User Tools

Site Tools


Tunnelling with OpenSSH

Your goal is to access a service on a dedicated host with everything going through SSH. Why? On a remote machine, the only service accessible from the outside World is the SSH service, but you still want to access other services which are behind the firewall of this remote machine.


From your local machine, you have to open a terminal a type in the following:

$ ssh -f -C -N -L <local port>:<remote host name>:<remote service port> [-p <ssh port>] [<username>@]<remote host outside name>

A quick explanation:

  • -f: make ssh a daemon (a background process)
  • -C: activates compression (saves bandwidth)
  • -N: tell ssh no to receive any command, it is used only for tunnelling
  • -L <local port>:<remote host name>:<remote service port>: create the tunnel by binding a TCP port (service) on the local machine (<local port>) to a TCP port on the remote machine or on a machine on the remote network:
    • <remote host name>: the name of the machine locally or a name of a machine on the LAN
    • <remote service port>: the remote service that one wish to access
  • [-p <ssh port>]: an optional indication on which port SSH server is running on the remote machine.
  • [<username>@]: if your user name is different on the local and remote machine, then you must specify the username that you are using on the remote machine.
  • <remote host outside name>: an IP address or host name that publicly accessible.


So let us say that this remote service is a Windows shared drive (running on port 445), it is running on the same machine that runs the SSH server but it is protected from the outside world by a firewall. You still want to access files. The machine is accessible over Internet at the following address Simply type the following command:

$ ssh -f -C -N -L 11111:localhost:445

Now you can use smbclient to connect to it and get your files:

$ smbclient -L localhost -p 11111

The added value, your connection to the Windows share is encrypted and compressed :-)

Instead of using smbclient, you could decide to mount a directory. A good start is to read the article about manual mounting directory using Samba. We will give here an example using CIFS in the same context as above, it is assume that the network share is named 'network_share':

$ sudo mkdir /mnt/share
$ sudo mount -t cifs //localhost/network_share /mnt/share -o user=huygens,domain=lan,port=11111

One should notice, that, in this context and similarly when using the 'smbclient', the network host name is localhost. This is because SSH is tunnelling the data from the locahost to the remote host.

foss/wikishelf/ssh/tunnelling.txt · Last modified: 2015/05/01 23:32 (external edit)