Mac OS X VPN Solutions, Part 3: Using SSH Port Forwarding
The first two articles in this series looked at what Virtual Private Networks (VPN) technologies are available for Mac OS X and Mac OS X Server. Part 1 talked about how to configure Mac OS X computers to connect to remote networks using VPN. In part 2, we talked about how to configure the VPN service in Mac OS X Server. In this final piece, we look at how to use SSH’s port forwarding feature (also called port tunnelling) to achieve some of the benefits of VPN access without the need for a VPN server.
SSH (secure shell) is a technology for securely connecting to a remote computer. As you might suspect from shell being in the name of the technology, SSH is primarily intended to allow shell login and command-line access to remote Unix or Linux computers (though SSH clients exist for Windows as well). This allows for administration and use of the remote computer as if you were entering commands from a keyboard attached to it. SSH uses encryption technology to establish secure connections between the two computers, which enables it to be far more secure than previous remote command-line features such as telnet.
The SSH protocol includes a number of other features besides basic login. One of them is port forwarding, which enables you to establish an SSH connection to a remote computer and then forward specific types of TCP/IP network traffic to that secure connection instead of to your computer’s network port, based on the port numbers associated with the protocols used for that type of traffic. The result is that when you make requests for specific types of network resources, such as file sharing, your computer will forward those requests through the SSH connection instead of attempting to locate the resources on the local network to which your computer is connected.
Why Use Port Forwarding?
Port forwarding provides two main uses. First, it enables you to establish secure tunnels between two computers (much like VPN). You can securely connect to another computer through the Internet and transfer data that you might otherwise not be able to transfer safely. Any Internet or network protocol can be forwarded, including things like file sharing, web browsing, email, and remote management tools (such as Mac OS X Server’s Server Admin or the multiplatform VNC).
Second, you can use port forwarding as a way to allow secure access through a firewall. When you implement a firewall, one of the primary ways it secures your network or computer is by limiting what types of traffic can pass into the network. For every type of network or Internet protocol you allow, you need to open ports on the firewall. Each newly opened port exposes your network or computer to more potential security risks. This can be especially dangerous when you start opening ports used for remote management protocols such as Apple Remote Desktop, VNC, or the Mac OS X Server management tools. Port forwarding mitigates these risks because you need to open only a single port that SSH will use to forward all the other traffic through. You even get to choose the port that SSH uses, meaning that you can choose a port that is traditionally unused for network or Internet traffic.
VPN provides much of the same functionality by encrypting data and transmitting it through set ports the same way. However, implementing a VPN server can be expensive and require some amount of effort. There can be many situations in which you only want to establish a secure connection to transfer a handful of files, manage a remote server or workstation, or perform some other task very infrequently. A great example is when you’re at work and need access to a file from home (a situation opposite to the ones in which VPN is typically used), or when you want to control a friend’s computer securely using VNC to help them work on a project or resolve a problem.
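As an added example (not code from the original article), the following shell function assembles the OpenSSH command line for the kind of forwards described above: a VNC session and AFP file sharing carried through one SSH connection on a non-standard port. The gateway host, file server, login name and port numbers are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the OpenSSH command
# that sets up local port forwards, validating each forward before use.
# Hostnames, ports and the login below are hypothetical placeholders.

# usage: ssh_forward_cmd USER@HOST SSH_PORT LOCAL:TARGET_HOST:TARGET_PORT...
# Prints one ssh invocation. -N requests no remote shell (forwarding only),
# -p selects the single non-standard port the firewall must expose, and each
# -L listens on 127.0.0.1 so only this machine can enter the tunnel.
# TARGET_HOST is resolved by the remote sshd, so 127.0.0.1 there means the
# SSH server itself, not the client.
ssh_forward_cmd() {
    login=$1; ssh_port=$2; shift 2
    valid_port "$ssh_port" || return 1
    cmd="ssh -N -p $ssh_port"
    for spec in "$@"; do
        oldifs=$IFS; IFS=:; set -- $spec; IFS=$oldifs
        [ $# -eq 3 ] || { echo "bad forward spec: $spec" >&2; return 1; }
        valid_port "$1" && valid_port "$3" || return 1
        cmd="$cmd -L 127.0.0.1:$1:$2:$3"
    done
    printf '%s %s\n' "$cmd" "$login"
}

# valid_port PORT: succeeds only for an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) echo "invalid port: '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "port out of range: $1" >&2; return 1
    fi
    return 0
}

# Example: reach the gateway's own VNC server (5900) and an AFP file server
# behind the firewall (548) through one SSH session on port 2222.
ssh_forward_cmd admin@gateway.example 2222 \
    5901:127.0.0.1:5900 10548:fileserver.example:548
```

Once the printed command is running, pointing a VNC client at localhost:5901 or connecting to afp://localhost:10548 sends that traffic through the SSH session rather than out over the local network.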