Welcome to the Info TEST server!

Skip to content. | Skip to navigation

Sections
Info Services > Computing Guide > Network Access > SSH Pages > SSH Tunneling for Linux & Mac

SSH Tunneling for Linux & Mac

Tunnel, Secure Shell, VPN, Internet, Web Access, Poor Man's VPN,

NRAO Employees: Network access is for use on NRAO-approved machines only. Complete the Permission to Connect non-NRAO Computer to NRAO Network form (PDF) and have it authorized by your local computing division head before attempting any connections except "nraoPUBLIC". Please note that VPN is the preferred remote connection technology.

Visitors: May make use of NRAO public wireless networks where available. For RFI restricted areas, contact the Help Desk.

An alternative to the VPN for Linux (and Mac) users

If you have a Linux or Mac OS/X system, and only need ssh and web access to the inside, the following little trick will work for you.

1. Make a Tunnel

First, Make a tunnel to your SSH login machine. You will need to do this before you start web browsing, and every time after you reboot and/or reconnect.

CV

( ssh -N -L 8080:proxy.cv.nrao.edu:3128 -L8443:proxy.cv.nrao.edu:3128 ssh.cv.nrao.edu )

AOC

( ssh -N -L 8080:proxy.aoc.nrao.edu:3128 -L8443:proxy.aoc.nrao.edu:3128 ssh.aoc.nrao.edu )

 

2. Modify your Browser Proxy Settings

Go to your browser preferences and set the field marked Automatic Proxy Configuration URL to

http://www.nrao.edu/poorvpn.pac

You should be set now, and your browser will be able to see NRAO internal content without further intervention, while non-NRAO content will be obtained directly.

(Optional) Extend to Mail Services

(Experts only!) If we tunnel one service, why not others? It's relatively easy to extend that ssh command to add some extra tunnels so that you can connect directly to mail services. This does entail some extra work though, and should only be tried if you know what you're doing and can change the configuration of your mail client! Something like this would work:

( ssh -N -L 8080:proxy.cv.nrao.edu:3128 \
-L 8443:proxy.cv.nrao.edu:3128 \
-L 8025:smtp.cv.nrao.edu:25 \
-L 8143:mail.cv.nrao.edu:143 \
-L 8110:mail.cv.nrao.edu:110 \
ssh.cv.nrao.edu & )

This will tunnel connections for the web proxy (you'll have to configure your browser to use localhost ports 8080 and 8443 for regular and SSL-encrypted browsing, respectively), outgoing (smtp) mail, and incoming mail on both IMAP and POP3 to the correct host (in Charlottesville; substitute aoc, gb, or tuc as appropriate).

However, you'll need to configure your mail client to connect to localhost port 8025 for outgoing SMTP mail, and localhost port 8143 for IMAP (or localhost port 8110 for POP3) incoming mail. It's actually simpler though for incoming mail to use IMAPS (secure IMAP) as that's has encryption built in and most mailers support it these days.

If the ssh command you use is too long, you can encapsulate it in a small shell script, or use the ~/.ssh/config file (see man ssh_config for the details) and put specific LocalForward directives in for a given hostname.


How does this work?

What step one does is to establish a tunnel through a ssh connection. The ssh session is from your local system to the login machine specified, and the tunnel is from port 8080 on your local system to port 3128 on the proxy server (not the SSH login machine). Think of it as a tunneled connection that takes a sharp turn after it gets to the SSH login system and connects to the proxy.

When activated in your browser, the autoconfigure script will cause any URLs that match nrao.edu to be dispatched to what it thinks is a proxy server on "localhost" (i.e., your local machine). However, we've set up a tunnel between this port and the regular proxy/squid listening port on your proxy server, so the net effect is that all NRAO.EDU urls get served by the proxy, and everything else goes direct to the internet. If you're connected to the net via an ISP, you can now see NRAO's internal web pages.

The author has been using this scheme for some time now when connected at home through a commercial ISP and it works well. The only hassle is the necessary changes to Mozilla Preferences when changing from work (where http://www.nrao.edu/proxy.pac is used) and home each day -- and this could be mitigated by using separate Mozilla profiles for work and home.

For more information on ssh tunneling, see the tunneling section of the Computing Guide SSH page.


Submit a Help Desk ticket and have the Permission to Connect non-NRAO Computer to NRAO Network form approved by your local computing head if you want the VPN software for your non-NRAO computer.

Permission Form for Non-NRAO Computers