How can I remotely access an intranet website from an external network via an SSH tunnel?

I recently set up FreeIPA on an internally accessible system at home. I’d like to manage this web UI from networks that are external to my LAN, but at the same time, I don’t want to have to expose this web UI to the public internet. Is there a way I can access it through an SSH tunnel?

NOTE: I’m familiar with setting up a tunnel using ssh & its -L switch like so:

$ ssh -L port:host:hostport mysshserver

However this approach will not work in this scenario, since accessing FreeIPA requires that you use the actual hostname of the server in addition to being able to access the web UI using both ports 443 and 80.

Is there another way to accomplish this beyond ssh -L?

Asked By: slm


Performing SSH tunneling can get a bit confusing with all the terminology, but there is a complementary feature to -L, which provides you the ability to “dynamically” assign ports by allocating a socket locally, instead of a single port.

From the man page:

-D [bind_address:]port
    Specifies a local ``dynamic'' application-level port forwarding.  This works by 
    allocating a socket to listen to port on the local side, optionally bound to the 
    specified bind_address.  Whenever a connection is made to this port, the connection 
    is forwarded over the secure channel, and the application protocol is then used to 
    determine where to connect to from the remote machine.  Currently the SOCKS4 and 
    SOCKS5 protocols are supported, and ssh will act as a SOCKS server.  Only root 
    can forward privileged ports. Dynamic port forwardings can also be specified in 
    the configuration file.

By allocating a socket, all the traffic can be funneled through to the remote site, including DNS queries.

How to use it

For starters you’ll need to open up a connection to your LAN (through its public IP address on the internet) like so:

$ ssh -D 1234 myserver

NOTE: This assumes that you have the ability to SSH into a server that’s accessible through your public internet IP address.

Once that’s set up, in another terminal, you’ll want to configure your web browser to make use of this tunnel. NOTE: This type of tunnel is providing you a socket, so to connect to it, you need to tell your web browser to proxy all of its traffic via this socket. This is typically shown as a SOCKS or SOCKS v5 type of connection for your proxy.

An example

In this example I’ll show how you can do it using Chromium, via the CLI:

$ ./Chromium --proxy-server="socks5://localhost:1234"

Here I’m launching Chromium and pointing it to the SSH tunnel which we earlier configured on our localhost’s port 1234. And with this, if I then attempt to visit a URL for a server that’s configured on my LAN, I’m directed to it:


Proxying with other browsers

All the major browsers provide this feature and it’s covered pretty extensively on other SE sites such as SuperUser:

You can even make use of extensions to the various browsers which allow you to selectively proxy only certain traffic, while allowing you to route everything else out over your normal connection to the internet.

For example, you can use ProxySwitchy! with Chrome to do exactly that:



Answered By: slm