SSH tunneling: how much can it help against firewall?

I have the following problem, and wonder whether one or two SSH tunnels can help.

Computers A and B are on different networks, far from each other. I have control of both (root access). Both run Leap.

Computer A is behind a firewall, which likely does not forward ports. I don’t have control over that firewall.

Computer B is in “free Internet”, and, although behind a firewall, ports can be forwarded through it, since I have control over the router that creates the firewall. Normally, I sit in front of B.

The question: Can I login from B to A, or can clients running in B connect to servers running in A, for example, to VNC server or sshd, so that I get control of A from B?

Any commands can be issued in A and B for this.

I am wondering whether some commands like

 
 ssh -L ...
 ssh -R ...
 ssh -D ...
 x11vnc -rfbport ...
 ssh -X ...

issued in A or B could help? Are there bi-directional ssh tunnels?

I know that the task can be accomplished by TeamViewer or similar commercial software, but I would like to use ssh or vncviewer.

You want to set up a special VPN configuration called a “callback”

The idea is that although you can’t connect directly to Computer A, there is usually <some> way you can execute something on that machine. Maybe it’s monitoring a mail account. Or, it’s periodically checking for something on the Internet. When the condition is satisfied, then Computer A will initiate a VPN to Computer B and then you can access Computer A from Computer B for anything you want to do.

You can also set up VNC this way (do an Internet search for a guide).

TSU

Depends on the firewall configuration.

If port 22 is allowed out, then sure, it can help with TCP traffic at a
minimum.

There are lots of options for firewall piercing - but that does get into
the realm of hacking - and doing so without permission of the owner of
the network in question is generally not a good idea, because you’re
creating weaknesses in their network in order to circumvent controls and
could be held liable if their network were compromised.

So the easiest solution is to talk to the network owner about getting the
ports opened that you need, or collaborating with them on a solution.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 08/09/2017 09:06 PM, ZStefan wrote:
>
> I have the following problem, and wonder whether one or two SSH tunnels
> can help.

SSH tunnels allow you to have TCP data go in a socket on one machine and
come out of a socket on the other machine, going through an established
SSH connection. If you can SSH from one box to another then you can
tunnel data between those two boxes or networks, assuming the SSH
configuration on either side does not somehow prevent SSH tunnels (allowed
by default, they are).

> Computers A and B are on different networks, far from each other. I have
> control of both (root access). Both run Leap.
>
>
> Computer A is behind a firewall, which likely does not forward ports. I
> don’t have control over that firewall.
>
> Computer B is in “free Internet”, and, although behind a firewall, ports
> can be forwarded through it, since I have control over the router that
> creates the firewall. Normally, I sit in front of B.
>
> The question: Can I login from B to A, or can clients running in B
> connect to servers running in A, for example, to VNC server or sshd, so
> that I get control of A from B?
>
> Any commands can be issued in A and B for this.

SSH from serverB to serverA using the following command, and set up a
tunnel from TCP 5900 on serverB to go to the “localhost” TCP 5901 on serverA:


ssh root@serverA.goes.here -L 5900:localhost:5901

Once done, you can connect vncviewer to 127.0.0.1:5900 on serverB in order
to access localhost:5901 on serverA, which may be what you want.

Reverse tunnels are also possible, so if you can SSH from serverA to
serverB, you can then forward traffic from serverB back to serverA. See
the ssh manpage for specifics, or ask follow-up questions here.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
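The reverse tunnel mentioned in the reply above is the "callback" TSU describes, done with ssh instead of a VPN: A dials out to B on port 22 (the one direction the firewall allows), and B's sshd listens on two loopback ports that lead back down the tunnel to A's sshd and VNC server. The script below is an added example, not code posted by anyone in the thread. It assumes B is reachable as b.example.org and that an unprivileged account "tunnel" on B holds A's public key; the host name, account and port numbers are placeholders.

```shell
#!/bin/sh
# Callback tunnel: run this on computer A (the firewalled machine).
# Assumed for this example (not from the thread): B is b.example.org and
# account "tunnel" on B accepts A's key without a password.

B_HOST="b.example.org"
B_USER="tunnel"
SSH_BACK_PORT=2222   # on B: ssh -p 2222 localhost   -> A's sshd (port 22)
VNC_BACK_PORT=5900   # on B: vncviewer localhost:5900 -> A's x11vnc (port 5901)

# The ssh options, kept in a function so they can be inspected without
# connecting.  Meaning of each:
#   -N                    forwards only, no remote shell
#   BatchMode=yes         never prompt; fail if the key is not installed
#   ExitOnForwardFailure  if B already has something on 2222 or 5900, exit
#                         instead of sitting connected with no forward
#   ServerAlive*          notice a dead NAT/firewall state within ~90 s and
#                         exit, so the loop below reconnects
#   -R port:localhost:p   B listens on 127.0.0.1:port, traffic lands on A:p
tunnel_opts() {
    printf '%s' "-N \
-o BatchMode=yes \
-o ExitOnForwardFailure=yes \
-o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-R ${SSH_BACK_PORT}:localhost:22 \
-R ${VNC_BACK_PORT}:localhost:5901"
}

start_tunnel() {
    # shellcheck disable=SC2046  (word splitting of the options is intended)
    ssh $(tunnel_opts) "${B_USER}@${B_HOST}"
}

# Reconnect delay after N consecutive failures: 5 s, 10 s, 20 s ... capped
# at 300 s, so a broken B does not get hammered but recovery is quick.
backoff_delay() {
    n=$1
    d=5
    while [ "$n" -gt 1 ]; do
        d=$((d * 2))
        if [ "$d" -ge 300 ]; then
            d=300
            break
        fi
        n=$((n - 1))
    done
    printf '%s\n' "$d"
}

# Keep the callback up: ssh exits whenever the link drops, so just restart it.
run_callback() {
    fails=0
    while :; do
        if start_tunnel; then
            fails=0            # clean exit (e.g. sshd on B restarted)
        else
            fails=$((fails + 1))
        fi
        sleep "$(backoff_delay $((fails + 1)))"
    done
}

case "${1:-}" in
    run) run_callback ;;       # ./callback.sh run   (e.g. from a systemd unit)
esac
```

Once the tunnel is up, on B you run `ssh -p 2222 localhost` and `vncviewer localhost:5900`; both are answered by A. The listening ports bind to B's loopback only unless `GatewayPorts` is enabled in B's sshd_config, and for this use that default is the right one: only someone already logged into B can reach A, and A's own sshd still authenticates them. Two checks worth doing on B: the key A uses should not give a shell on B, which is what prefixing the authorized_keys line with `restrict,port-forwarding` does (OpenSSH 7.2 and later), and an `ss -ltn` on B should show 127.0.0.1:2222 and 127.0.0.1:5900 listening while the callback is connected. A systemd service with `Restart=always`, or autossh, can replace the hand-written loop.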

How about an openVPN server on B (or on the router for the network B is connected to)? With A connecting, both can interact as on the same network…

Hey guys,
The original description regarding Computer A

> Computer A is behind a firewall, which likely does not forward ports. I don’t have control over that firewall.

So, no inbound connections. No SSH. Nothing.

So,

  1. Computer A has to initiate any connections, assuming outbound connections are not blocked.
  2. Something needs to trigger initiating the outbound connection. I suggested an email message, since email is commonly supported in networks by way of an on-site mail server. Or, permitted through the firewall. The idea is a machine somewhere on the network that acts to proxy or forward a communication of some sort. Or, if that isn’t possible, then simply run a CRON job periodically testing for a sign to initiate the outbound VPN (can be something simple like whether a file exists on an Internet website).

TSU
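The second suggestion in the post above, a cron job on A that watches for a sign on a website and then dials out, looks like the script below. It is an added example, not code from the thread. It assumes the operator publishes a short token at https://example.org/callback.txt (a URL chosen for this example), and that the outbound session is the same reverse-forward callback to b.example.org discussed in this thread; all those names are placeholders. The token is only a signal, not a credential: whoever can change it can make A connect out to B, but B's sshd still checks A's key and A's sshd still authenticates whoever arrives, so the worst case is a nuisance connection. Fetch it over HTTPS so a network middlebox cannot forge it.

```shell
#!/bin/sh
# Cron-driven trigger for the callback, run on computer A every few minutes:
#   */5 * * * * /usr/local/bin/callback-trigger run
# Assumed for this example (not from the thread): the trigger is a token
# published at TRIGGER_URL, and the callback target is tunnel@b.example.org.

TRIGGER_URL="https://example.org/callback.txt"
B_HOST="b.example.org"
B_USER="tunnel"
SSH_BACK_PORT=2222
STATE_DIR="${STATE_DIR:-/var/lib/callback}"
LAST_NONCE="$STATE_DIR/last-nonce"   # token we last acted on
LOCK="$STATE_DIR/lock"               # one tunnel at a time

# Fetch the token.  -f turns HTTP errors into a non-zero exit, --max-time
# keeps a stalled site from piling up cron jobs.  Swapping this for a grep
# over a local maildir gives the e-mail variant of the same idea.
fetch_trigger() {
    curl -fsS --max-time 20 "$TRIGGER_URL" 2>/dev/null
}

# Decide whether a fetched token should start a session.  Accepts only a
# short alphanumeric token (web content must never reach the shell unchecked)
# and only if it differs from the last one acted on, so publishing a new
# token starts exactly one session.  Prints "yes" or "no".
should_trigger() {
    nonce=$1
    last=$2
    case "$nonce" in
        '')               printf no; return 0 ;;
        *[!A-Za-z0-9-]*)  printf no; return 0 ;;
    esac
    if [ "${#nonce}" -gt 64 ]; then
        printf no
        return 0
    fi
    if [ "$nonce" = "$last" ]; then
        printf no
    else
        printf yes
    fi
}

check_and_dial() {
    mkdir -p "$STATE_DIR"
    nonce=$(fetch_trigger) || return 0        # site unreachable: try next run
    last=$(cat "$LAST_NONCE" 2>/dev/null || true)
    [ "$(should_trigger "$nonce" "$last")" = yes ] || return 0
    # Record the token before dialling so a crash cannot re-trigger it.
    printf '%s\n' "$nonce" > "$LAST_NONCE"
    # flock -n: if a session from an earlier run is still up, do nothing.
    flock -n "$LOCK" ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "${SSH_BACK_PORT}:localhost:22" "${B_USER}@${B_HOST}"
}

case "${1:-}" in
    run) check_and_dial ;;
esac
```

To open a session you put a fresh value in callback.txt; within one cron interval A connects, and on B `ssh -p 2222 localhost` reaches A. The session ends when you kill the ssh on A (or on B, `ssh -p 2222 localhost` and then `pkill -f 'ssh -N'`), and it will not restart until the token changes again. Keep `BatchMode=yes` in place: a cron job that stops at a password prompt never connects and leaves no error worth reading.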