Configuring SSH Tunnels in Oracle Linux

Introduction

This tutorial provides step by step procedures to configure SSH tunnels for network traffic. SSH tunnels or SSH forwarding encapsulates specific TCP traffic and enables it to traverse the network through an SSH connection.

Objectives

This tutorial teaches you how to configure the following types of SSH tunneling:

  • Dynamic port forwarding, where SSH acts as a SOCKS proxy
  • Local port forwarding, where a port on the client is mapped to a port on the remote system

What Do You Need?

The next section describes hands-on exercises you can perform in a lab environment to test SSH tunneling. To access the lab, click Launch lab next to the tutorial title.

Configuring SSH Tunneling

Note: This section is specific to the Oracle provided free lab environment. It assumes that you have successfully logged in to the Oracle Cloud console page and can view your instances on the Instance page. Also, for the purpose of this lab exercise, the remote system is the cloud instance called ol8_server, while the local (client) host is lunabox.

Testing your connection to the instance

Even though your instance is already listed in the Instance page, the deployment of the lab environment might take a while longer to complete, depending on the number of resources and provisioning steps that are required. This section helps you to test and ensure that the lab environment is ready for use.

  1. From the Instance page, copy the Public IP to a temporary location, such as a text file, on your computer.

  2. Open a terminal window.

    Minimize the browser, right-click the virtual desktop, and select Open Terminal Here. As an alternative, click Applications at the bottom left corner, then select Terminal Emulator.

  3. Connect to the instance.

    The <ip_address> placeholder is the IP address that you copied from the Instance page of the Oracle Cloud console.

    ssh oracle@<ip_address>
    
  4. Accept the ECDSA key fingerprint by typing yes at the prompt.

You are now connected to the compute instance for this lab.

If the connection fails with the Permission denied (publickey,gssapi-keyex,gssapi-with-mic) message, then the processes to deploy the lab might still be ongoing. Wait a while longer for the provisioning operation to complete. Then try to make the SSH connection again.

Configuring SSH dynamic port forwarding

Dynamic port forwarding enables communications across a range of ports by making SSH act as a SOCKS proxy server.

Note: Unless instructed otherwise, you must run all the commands in this section from lunabox.

  1. If you are currently connected to ol8_server in a terminal window, type exit to disconnect from the instance.

    Alternatively, open a new tab for a separate terminal window.

  2. Open an ssh connection to ol8_server while using the -D option and specifying a port number to use locally.

    The -D option indicates that the connection uses dynamic port forwarding.

    ssh -D 8080 oracle@<ip_address>
    

    You can use optional arguments in the command syntax, such as the following:

    • -N prevents the execution of remote commands.
    • -f indicates that the connection is forked into the background.
    • sleep <n>, given as the remote command, keeps the session open for n seconds; if no forwarded connection arrives in that time, the tunnel closes.

  3. Use the service at http://ifconfig.me to obtain the public IP address of the local host.

    curl -w '\n' ifconfig.me
    

    Note that the IP address provided for lunabox does not match the IP address for ol8_server.

  4. Type the curl command but specify the --socks5 option.

    This option tells curl to use the SOCKS proxy on localhost port 8080, which is the port you specified when you created the ssh connection.

    curl -w '\n' --socks5 localhost:8080 ifconfig.me
    

    Note that this time, the displayed address is the public IP address of ol8_server.

By using the dynamic port forwarding service, you can redirect or forward TCP traffic from one system to another over a secure connection. This service functions as a rudimentary VPN. Thus, you can configure a local web browser to use the SOCKS proxy for forwarded browsing. Or, as an alternative, you can configure SOCKS proxy settings by defining a variable as follows, and then retest with the curl command.

export {http,https,ftp}_proxy="socks5://localhost:8080"
curl -w '\n' ifconfig.me

Other mechanisms can be used to force all TCP traffic through your SSH connection. However, these are beyond the scope of this tutorial. In addition, alternative methods might be preferable to SSH tunnels for this purpose.
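As an added example (not part of the tutorial), the following script combines the -f and -N options with an SSH control socket so that the tunnel is closed explicitly rather than through the sleep <n> idiom; TUNNEL_HOST, SOCKS_PORT, wait_for_port and socks_tunnel_demo are names assumed here. It also uses curl's --socks5-hostname instead of --socks5, so that DNS lookups are resolved through the tunnel rather than from the client.

```shell
#!/bin/bash
# Added example, not from the tutorial: open a dynamic forward in the
# background, wait until the SOCKS port is listening, send one request
# through it, then tear the tunnel down. Run as:
#   TUNNEL_HOST=oracle@<ip_address> ./socks_demo.sh
SOCKS_PORT="${SOCKS_PORT:-8080}"
CTL_SOCK="/tmp/socks-tunnel.sock"

# wait_for_port HOST PORT TIMEOUT: poll with bash's /dev/tcp until the port
# accepts a connection; returns 0 when it does, 1 after TIMEOUT seconds.
wait_for_port() {
  host=$1; port=$2; deadline=$(( $(date +%s) + $3 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      return 0
    fi
    sleep 1
  done
  return 1
}

# socks_tunnel_demo: compare the egress address seen directly and via the proxy.
socks_tunnel_demo() {
  # -f backgrounds ssh, -N opens no remote shell, -M/-S create a control
  # socket so the tunnel can be closed deterministically afterwards.
  # Binding to 127.0.0.1 explicitly keeps the proxy reachable only locally.
  ssh -f -N -M -S "$CTL_SOCK" -D "127.0.0.1:$SOCKS_PORT" "$TUNNEL_HOST"
  if ! wait_for_port 127.0.0.1 "$SOCKS_PORT" 10; then
    echo "tunnel did not come up" >&2
    ssh -S "$CTL_SOCK" -O exit "$TUNNEL_HOST"
    return 1
  fi
  direct=$(curl -s ifconfig.me)
  # --socks5-hostname resolves names on the proxy side (no local DNS lookup)
  via_proxy=$(curl -s --socks5-hostname "127.0.0.1:$SOCKS_PORT" ifconfig.me)
  echo "direct egress:  $direct"
  echo "through tunnel: $via_proxy"
  ssh -S "$CTL_SOCK" -O exit "$TUNNEL_HOST"
}

if [ -n "${TUNNEL_HOST:-}" ]; then
  socks_tunnel_demo
fi
```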

Configuring SSH local port forwarding

Local port forwarding over SSH maps a local port on the client system to a remote port on the server system. This configuration enables you to access services on the remote system that are otherwise inaccessible because the services might be running behind a firewall or might not be listening on a public network interface.

Cockpit is a good example of such a service. Typically, if you want to run the Cockpit web console for a system that is connected to the Internet, the service would be exposed on a public facing network, which is not advisable.

For this demonstration, the ol8_server is configured for security as follows:

Note: Unless instructed otherwise, all the commands must be typed from lunabox.

  1. If you are currently connected to the ol8_server in a terminal window, type exit to disconnect from the instance.

    Alternatively, open a new tab for a separate terminal window.

  2. Verify that the Cockpit service is not reachable directly.

    In a browser, try to open the Cockpit web console on ol8_server by using its IP address:

    http://<ip_address>:9090/

    The connection does not succeed.

  3. On the terminal window, open an SSH connection to ol8_server by using local port forwarding.

    The -L option maps a port on the local host to a port on the server.

    ssh -L 9090:localhost:9090 oracle@<ip_address>
    

    You can use optional arguments in the command syntax, such as the following:

    • -N prevents the execution of remote commands.
    • -f indicates that the connection is forked into the background.
    • sleep <n>, given as the remote command, keeps the session open for n seconds; if no forwarded connection arrives in that time, the tunnel closes.

  4. Return to your browser and change the URL to access ol8_server’s Cockpit service as if you were accessing it locally.

    http://localhost:9090/

    This time, the Cockpit login screen appears for the ol8_server instance.

  5. Log in by using oracle as the user name and password.

    The ol8_server’s Overview page is displayed.

By using the Cockpit web console, you can remotely manage the instance even though the service itself is not exposed on any public facing network.
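Both the -D forward from the previous section and the -L forward above listen on the loopback address by default; if a bind address such as 0.0.0.0 is given (or ssh -g is used), anyone who can reach the client host can use the tunnel. The following added check (not part of the tutorial) reads ss -ltnp output and reports ssh-owned listeners that are not on loopback; SAMPLE_SS_OUTPUT is a constructed sample and exposed_ssh_listeners is an assumed function name.

```shell
#!/bin/sh
# Added example, not from the tutorial: flag SSH port forwards that are
# reachable from outside the client host. On a live system run:
#   ss -ltnp | exposed_ssh_listeners
set -f   # ss prints "0.0.0.0:*"; disable globbing before word-splitting it

# Constructed sample of `ss -ltnp`: two loopback-only forwards, one forward
# bound on all interfaces, and the sshd daemon (which is not a forward).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("ssh",pid=4242,fd=5))
LISTEN 0      128    [::1]:9090          [::]:*            users:(("ssh",pid=4243,fd=5))
LISTEN 0      128    0.0.0.0:9090        0.0.0.0:*         users:(("ssh",pid=4243,fd=6))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))'

# exposed_ssh_listeners: read ss -ltnp lines on stdin and print the local
# address:port of every listener owned by the ssh client that is not bound
# to 127.0.0.0/8 or ::1. Lines for sshd ("sshd") do not match the pattern.
exposed_ssh_listeners() {
  while IFS= read -r line; do
    case "$line" in
      *'"ssh"'*) ;;     # only the ssh client process owns forwards
      *) continue ;;
    esac
    set -- $line        # whitespace split: $4 is "Local Address:Port"
    case "$4" in
      127.*|'[::1]:'*) ;;               # loopback: local users only
      *) printf '%s\n' "$4" ;;          # anything else is reachable remotely
    esac
  done
}

# Offline demonstration on the constructed sample (prints 0.0.0.0:9090).
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_ssh_listeners
```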

Video Demonstration

The video tutorial Using SSH Tunnels With Oracle Linux 8 gives more examples for configuring different types of SSH tunnels. Note that while the lab exercises demonstrated SSH tunneling by using the Cockpit service, this video uses VNC and web services for its examples. Together, they show how SSH port forwarding lets you access and make use of a remote system’s services.

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.