 127.0.0.1 port 3306. MySQL by default listens on port 3306 and we’re connecting directly back to the server itself, i.e. 127.0.0.1. Another common scenario is to connect with PuTTY to an outward-facing firewall and then your Destination might be the private IP address of the database server.

Putty Tunnel

Add the tunnel

Click the Add button and the screen should look like this,

Putty Tunnel Added

Save the session

Unfortunately PuTTY does not provide a handy ubiquitous Save button on all tabs so you have to return to the Session tab and click Save,

Putty Session

Open the session

Click Open (or press Enter), login, and enjoy!

Here for reference is an example connection using MySQL Adminstrator going to localhost: note the Server Host address of 127.0.0.1 which will be transparently forwarded.

Mysql Administrator Login

2,274 total views, 1 views today

Set Up Your Loved Ones with the Best Tech Tools for Keeping in Touch [Family Hacks]

Standard

Why do you almost never send hand-written letters to loved ones? The effort—locating pen and paper, writing, addressing, and stamping—can seem colossal on any given, always busy, day. But keeping in touch is easier than you (and they) may think.

Photo by el monstrito.

Want to do something nice for your loved ones? Keep in touch with them more often. If you’ve got friends or family members who aren’t so good about online communication, these apps and tips make video chat, simplified email, and photo sharing easier to do on a regular basis.

Making a web connection isn’t about “fixing” a relative’s computer—though that’s not a bad idea, next time you’re visiting. It’s about lowering the barriers for communication, for both yourself and the person on the other end, so you can get used to keeping in touch through the easiest available methods.

If it’s that hard for you, it’s doubly hard for a person who didn’t constantly have a computer in front of them their whole careers. There are, thankfully, solutions that don’t require either side to invest far too much time and effort to get started with. The reward is time well spent with far-off family members, which will certainly pay dividends for a long time to come.

Set up their computer

The apps we want to use to connect are pretty easy to install, for the most part. But if sending a bunch of download links over email to a relative isn’t a realistic option, you can do the setting up yourself, from nearly anywhere in the world, with minimal pain. We’ve previously provided an in-depth list of tools for giving tech support or grabbing files from any system, but below are the two easiest solutions. (We’re not even going to pretend your relatives are using Linux, but, if they are, see if you can walk them through connecting to your reverse VNC setup.)

CrossLoop: (Windows) The How-To Geek loves this little remote-control app, and for good reason: It’s a VNC remote control app without all the back-end fiddling (“Do you know your IP address, Uncle Robert? Okay, type ‘cmd’ into the start bar …”). The client only has to install the software and tell you their access code, and you run the same app and connect from your end. The Geek’s site detailed the connection in a screenshot tour. It’s secure enough for a one-shot Skype setup or settings fiddling, because it requires a fairly complex code and doesn’t persist on the computer beyond your session and the next time they shut down.

LogMeIn Free: (Windows/Mac) It’s another fancy, all-in-one VNC client, but it works between PCs and Macs. Doesn’t offer the remote file transfer of CrossLoop, and is just a little more complicated for the relative you’re having install it to get going with it. Still, it claims and (generally) delivers “two-minute setup,” and, though intended for accessing your own home computer at the office and elsewhere, it’s still works as a tech support tool. There’s also LogMeIn Express, which is even more simple, fast, and support-oriented.

Make their system more accessible

If you’ve got remote access to a relatives’ computer, you can also make it easier for them to use. Bigger type, screen magnification, higher contrast themes, and other tools can make the computer an easier place to navigate for older relatives, but they might never discover those options on their own.

You can read up on the built-in accessibility tools inside OS X, in Windows 7, Windows Vista, and Windows XP.

Set up video chat

These days, nearly every laptop has a webcam and microphone built in, and USB-connected webcams are cheap and easy to set up. Video chat is a lot more personal than a phone call, and feels like the next best thing to jumping in your car and visiting. (It’s especially good for keeping up with the grandkids, nieces, and nephews as they continue to grow up so fast.)

Skype is the go-to pick for video chat—it works on Windows, Mac, and Linux, and it’s been designed to be fairly easy to install and get started without having to dive into the preferences and configuration settings. If you’re not there, either in-person or remotely, most computer users can set up Skype just by clicking Next, Next, OK all the way through the installation process, minus one pause to set up an account. They’ll end up with Skype automatically starting and logging them in when their computer boots into Windows, but that’s something you can undo later, or not worry too much about if they’ve got a decently new system.

If most of your relatives have Macs, iChat is probably easier to set up and use than Skype. It is, however, limited to Macs, and so a fairly limiting option for families not entirely descended from typeface designers (Kidding!).

If Skype isn’t going to work for your relatives, in terms of software setup, try the web-based TokBox. It’s free for both parties, it’s one of our readers’ favorite video chat applications, and the quality is surprisingly good for a web-based client. You can sign up your relative for an account ahead of time, then simply email them a link to the chat you’re initiating with them, along with their username and password.

Last, Gmail’s video chat functionality installs via a browser plug-in and works surprisingly well, too—provided everyone involved has a Gmail account.

Better email for everyone

You don’t always have time, or the right hair, to jump into a video chat. Sending an email is probably second nature to you, but some relatives hate their email—and you would, too, if you had it their way. Help them reconnect with the (type)written word.

The New York Times recommends a stripped-down email service called PawPawMail for computer unsavvy relatives, which any more tech-patient relative can set up for the email account that they’ve likely received from their cable, DSL, or other internet provider. It’s a nice, simplified interface for email, and probably far easier to use than Outlook Express, Windows Live Mail, or even Mail.app for Mac—the picture aggregation is a nice touch. Then again, it’s also $5 per month, so you’ll want to test it out before committing.

My own mother also grew to loathe desktop email clients, especially when Verizon tech support would have to talk her through SMTP setup when she spent time at our summer camp. The Verizon webmail interface just wasn’t cutting it, either. So, using Gina’s guide to consolidating multiple email addresses with Gmail, and Gmail’s mail and contact importer, I set her up with a Gmail account that used her same password and, more importantly, sent and received email transparently through Verizon.net. Her friends didn’t have to update their address books, and once she saw the magic of auto-complete, as-you-type contact names, she was hooked. I also set up sidebar labels, hooked to filters, that show her emails from her children, automatic notices of bills due, Netflix updates, and so on.

Photo sharing

My in-laws have a desktop computer in the living room, as well as a laptop. My wife and I would only occasionally receive digital photos from them, and they’d either be gigantic, 3 MB-each files, or tiny thumbnails forwarded from a photo developing service. While at their house at Thanksgiving, I showed them the Picasa desktop software (available on Windows and Macs), particularly the clever facial recognition and easy collage features. I set it up on their system, set it to always watch their desktop, downloads, and pictures folder, and returned home.

When we returned for the holidays, they had a special gift prepared for a son of theirs: a T-shirt featuring a photo collage of family members, assembled and ordered right from Picasa. I was pretty floored; these were folks I’ve long been the Computer Explainer for, but Picasa was intuitive enough for them to manage on their own, even into the advanced features. The main thing that required a little explanation was the somewhat quirky “holding”/thumbtack system, and its difference from “Starred” photos, but other than that, it’s a perfect photo simplifier: the left-hand folders are albums that show up automatically, the main window is filled with pictures, and photos are automatically knocked into manageable but visible size for emailing—and it’s even easier if you set up a Gmail holder account for the user.


That’s one editor’s take on making computer computer connections easier to keep up with, across long distances and different levels of tech savvy. What tools have you used to stay in touch with your less computer-friendly relatives? We’d love to hear the recommendations in the comments.





779 total views, no views today