SSH Tunneling

So, I've made my researches on the internet and I just understood what tunneling actually is but how to accomplish it is still a total mistery to me. I'd like to use this solution to access my Raspberry securely from outside of my network (if this matters in any way). Thanks for the answers.

If you only want to access the rasppery itselve you can just ssh into it.

For that you need a ssh server running on the PI and the port (22) forwarded to the PI by your router;

If you, e.g. want to access port 8080 on the PI you can create a tunnel through SSH that maps that port to your local machine

ssh -L 8080:some-machine-on-the-lan:80 [email protected]
The above comand wil lestablish a SSH connection as user to the thing listening on port 22 of DOMAIN.TLD. Through that SSH connection a tunnel is created from port 8080 on the local machine (Laptop?) to the some-machine-on-the-lan:80.

After that, when you want to access the webserver that is on
you just have to point your browser to
and the traffic will be sent through SSH to the local machine.

If the service you want to access savely is on the same machine as the ssh server is running (RaspberryPI) than you can use
ssh -L 8080:localhost:80 [email protected]
that will tunnel the traffic from your laptops port 8080 to the port 80 of the Raspperypi itselve.

1 Like

The SSH server is running already but if I try to forward the port 22 from my router it says that is a reserverd port and won't allow me to do that.

This is the part I'm most interested in. So following your example I can use that command to open just one port in my router (no need to be the port 80, right?) and bound it to the port I need to access (can be 8080 or can be whatever, right?). Than to access it I'll refer to the port I'm opening (in your example 80) and use my SSH credential to access the network. What if I need to access more services on different ports? I can use the same command to bound different port to the same? Thanks for the answer.

Ok, so your router is - not so good - you can change the SSH servers port; Go into / etc / ssh / sshd_config and change the port to 22000 for example. Then restart the sshd service ssh restart. From now on the SSH server listens on port 22000; Now you can forwart 22000 from the router to 22000 on the raspperry;

This also saves your SSH server from scriptkiddies randomly probing port 22 worldwide.

The ssh tunnel command you must add -p 22000 to tell ssh when connecting that it needs to use 22000 now.

you only open the port used by SSH (standard 22) but for you I would recommend 22000 as that is not a reserved port;

Port 80 is the deffault port assigned to HTTP; You do not need to open that in your router! Only port on your router that needs to be open is the one for SSH;

Step by step:
ssh -L 8080:localhost:80 [email protected] -p22000

ssh = the program we use
-L = tell ssh to forward traffic between ports
8080 = in my excample the local port used on your client (Laptop)
localhost = the rasppery itselve if you want to have one port from it forwarded; can be any other IP or hostname on your local network
80 = in this excample is the port of the machine defined just before (localhost in the excample)
[email protected] = your username + @ + the external IP or DynDNS name, or how you want to access your network from extern
-p 22000 = tells the ssh program to use that port instead of the deffault (can be any, as long as its the same the server is listening on)

Well yes, you can establish several connections; e.g. swap 80 with 443 and you connect to a HTTPS webserver.

1 Like

If 80 is in the example the port I'm going to tunnel to, what's the port 8080 for?

That is the port used on your client machine.

Lets say you want to acces a website that is on the rasppery pi; The webserver on the RPI will be listening on port 80.

so you run ssh -L 8080:1270.0.1:80 [email protected] -p22000 that will create a tunnel starting at port 8080 on your laptop -> send it through SSH to -> port 80 on the RPI;

So on your laptop (that you have with you) you than open a browser and type http://localhost:8080 into the addressbar and it will display what the webserver on the RPI serves on port 80

Oooh okay, now I understand what you meant to say. So, if I want I can use a different port being it 8888 for example. So to tunnel different ports I can't use 8888 for every service but a different one, right? You're always so helpful and patient, thanks a lot!

P.S. these settings will always be set or every reboot I need to set it again?

With ssh you can only tunnel one port to another;

You have to understand that the IP address (or URL) is like the street address of a building with thousands of rooms; but when you want to get in you need the room number.

The URL of this forum actually should be (but as the browser knows that for https the deffault port is 443 its left away)

Which setting?
ssh -L 8080:some-machine-on-the-lan:80 [email protected] -p22000
^ this is not a setting, it is starting the ssh program with the given parameters; the tunnel will be open as long as ssh is running. When you close the terminal or type exit the ssh connection will be terminated and the tunnel is gone.

1 Like

This was clear, but thanks anyway for explaining that.

How can I tunnel more ports into a single one with the same level of security?

Open a terminal on your client machine and type
ssh -L 8080:some-machine-on-the-lan:80 -L 666:some-machine-on-the-lan:1920 -L 6060:some-machine-on-the-lan:443 [email protected] -p22000

All this above creates ONE SSH connection with THREE tunnels in this one connection. The only port that is actually open in your router/firewall is 22000 as we learned earlier that you can not use 22 with your router/firewall =)

1 Like

Man, I should really pay you for all of this. Thanks again a lot for all the help you're giving me. I really appreciate that. Have a good day/night.

1 Like