Hello folks,
I have been looking at using an SSH tunnel to provide secure access to an SMB share over the internet.
I have managed to make a tunnel on port 139 that will connect to a Samba share on the local server (using a Windows loopback network), but the share I need access to is on a Windows PC.
Is there some way to route the tunnel through to a host (or IP address) on the local network so that I can access the share directly through the SSH tunnel?
Hopefully this makes sense, feel free to ask if I haven't been clear.
Thanks, Fantom.
EDIT: I neglected to mention that the Linux PC is a separate machine from the Windows PC that the share is on.
ssh -L localport:server_ip_or_hostname:remote_port_you_want_to_connect_to -p sshport_if_not_22 user@machine_with_ssh_on_it
so
ssh -L 139:yourfileserver:139 yourusername@yoursshmachine
will tunnel the local port 139 to the port 139 on your fileserver.
More resources: http://www.revsys.com/writings/quicktips/ssh-tunnel.html
1 Like
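The forward described in the answer above, written out as a small POSIX shell helper. This is an added example, not code from the thread or from the linked article; the host names (winpc, sshgw) and function names are assumptions. Beyond the bare command it binds the listener to 127.0.0.1 only, so the tunnelled share is not re-exposed on every interface of the client, and sets ExitOnForwardFailure so that ssh exits with an error instead of silently running without a forward when the local port is already taken.

```shell
#!/bin/sh
# Added example (not from the thread): build and sanity-check an SSH local
# port forward for SMB. smb_tunnel_cmd, local_port_in_use and the sample
# hosts "winpc"/"sshgw" are illustrative names, not anything from the thread.

# Return 0 if $1 is a TCP port number in 1..65535, else 1.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command that forwards 127.0.0.1:$1 on this machine to
# $2:$3 as seen from the SSH server $4 (user@host), using SSH port $5.
# Option choices for the SMB use case:
#   -N                        no remote shell; the session exists only for the forward
#   -L 127.0.0.1:...          listener bound to loopback only, not to all interfaces
#   -o ExitOnForwardFailure   ssh fails loudly if the local port (e.g. 445) is
#                             already bound instead of running with no forward
#   -o ServerAliveInterval    notice a dead tunnel instead of leaving SMB hanging
smb_tunnel_cmd() {
    local_port=$1; target_host=$2; remote_port=$3; ssh_dest=$4; ssh_port=${5:-22}
    valid_port "$local_port"  || { echo "bad local port: $local_port" >&2; return 1; }
    valid_port "$remote_port" || { echo "bad remote port: $remote_port" >&2; return 1; }
    valid_port "$ssh_port"    || { echo "bad ssh port: $ssh_port" >&2; return 1; }
    [ -n "$target_host" ] && [ -n "$ssh_dest" ] || { echo "missing host" >&2; return 1; }
    printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:%s:%s %s\n' \
        "$ssh_port" "$local_port" "$target_host" "$remote_port" "$ssh_dest"
}

# Return 0 if something already listens on local TCP port $1 (the case that
# makes "-L 445:..." fail), 1 if the port is free, 2 if it cannot be determined.
local_port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$1\$" && return 0
        return 1
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$1\$" && return 0
        return 1
    fi
    return 2
}

# Demonstration: show the command for reaching the (assumed) Windows PC "winpc"
# through the (assumed) Linux SSH host "sshgw", presenting the share on local 445.
if local_port_in_use 445; then
    echo "note: local port 445 is already bound; pick another local port" >&2
fi
smb_tunnel_cmd 445 winpc 445 user@sshgw 22
```

Run the printed command in one terminal (binding local port 445 on Linux needs root; a high port such as 8445 avoids that, and mount.cifs accepts a `port=` option so the client can still reach it), then mount the share against 127.0.0.1, for example `mount -t cifs //127.0.0.1/share /mnt/share -o user=NAME`. Only TCP 445 needs forwarding for direct-hosted SMB; the NetBIOS ports 137-139 are not required for that path.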
I believe you will need all of these ports to access the SMB share.
137, 138, 139, 445
If that is so, OP will need all these tunnels separately... I honestly suggest you use OpenVPN instead. It will tunnel all your traffic to your local network and that way you can just type smb://myfileserver or //myfileserver to access it from the machine that's on the VPN
1 Like
I agree, I would (actually, I do) use OpenVPN for this.
2 Likes
So do I. I only use ssh tunnel to access phpmyadmin and ispconfig on my remote server, so they are never exposed to the web directly.
1 Like
Thanks very much for all your help.
I managed to get this working on Linux by tunnelling only port 445. It seems to work perfectly and the speed is unreal (admittedly on a leased-line-to-leased-line connection).
The intended client was actually a Windows PC, so I did some further digging.
After much hair pulling I found this article:
http://www.nikhef.nl/~janjust/CifsOverSSH/VistaLoopback.html
It points out that from Windows Vista onwards (in other words NT 6.X) the SMB service binds port 445 on all interfaces when it starts.
Since it is a system service and starts very early, you have to mess with the way it launches to get PuTTY to bind the interface, which in a domain environment is unacceptable.
Thanks again for the help, I have learned a number of useful things from this :)
1 Like
Perfect! That is how it's meant to be =D congrats on solving it!