Poor man's VPN with SSH
SSH has port forwarding, dynamic forwarding, and now also IP forwarding. This allows you to create connections out through a firewall, and allow other connections in and out through your SSH-connection, originating at your SSH server. Read on for a few examples of use, and make sure you have the blessing of your security team.
With local forwarding, you open a local port, and forward it to another host and port from the remote server.
Often used with forwarding to single webservers, proxies, Citrix ICA servers, VNC servers, and Windows Remote Desktop (RDP).
Example with local forwarding
Connect to a server at work, forwarding a connection from port 10080 on my laptop to important.server.example.org.
ssh -L 10080:important.server.example.org:80 email@example.com
I can then open my browser to http://localhost:10080, and do my stuff. Some web applications, though, can be tricky enough to expect a hostname, and for that you need to edit /etc/hosts or equivalent, or you can read on for dynamic forwarding.
With remote forwarding, you open a listening port on the remote side, and forward it to another host and port from the local server.
Example with remote forwarding
One useful scenario is to help family members who have PC trouble. For instance: Mom has a problem, calls me, and wonders if I can help, and then clicks an icon on her desktop that does the following thing:
Starts Remote Desktop or VNC
Connects to my SSH server, with remote forwarding from on the SSH server, to localhost: on her PC.
ssh -R 5801:localhost:5801 firstname.lastname@example.org
What I do, is:
Connect to my SSH server, with local forwarding from on my laptop, to on the SSH server, which again connects through the remote forwarding to localhost: on mom's PC.
ssh -L 5801:localhost:5801 email@example.com
Start a VNC client, and connect to my localhost:5801 on my laptop. This port is now connected through my ssh session, to mom's ssh session, to her PC.
Dynamic forwarding with SOCKS
OpenSSH's client has the ability to do dynamic forwarding to act as a local SOCKS server, both for SOCS4 and SOCS5.
Many programs have built-in SOCKS support, so if you enable this, and configure it to use localhost: as a SOCKS proxy.
For programs with no built-in SOCKS support, you can use "tsocks", to intercept networking calls, and work through the SOCKS server.
Example with dynamic forwarding
ssh -D 1080 firstname.lastname@example.org
Then I configure Firefox, for instance, to use the SOCKS server at localhost port 1080, and all my web connections will go through the SSH connection, and appear to be initiated from myserver.example.com. Much easier than with local forwarding, and works great for remote administration of things from home where you use different hostnames and ports, and perhaps also unroutable IP addresses.
IP forwarding with TUN
Now we're talking. This is the real thing, we get IP forwarding through a point-to-point interface. This exists only in newer versions of OpenSSH, and is not very well documented yet. Unfortunately, this also includes this document until I have more time to research further.
Example with IP forwarding
ssh -w 0:1 email@example.com
Where '0' is the local device tun0, and '1' refers to the remote device tun1. On each side, one needs to set an IP address for host-to-host contact, and add routing and perhaps also NAT for network access.
Beware, as careless use of IP forwarding between sites may have a serious impact on network security, and may make others very angry if used without permission.