Mohza
Posts: 6
Joined: Thu Jan 18, 2018 9:20 pm

SSH Tunnel and port forwarding question

Tue May 22, 2018 5:43 pm

Hi!
First of all I'm a bit of a noob.
I have a samba share setup, which works fine locally, and I'm trying to set an SSH tunnel up to access my Raspi remotely (not from the same LAN I mean) with a windows computer while keeping everything secure.
I've followed this great step-by-step tutorial : https://www.nikhef.nl/~janjust/CifsOver ... pback.html
but I'm having trouble adapting it to my setup (and understanding the concept of SSH tunneling actually, despite reading about it).

My Raspberry is connected to the internet through a router.
What I understand from the tutorial is that I'll remotely connect to the 445 port of my router, but what puzzles me is that I'll have to forward this port from my router to my Raspi, yet I've read a lot that forwarding this one is not secure at all.

I'm obviously missing a point here, or multiple ones. I'm not even sure I'm providing enough details to get help, but I guess my question is : is it necessary to forward my 445 port to make this tutorial work (which sadly I'm unable to summarize), and is it safe to do so ?
Thanks for reading, and I'll deliver necessary details as they are asked, I just don't know which ones yet.

ras07
Posts: 6
Joined: Tue May 22, 2018 4:04 am

Re: SSH Tunnel and port forwarding question

Wed May 23, 2018 12:49 am

Short answer: it's secure.

Longer explanation: everything over SSH is encrypted. If you think of protocols as tubes that connect the internet together, think of SSH tunneling as a smaller tube inside a larger tube. To extend the analogy, think of encryption as paint that makes a normally clear tube (one in which you can see the contents) opaque. Even if the inner tube (SMB) is clear, you can't see the contents of it, because the outer tube (SSH) is painted.

IMHO, there are easier ways to accomplish what you want to do, though. You might take a look at OpenVPN.

ras

leiptrstormr
Posts: 60
Joined: Mon May 18, 2015 12:33 pm

Re: SSH Tunnel and port forwarding question

Wed May 23, 2018 3:30 am

If you have sshd enabled on your Raspberry Pi, why not use an sftp client like Filezilla to connect to it?
Host: LAN or WAN ip address
Username: pi
Password: notraspberry
Port: 22

Mohza
Posts: 6
Joined: Thu Jan 18, 2018 9:20 pm

Re: SSH Tunnel and port forwarding question

Wed May 23, 2018 8:05 am

Thanks for your answers!
ras07 >> if I understand well, opening ports is not the problem, it's how we use them that can be?

So I've opened the 445 port, but still no luck connecting.
Anyway I think I should first try to have a connection through sFTP, as leiptrstormr suggested, and maybe work on the tunnel, or the OpenVPN possibility later.
I entered the WAN IP address, the right user and password, port 22, SSH enabled on the Pi, but I have this message in FileZilla:

Response: fzSftp started, protocol_version=8
Command: open "user@IPadress" 22
Error: Connection timed out after 10 seconds of inactivity
Error: Could not connect to server

(I changed the values, never sure of what's safe to share, but I verified that they are the right ones)
Should I open a port (22?) for sFTP too?

procount
Posts: 1083
Joined: Thu Jun 27, 2013 12:32 pm
Location: UK

Re: SSH Tunnel and port forwarding question

Wed May 23, 2018 10:01 am

You need to close port 445 on your router, otherwise you are vulnerable.

I assume you have sshd running on your Pi and configured for port 22.
As you need to open this to the internet, make sure you have a really strong password, because many automated bots will be trying to connect to it and gain access to your RPi!
Configure your home router to map its external port 22 onto port 22 of your Raspberry Pi's IP address.
Now see if you can connect to your raspberry pi from an external network with ssh (PuTTY), using your router's IP address and port 22.
(Once you have this working, you should consider disabling password access and using secure ssh_keys instead. You can also consider changing from using external port 22 to another port (2222?) and port-forwarding that to your RPi's port 22 instead, which may reduce the number of potential attacks you will get - it's only additional "security by obscurity", it's up to you).

You can now use your Putty connection to tunnel other protocols through it.
Even though CIFS uses port 445, you don't open port 445 in your Router's firewall, because the protocol is going transparently through the tunnel over port 22 to your Pi, where it is then mapped to port 445 of your RPi.
PINN - NOOBS with the extras... https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=142574
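
Added example (not part of procount's post): once port 22 is forwarded, the Pi's sshd log shows the automated login attempts mentioned above and whether any successful login still used a password. The log lines are constructed in the format OpenSSH's sshd writes to /var/log/auth.log; the threshold of 3 failures is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample in the format OpenSSH's sshd writes to /var/log/auth.log
# (addresses come from documentation ranges, not real hosts).
SAMPLE_LOG = """\
May 23 10:02:11 raspberrypi sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 23 10:02:14 raspberrypi sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 23 10:02:19 raspberrypi sshd[815]: Failed password for root from 203.0.113.7 port 40190 ssh2
May 23 10:05:40 raspberrypi sshd[830]: Failed password for pi from 198.51.100.23 port 55012 ssh2
May 23 10:09:02 raspberrypi sshd[841]: Accepted password for pi from 192.0.2.50 port 49811 ssh2
May 23 18:31:27 raspberrypi sshd[990]: Accepted publickey for pi from 192.0.2.50 port 50233 ssh2: RSA SHA256:CONSTRUCTED
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize_auth(log_text, threshold=3):
    """Count failed password logins per source IP and list password-based successes."""
    failures = Counter()
    users_tried = {}
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried.setdefault(ip, set()).add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append(m.groups())  # (method, user, source IP)
    return {
        # Sources with at least `threshold` failures look like guessing bots.
        "suspects": sorted(ip for ip, n in failures.items() if n >= threshold),
        "failures": dict(failures),
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        # Should be empty once password access is disabled in favour of keys.
        "password_logins": [a for a in accepted if a[0] == "password"],
    }

if __name__ == "__main__":
    for key, value in summarize_auth(SAMPLE_LOG).items():
        print(key, value)
```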

Mohza
Posts: 6
Joined: Thu Jan 18, 2018 9:20 pm

Re: SSH Tunnel and port forwarding question

Wed May 23, 2018 6:35 pm

Thanks for the advice and information, Procount!
I've closed the 445 and followed your instruction for port 22, I'll try to connect remotely tomorrow.

Mohza
Posts: 6
Joined: Thu Jan 18, 2018 9:20 pm

Re: SSH Tunnel and port forwarding question

Thu May 24, 2018 12:53 pm

Ok that works great, thanks again.
I can connect via sFTP, or even through the SSH tunnel (but only in Putty).
The problem I have now is I can't map a network drive in windows as the tutorial says ( https://www.nikhef.nl/~janjust/CifsOver ... pback.html ).
Each time I try to connect I have this error : the specified network name is no longer available.
I can use sFTP so that's great, but I'm so close to the goal XD

procount
Posts: 1083
Joined: Thu Jun 27, 2013 12:32 pm
Location: UK

Re: SSH Tunnel and port forwarding question

Thu May 24, 2018 1:13 pm

Glad you got the ssh bit working - that bit I do know how to do, but tunneling cifs is not something I've done before.
Assuming you have set up your local loopback interface as suggested in the tutorial, I guess your problems will relate to customising the tutorial to your setup.

In the "configuring putty" section, the source port should be "10.255.255.1:44445", but replace 10.255.255.1 with the IP address of your windows PC if it is different (normally this would just be the local loopback address of 127.0.0.1, but is changed in this tutorial to make cifs work). The destination should be changed to match the LOCAL ip address of your RPi behind your router, so e.g. "192.168.1.42:445". Then restart your Putty connection and check the event log to see if the port forwarding is active.
PINN - NOOBS with the extras... https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=142574
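
Added example (not part of procount's post): a check of the PuTTY source and destination values described above, returning the equivalent `-L` argument accepted by OpenSSH's `ssh` and PuTTY's `plink`. The function name `check_forward` and the warning texts are hypothetical; the addresses are the ones quoted in the post.

```python
import ipaddress

def check_forward(listen, dest):
    """Validate a local forward given as IPv4 'ip:port' strings.

    Returns (forward_argument, warnings). The listen side is on the
    Windows PC; the destination is resolved from the Pi's end of the tunnel.
    """
    l_ip, l_port = listen.rsplit(":", 1)
    d_ip, d_port = dest.rsplit(":", 1)
    l_addr, d_addr = ipaddress.ip_address(l_ip), ipaddress.ip_address(d_ip)
    for name, port in (("listen", l_port), ("destination", d_port)):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"{name} port out of range: {port}")
    warnings = []
    if l_addr.is_unspecified:
        # 0.0.0.0 binds every interface, so other machines can use the tunnel.
        warnings.append("listen address is a wildcard: any host that can "
                        "reach this PC could use the tunnel")
    elif not (l_addr.is_loopback or l_addr.is_private):
        warnings.append("listen address is public: the forwarded share "
                        "would be offered outside this PC")
    if not d_addr.is_private:
        warnings.append("destination is not a LAN address: it should be "
                        "the Pi's address behind the router")
    # Same argument syntax for 'ssh -L' and 'plink -L'.
    return f"-L {l_ip}:{l_port}:{d_ip}:{d_port}", warnings

if __name__ == "__main__":
    arg, warns = check_forward("10.255.255.1:44445", "192.168.1.42:445")
    # ROUTER_WAN_ADDRESS is a placeholder for the router's external address.
    print("ssh", arg, "pi@ROUTER_WAN_ADDRESS")
    print(warns or "no warnings")
```

Only port 22 on the router is involved in reaching the listener this argument creates; port 445 never appears on the WAN side.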

Mohza
Posts: 6
Joined: Thu Jan 18, 2018 9:20 pm

Re: SSH Tunnel and port forwarding question

Thu May 24, 2018 2:07 pm

I've made the changes as advised in Putty, I could log in and the event log shows that the port forwarding is active.
But the rest is the same, I can enter command lines to my Rpi with Putty (I'm surprised I can do that with both Putty configurations), but still can't access the share with windows.
I've tried various combinations of IPs and paths in the "Map Network Drive" tool in Windows, but almost the same result :
"Network name no longer available" with 10.255.255.1 tests
"network path not found" with actual IPs (remote windows IP, router IP, Rpi local IP) - yes, I've tried a bit of everything
