Setting up SSH tunneling in Windows XP
I read about how Vodafone Germany is blocking VoIP traffic in a thread on Volker Weber’s VOWE blog, having got there from Eurotelcoblog. One or two people asked for some hints on how to set up SSH tunneling for TCP traffic. It’s quite easy; here’s how to do it for SMTP access on port 25 to a particular mail server, using a Windows machine and access to an SSH server.
What you will need for this example:
- Windows 98/2000/XP machine (other OSes work too)
- SSH client which allows port forwarding (we use Putty, which is free, on our Windows machine)
- SSH server which has port forwarding configured, running on a remote machine (this example uses OpenSSH sshd on SuSE Linux) - usually you can run this machine at home
- SMTP server name and port number (usually 25) which you use for sending mail. If you’re trying to do VoIP, you can just substitute your VoIP port(s) here.
Step 1 - Set up the SSH server to allow port forwarding
This is as simple as uncommenting (removing the leading #) the following line in your sshd_config file (normally either /etc/sshd_config or /etc/ssh/sshd_config), which controls the configuration of the ssh service on your server:
From:
#AllowTcpForwarding yes
To:
AllowTcpForwarding yes
You then need to restart the ssh daemon - if you’re running SuSE Linux you can usually do that using the YaST configuration tool. The SSH service will now send any traffic forwarded to it on to the correct destination.
Step 2 - set up your SSH client to port forward:
In Putty, this is very simple. Create an SSH session to your ssh server by entering the IP address and port number (usually the default port 22). Now configure SSH tunnels under Connection -> SSH -> Tunnels on the left-hand side of the Putty session configuration screen.
Pick a high port on the local machine which the email client can be configured to connect to - I recommend adding 3000, 4000 or 5000 to the existing port, giving you 3025, 4025 or 5025 - we will use 3025. Now, enter the port and host in “Add new forwarded port”. For “Source port”, enter the high port you have just picked on the local machine, so “3025”. For “Destination”, enter the hostname of the mail (or VoIP) server and the port used on that machine, with a colon between them - e.g. “smtp.example.com:25”. Then click on “Add”, go back to “Session” on the left-hand side of the configuration screen, name your session in the “Saved Sessions” box, and click on Save. It’s also worth reading the Putty help file for port forwarding.
You now have an SSH session which is capable of taking traffic sent to port 3025 on the local machine, forwarding it through the SSH session, and sending it to smtp.example.com port 25 once it reaches the SSH server. Now you just need to set your Windows PC and email software up to be able to use it.
Step 3 - configure the hosts file on your Windows PC
In order for your PC to know that traffic for a certain destination has to go via a local port, you have to change the hosts file, which overrides the DNS lookup it uses to work out the IP address (e.g. 192.168.23.5) for a particular hostname (e.g. smtp.example.com). In Windows, you do this by editing the hosts file, which is normally C:\WINDOWS\system32\drivers\etc\hosts in Windows XP (and similar in other Windows OSes). Edit this file (in Notepad or Wordpad) to add a “localhost” line entry for your chosen remote machine:
127.0.0.1 localhost smtp.example.com
Now save this file (making sure it doesn’t become “hosts.txt” instead of just plain “hosts”). Your PC now thinks that “smtp.example.com” is the local machine (known as “localhost”) - when you send traffic to it on port 3025 the SSH tunnel will pick it up and forward it to the correct destination.
Step 4 - configure your email program
Now that you’ve configured your PC to think that smtp.example.com is local (or localhost), and Putty to forward all traffic on port 3025 to the remote destination you specified, you can set up your mail client to send traffic for smtp.example.com to port 3025 instead of port 25. Most mail clients will allow you to define the port that your SMTP server uses (I’m using the M2 client which comes with the free Opera browser) - just go in and change the SMTP server entry settings from port 25 to port 3025.
Now you can get everything running - start the SSH session to the SSH server using Putty, and when you send mail your email client will send it to smtp.example.com via your SSH session - great if port 25 access is restricted from where you are, but SSH is open.
The only thing to watch out for is that you can only have port 3025 listening once on your PC - if you want to connect to multiple SMTP servers (for example), use other local ports such as 4025, 5025, etc.
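As an added example (not code from the original post), the following POSIX shell helpers express steps 1 to 4 and the port-reuse caveat above on the command line; they assume a Unix-like shell (the SSH server side, or a plink/OpenSSH client), and the host names and the sshd_config fragment are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Helpers that express the four
# steps above on the command line. Host names, ports and the config snippet
# are constructed placeholders.

# Step 2: local listening port = destination port + offset (3000 by default,
# 4000 or 5000 when 3025 is already taken by another tunnel).
local_port() {            # usage: local_port <dest_port> [offset]
    printf '%s\n' $(( $1 + ${2:-3000} ))
}

# Step 2: CLI equivalent of PuTTY's "Add new forwarded port" dialog;
# both plink.exe and OpenSSH's ssh accept -L localport:host:port.
forward_arg() {           # usage: forward_arg <dest_host> <dest_port> [offset]
    printf '%s\n' "-L $(local_port "$2" "$3"):$1:$2"
}

# Step 3: the hosts-file line that points the mail server name at localhost.
hosts_line() {            # usage: hosts_line <dest_host>
    printf '%s\n' "127.0.0.1 localhost $1"
}

# Step 1 check: is TCP forwarding effectively on in a sshd_config read from
# stdin? OpenSSH defaults to "yes", so the commented-out line still means
# enabled; only an explicit "AllowTcpForwarding no" disables it, and sshd
# uses the first value it finds for a keyword (Match blocks are ignored here).
tcp_forwarding_state() {
    value=$(sed -n 's/^[[:space:]]*AllowTcpForwarding[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' | head -n 1)
    case "$value" in
        [Nn][Oo]) printf 'disabled\n' ;;
        *)        printf 'enabled\n' ;;
    esac
}

# Closing caveat: a port can only be listened on once, so check before
# adding a second tunnel. Returns 0 when nothing is listening on the port.
port_is_free() {          # usage: port_is_free <local_port>
    ! netstat -an 2>/dev/null | grep -q "[.:]$1[[:space:]].*LISTEN"
}

# Constructed sshd_config fragment: the shipped default, forwarding enabled.
SAMPLE_SSHD_CONFIG='# default settings
#AllowTcpForwarding yes
X11Forwarding no'
```

Run `forward_arg smtp.example.com 25` to get the argument for `plink -ssh user@yourserver`, and pipe the server's sshd_config into `tcp_forwarding_state` to confirm step 1 took effect.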
Enjoy!