It's 2024! Please avoid writing SSH commands like that.
Instead, configure your ~/.ssh/config with LocalForward, RemoteForward, and ProxyJump. This can save you a significant amount of time, especially when using ssh, scp, or rsync to transfer data from a remote server that requires multiple intermediate SSH connections.
e.g.:
Host jump-host-1
    HostName jump1.example.com
    User your_username
    IdentityFile ~/.ssh/id_rsa
Host jump-host-2
    HostName jump2.example.com
    User your_username
    IdentityFile ~/.ssh/id_rsa
    ProxyJump jump-host-1
Host jump-host-3
    HostName jump3.example.com
    User your_username
    IdentityFile ~/.ssh/id_rsa
    ProxyJump jump-host-2
Host target-server
    HostName target.example.com
    User your_username
    IdentityFile ~/.ssh/id_rsa
    ProxyJump jump-host-3
    LocalForward 0.0.0.0:8080 0.0.0.0:80
    RemoteForward 0.0.0.0:9022 0.0.0.0:22
# after this:
# - you can ssh/scp/rsync to target-server via the alias; ssh hops through jump-host-1 -> 2 -> 3 automatically
# - LocalForward: connections to port 8080 on your local machine are forwarded to port 80 as reached from target-server
# - RemoteForward: connections to port 9022 on target-server are forwarded to port 22 on your local machine
# - remember, for LocalForward & RemoteForward:
#   + left is the listening side (your local machine for LocalForward, target-server for RemoteForward)
#   + right is the destination the listening side forwards to
#   + 0.0.0.0 on the left binds the listener on all interfaces, so other hosts can reach it;
#     localhost or 127.0.0.1 keeps it reachable from that machine only.
#     A non-loopback bind on RemoteForward only takes effect if the server's sshd has GatewayPorts enabled.
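Because a wildcard bind on LocalForward/RemoteForward exposes the tunnel endpoint to every host on that network, the following POSIX shell snippet audits an ssh_config for such forwards and shows the loopback-bound form beside it. It is an added example, not code from the thread; the config text is constructed to mirror the one above, and the audit assumes GatewayPorts is at its default of "no" so a forward with no bind address is treated as loopback.

```shell
#!/bin/sh
# Constructed sample config mirroring the thread's target-server entry,
# plus one loopback-bound forward and one forward with no bind address.
SAMPLE_CONFIG='Host target-server
    HostName target.example.com
    ProxyJump jump-host-3
    LocalForward 0.0.0.0:8080 0.0.0.0:80
    RemoteForward 0.0.0.0:9022 0.0.0.0:22
    LocalForward 127.0.0.1:5432 127.0.0.1:5432
    DynamicForward 1080
'

# audit_forwards CONFIG_TEXT
# Prints "<host> <Directive> <listen> <dest>" for each forward whose
# listening side is bound to all interfaces: 0.0.0.0, *, [::], or an
# empty address before the colon (":8080"). A bare port with no address
# is left alone (assumed loopback under the default GatewayPorts no).
audit_forwards() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "host" { host = $2; next }
        tolower($1) ~ /^(localforward|remoteforward|dynamicforward)$/ {
            listen = $2
            n = split(listen, parts, ":")
            if (n > 1)
                bind = substr(listen, 1, length(listen) - length(parts[n]) - 1)
            else
                bind = "localhost"   # no bind address given: default is loopback
            if (bind == "" || bind == "0.0.0.0" || bind == "*" || bind == "[::]")
                print host, $1, $2, ($3 == "" ? "-" : $3)
        }'
}

# harden_forwards CONFIG_TEXT
# Rewrites wildcard listen addresses to 127.0.0.1 and prints the whole
# config (modified lines lose their original indentation).
harden_forwards() {
    printf '%s\n' "$1" | awk '
        tolower($1) ~ /^(localforward|remoteforward|dynamicforward)$/ {
            if ($2 ~ /^(0\.0\.0\.0|\*|\[::\]|):[0-9]+$/)
                sub(/^.*:/, "127.0.0.1:", $2)
        }
        { print }'
}

echo "Forwards listening on all interfaces:"
audit_forwards "$SAMPLE_CONFIG"
echo "Hardened config:"
harden_forwards "$SAMPLE_CONFIG"
```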
SSH tunnelling is an utter necessity in the ridiculous corporate environment I work in. Incredible amounts of bureaucracy and sometimes weeks of waiting to get access to stuff, get ports opened, get some exception in their firewalls and vpn so someone can access a thing they need to do their job.
This guide mentions -D but doesn't really articulate quite how powerful it is if you don't know what it does.
ssh -D 8888 someserver, then set your browser's SOCKS proxy to localhost:8888 (Firefox still lets you set this without altering system defaults). Now all your browser's traffic is routed via someserver.
I find that to be incredibly useful.
The filthiest SSH tunneling hack that I've ever done was at 3AM while in a three-way... datacenter connection. The interesting part was that, while the three facilities, spaced out over a single metro area, had upstream transit connectivity to the rest of the net, only two pairs were able to reach each other due to some odd routing policies that couldn't be resolved in time.
That meant that A could connect to B, and only B could connect to C. The data I had to move from facility A to facility C went via B in the most ridiculous rsync+ssh tunnel+keys+routing shenanigan mashup I've ever done. It took a few tries to get the incantation exactly right, but it was magical seeing it all move as one.
Looking back, it is super obvious how I'd do it now, but back then, being green, it was a huge accomplishment. I still remember the exhilaration when I confirmed everything was synced up.
I love the extra detail in the visualizations. My wish is for networking to have much more visual representation of traffic, especially at lower level connections.
Shameless plug:
What to do when you want to ssh to your Linux server or IoT device but they are behind a firewall and without a static IP? You can use a tunneling service like https://sshreach.me.
I've used tunneling quite a lot over the years but never knew about the -J option.
What I'd really like is just some visual tool to configure my tunnels instead of spending 30 minutes every few months when I need to use a tunnel.
> TCP-over-TCP
> It lowers the throughput due to more overhead and increases the latency. On connections with packet loss or high latencies (e.g. satellite) it can cause a TCP meltdown.
This actually isn't a problem with SSH tunnels unless you're using TAP/TUN, because it unpacks and forwards the TCP streams. But you can still get reduced performance with multiple channels due to head-of-line blocking.
I learned how to use ssh tunnels when wanting to bypass a firewall in my university network around 15 years ago; I had to change the default port to 443.
Been using it ever since for so much more than just bypassing firewalls.
sshuttle, go have a read, it's much nicer for tunnelling... sshuttle -r user@host 10.0.0.0/8
Anything on 10/8 is automatically tunnelled; it's pretty much a VPN over SSH.
Kind of related, but I was wondering if there is some kind of redirect functionality in SSH itself. Something like:
- A wants to SSH into B
- B tells A that it must connect to C instead
- A transparently connects to C directly
- B is not a part of the critical data path anymore
Does something like this exist?
I've found VS Code can set up port forwarding tunnels if you remote into a host, and it's been very useful. It's graphical, no command line incantations to remember, and I usually have it running anyways.
See also:
A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding https://iximiuz.com/en/posts/ssh-tunnels/
Bookmarked, thank you.
SSH tunnels are an excellent tool, but nowadays you often want TLS and reverse proxy functionality built in. I maintain a list of such tools here: https://github.com/anderspitman/awesome-tunneling