[opensuse] I want to learn about tunnels - I think
Hi,
I want to know how to do this.
I have a server that is currently remote to me. Ie, I have to connect via internet. In order to have access to its local network I do:
firefox --no-remote &
in a remote terminal via ssh -X. It works. Responsiveness is slow, though, network delays I guess. And having to paint the entire firefox remotely.
I think there is some other way. Somehow connecting the local network there to my laptop, perhaps a tunnel via ssh. Not a vpn, I think.
Where can I read about this? A nice document for dummies would be nice, I'm not asking for someone to start typing the full explanation :-)
Even the right string for a search in google or elsewhere is nice ;-)
-- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 02/20/2017 10:04 AM, Carlos E. R. wrote:
Even the right string for a search in google or elsewhere is nice ;-)
Did you try "ssh tunnel"? That produces several hits. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2017-02-20 16:12, James Knott wrote:
On 02/20/2017 10:04 AM, Carlos E. R. wrote:
Even the right string for a search in google or elsewhere is nice ;-)
Did you try "ssh tunnel"? That produces several hits.
Thanks, no :-) Starting reading now. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 2017-02-20 16:16, Carlos E. R. wrote:
On 2017-02-20 16:12, James Knott wrote:
On 02/20/2017 10:04 AM, Carlos E. R. wrote:
Even the right string for a search in google or elsewhere is nice ;-)
Did you try "ssh tunnel"? That produces several hits.
Thanks, no :-)
Starting reading now.
According to the first hit,
http://www.revsys.com/writings/quicktips/ssh-tunnel.html
it is very simple:
«ssh -f user@personal-server.com -L 2000:personal-server.com:25 -N»
«The -f tells ssh to go into the background just before it executes the command. This is followed by the username and server you are logging into. The -L 2000:personal-server.com:25 is in the form of -L local-port:host:remote-port. Finally the -N instructs OpenSSH to not execute a command on the remote system.»
«This essentially forwards the local port 2000 to port 25 on personal-server.com over, with nice benefit of being encrypted. I then simply point my E-mail client to use localhost:2000 as the SMTP server and we're off to the races.»
So I have tried:
ssh -X cer@home.server -L 60000:home.server:80 -N
Then I point my local firefox to <http://127.0.0.1/:60000> and I get the response: "Unable to connect"
I then thought that it might be:
ssh -X cer@home.server -L 60000:127.0.0.1:80 -N
but I get the same error. I must be doing it wrong... :-?
Also (as (client) user and root):
ssh -X cer@home.server -L 127.1.0.1:60000:127.0.0.1:80 -N
then browsed to:
http://127.1.0.1/:60000
So it is not as simple as that doc says :-?
-- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 02/20/2017 10:04 AM, Carlos E. R. wrote:
Where can I read about this? A nice document for dummies would be nice, I'm not asking for someone to start typing the full explanation :-)
Even the right string for a search in google or elsewhere is nice ;-)
I have two pertinent books on my nearby shelf. Both by O'Reilly.
"SSH, the Secure Shell" has a section on setting up an SSH tunnel.
"Virtual Private networks" has a more general section on SSH and also such techniques as SSH+PPP, as well as VPNs through firewalls, layer 2 VPNs, as well as the basic principles of identification, authentication and encryption. It touches on but doesn't drill down on IPSec and S/WAN.
Both have pages of resource lists.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2017-02-20 16:17, Anton Aylward wrote:
On 02/20/2017 10:04 AM, Carlos E. R. wrote:
Where can I read about this? A nice document for dummies would be nice, I'm not asking for someone to start typing the full explanation :-)
Even the right string for a search in google or elsewhere is nice ;-)
I have two pertinent books on my nearby shelf. Both by O'Reilly.
"SSH, the Secure Shell" has a section on setting up an SSH tunnel.
"Virtual Private networks" has a more general section on SSH and also such techniques as SSH+PPP, as well as VPNs through firewalls, layer 2 VPNs, as well as the basic principles of identification, authentication and encryption. It touches on but doesn't drill down on IPSec and S/WAN.
Both have pages of resource lists.
Apparently, the thing is very easy, according to two pages I read:
http://www.revsys.com/writings/quicktips/ssh-tunnel.html
http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forward...
«Another good example is if you need to access a port on your server which can only be accessed from localhost and not remotely.»
«An example here is when you need to connect to a database console, which only allows local connection for security reasons. Let’s say you’re running PostgreSQL on your server, which by default listens on the port 5432.»
«$ ssh -L 9000:localhost:5432 user@example.com»
«The part that changed here is the localhost:5432, which says to forward connections from your local port 9000 to localhost:5432 on your server. Now we can simply connect to our database.»
«$ psql -h localhost -p 9000»
I understand that explanation, it is very simple! Plain as water! But it doesn't work for me...
I do:
ssh -X cer@home.server -L 60000:localhost:80 -N
or
ssh -L 60000:localhost:80 -N cer@home.server
which connects, of course (no error messages); then I browse on the client to:
http://localhost/:60000
and get:
+++------------------------
Unable to connect
Firefox can’t establish a connection to the server at localhost.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
------------------------++-
-- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
20.02.2017 19:30, Carlos E. R. wrote:
and get:
+++------------------------ Unable to connect
URL is wrong; slash is misplaced. Where have you got it from? http://localhost:60000/
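Added example, not part of the original thread: a small Python check of the point made in this reply, run over the -L arguments and URLs quoted earlier in the thread. The function names are hypothetical, only the TCP form of -L is handled, and an omitted bind_address is assumed to mean a loopback-only listener (GatewayPorts at its default).

```python
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_local_forward(spec):
    """Parse the TCP form of ssh -L: [bind_address:]port:host:hostport.
    IPv6 literals are bracketed, e.g. [::1]:60000:[::1]:80."""
    fields, current, in_brackets = [], "", False
    for ch in spec:
        if ch == "[":
            in_brackets = True
        elif ch == "]":
            in_brackets = False
        elif ch == ":" and not in_brackets:
            fields.append(current)
            current = ""
        else:
            current += ch
    fields.append(current)
    if len(fields) == 3:
        # Assumption: GatewayPorts is at its default (no), so an omitted
        # bind_address means the listener is reachable on loopback only.
        fields.insert(0, "localhost")
    if len(fields) != 4:
        raise ValueError(f"not [bind_address:]port:host:hostport: {spec!r}")
    bind, port, host, hostport = fields
    return bind, int(port), host, int(hostport)

def url_endpoint(url):
    """Return the (host, port, path) a browser would actually connect to."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme), parts.path

def check_url(spec, url):
    """Say whether url reaches the listener that `ssh -L spec` opens."""
    bind, listen_port, _host, _hostport = parse_local_forward(spec)
    host, port, path = url_endpoint(url)
    if port != listen_port:
        return (f"port mismatch: URL connects to {host}:{port} and requests "
                f"path {path!r}; the tunnel listens on port {listen_port}")
    same_loopback = "localhost" in (host, bind) and {host, bind} <= LOOPBACK
    if bind not in ("", "*") and host != bind and not same_loopback:
        return f"host mismatch: URL connects to {host}, tunnel is bound to {bind}"
    return "ok"

if __name__ == "__main__":
    # -L arguments and URLs as they appear in the thread.
    for spec, url in [("60000:localhost:80", "http://localhost/:60000"),
                      ("60000:localhost:80", "http://localhost:60000/"),
                      ("127.1.0.1:60000:127.0.0.1:80", "http://127.1.0.1/:60000")]:
        print(f"-L {spec}  {url}  ->  {check_url(spec, url)}")
```

With the slash before the colon, the `:60000` becomes part of the path and the browser connects to port 80 on the client, where the tunnel is not listening.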
On 2017-02-20 17:43, Andrei Borzenkov wrote:
20.02.2017 19:30, Carlos E. R. wrote:
and get:
+++------------------------ Unable to connect
URL is wrong; slash is misplaced. Where have you got it from?
Bingo! Thanks. I didn't see the obvious...
Where did I get it from? My memory, where else? X'-)
Curious. I get access denied on some of my pages. Apparently localhost translates to ::1 and Apache or AppArmor dislikes it. I have to use -L 60000:192.168.1.16:80 instead: works fine. :-))
-- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On Mon, Feb 20, 2017 at 10:04 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
Hi,
I want to know how to do this.
I have a server that is currently remote to me. Ie, I have to connect via internet. In order to have access to its local network I do:
firefox --no-remote &
in a remote terminal via ssh -X. It works. Responsiveness is slow, though, network delays I guess. And having to paint the entire firefox remotely.
I think there is some other way. Somehow connecting the local network there to my laptop, perhaps a tunnel via ssh. Not a vpn, I think.
Where can I read about this? A nice document for dummies would be nice, I'm not asking for someone to start typing the full explanation :-)
Even the right string for a search in google or elsewhere is nice ;-)
If the destination server is protected by a firewall that blocks SSH connections, you will want a reverse tunnel.
I use reverse tunnels to connect to the machines in my lab.
The basic concept is I have a server in the cloud (a VM instance I pay for). The firewalls related to my cloud VM are on my server, so I have 100% control of the open ports.
At my office, my ISP blocks a lot of ports.
My lab machines use autossh to maintain an outbound connection to the VM.
The VM in turn opens ports and forwards all new connections back to my servers in my lab.
I have 5 PCs in my lab that I can access that way. For each one I have a dedicated, non-standard, port on the VM server that allows access to my machines.
It's a little complicated to set up, especially if the lab machines are Windows based.
I wrote a tutorial on how to do it. Even if I'm the only user of the tutorial, it is good to have.
https://lizards.opensuse.org/2015/04/20/using-opensuse-as-a-reverse-tunnel-s...
Greg
On 2017-02-20 16:41, Greg Freemyer wrote:
On Mon, Feb 20, 2017 at 10:04 AM, Carlos E. R. <> wrote:
If the destination server is protected by a firewall that blocks SSH connections, you will want a reverse tunnel.
No, not the case. In fact, ssh is the only port I opened on the home server.
I use reverse tunnels to connect to the machines in my lab.
The basic concept is I have a server in the cloud (a VM instance I pay for). The firewalls related to my cloud VM are on my server, so I have 100% control of the open ports.
At my office, my ISP blocks a lot of ports.
My lab machines use autossh to maintain an outbound connection to the VM.
The VM in turn opens ports and forwards all new connections back to my servers in my lab.
I have 5 PCs in my lab that I can access that way. For each one I have a dedicated, non-standard, port on the VM server that allows access to my machines.
It's a little complicated to set up, especially if the lab machines are Windows based.
Interesting... but I don't think I need that complication :-)
I wrote a tutorial on how to do it. Even if I'm the only user of the tutorial, it is good to have.
https://lizards.opensuse.org/2015/04/20/using-opensuse-as-a-reverse-tunnel-s...
Thanks, I'll have a look. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 02/20/2017 08:03 AM, Carlos E. R. wrote:
No, not the case. In fact, ssh is the only port I opened on the home server.
Also read up on sshuttle https://www.unixmen.com/sshuttle-poor-mans-vpn-ssh/ I use that quite often to access the office computer from home. -- After all is said and done, more is said than done.
On Mon, 20 Feb 2017 16:04:21 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
I have a server that is currently remote to me. Ie, I have to connect via internet. In order to have access to its local network I do:
firefox --no-remote &
in a remote terminal via ssh -X. It works. Responsiveness is slow, though, network delays I guess. And having to paint the entire firefox remotely.
Firstly, I think the option should have a single hyphen preceding it, although I presume it works with two as well. Secondly, and more importantly, if you don't use that option, or use -remote, then it will use your local firefox display and avoid painting over the network.
On 2017-02-20 17:42, Dave Howorth wrote:
On Mon, 20 Feb 2017 16:04:21 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
I have a server that is currently remote to me. Ie, I have to connect via internet. In order to have access to its local network I do:
firefox --no-remote &
in a remote terminal via ssh -X. It works. Responsiveness is slow, though, network delays I guess. And having to paint the entire firefox remotely.
Firstly, I think the option should have a single hyphen preceding it, although I presume it works with two as well.
Secondly, and more importantly, if you don't use that option, or use -remote, then it will use your local firefox display and avoid painting over the network.
But then, without that option, browse to localhost fails, because it tries my local client page, not my remote server apache. I just tried. With "--remote" nothing happens, just exits. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
Carlos E. R. wrote:
Hi,
I want to know how to do this.
I have a server that is currently remote to me. Ie, I have to connect via internet. In order to have access to its local network I do:
firefox --no-remote &
in a remote terminal via ssh -X. It works. Responsiveness is slow, though, network delays I guess. And having to paint the entire firefox remotely.
Which problem are you trying to solve Carlos? -- Per Jessen, Zürich (8.8°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2017-02-20 17:54, Per Jessen wrote:
Carlos E. R. wrote:
Hi,
I want to know how to do this.
I have a server that is currently remote to me. Ie, I have to connect via internet. In order to have access to its local network I do:
firefox --no-remote &
in a remote terminal via ssh -X. It works. Responsiveness is slow, though, network delays I guess. And having to paint the entire firefox remotely.
Which problem are you trying to solve Carlos?
Just connect to the Apache on my remote server, which is not accessible from Internet, only on the LAN. I only have ssh accessible from outside (intentionally). James helped me find the documents, and Andrei discovered the error I was making, so the problem is solved :-) I can this way also access my router access page from "inside", if I want. Wonderful! :-)) -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 02/20/2017 07:04 AM, Carlos E. R. wrote:
Hi,
I want to learn about tunnels - I think
Tunnels are deep wells dug up and laying on their side. Sorry, could not resist, you know me! :-) -- -Gerry Makaro aka Fraser_Bell on the forums, IRC, and mail at openSUSE.org
On 2017-02-21 01:58, Fraser_Bell wrote:
On 02/20/2017 07:04 AM, Carlos E. R. wrote:
Hi,
I want to learn about tunnels - I think
Tunnels are deep wells dug up and laying on their side.
Sorry, could not resist, you know me! :-)
:-) I thought they would be more complicated things to learn about than what they were. Did not occur to me to do a plain google "ssh tunnel" to find out! -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 02/20/2017 07:04 AM, Carlos E. R. wrote:
I think there is some other way. Somehow connecting the local network there to my laptop, perhaps a tunnel via ssh. Not a vpn, I think.
Why not a VPN? You don't want firefox running its core on the other end, and sending all of its display to the Xserver on your end. That's slow.
If you just want the web pages firefox is showing to be from the other end then a vpn is exactly what you want. All the processing is done on your end and only the web traffic data comes across the wire.
-- After all is said and done, more is said than done.
On 2017-02-20 at 17:30 -0800, John Andersen wrote:
On 02/20/2017 07:04 AM, Carlos E. R. wrote:
I think there is some other way. Somehow connecting the local network there to my laptop, perhaps a tunnel via ssh. Not a vpn, I think.
Why not a VPN? You don't want firefox running its core on the other end, and sending all of its display to the Xserver on your end. That's slow.
That's what I was doing initially. A tunnel is fast, I use the local FF.
If you just want the web pages firefox is showing to be from the other end then a vpn is exactly what you want. All the processing is done on your end and only the web traffic data comes across the wire.
A tunnel is simpler in my case, I don't need full access:
Client:
ssh -L 60000:localhost:80 -N cer@home.server
browse to:
http://localhost:60000
And I'm guessing that it can do more than what I use it for. What if I specify a local IP, no port?
-- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
21.02.2017 05:10, Carlos E. R. wrote:
ssh -L 60000:localhost:80 -N cer@home.server
browse to:
And I'm guessing that it can do more than what I use it for. What if I specify a local IP, no port?
It is invalid syntax. You spend more time asking "what if" than actually trying it.
On 2017-02-21 04:22, Andrei Borzenkov wrote:
21.02.2017 05:10, Carlos E. R. wrote:
ssh -L 60000:localhost:80 -N cer@home.server
browse to:
And I'm guessing that it can do more than what I use it for. What if I specify a local IP, no port?
It is invalid syntax. You spend more time asking "what if" than actually trying it.
LOL. Because I'm watching TV, I was going to try in the morning :-) Reading a bit of the manual, it would be ssh-based vpn. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
participants (9)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- Dave Howorth
- Fraser_Bell
- Greg Freemyer
- James Knott
- John Andersen
- Per Jessen