Introduction to Tunnels
In computer networks, a tunnel is a connection between two points on the Internet through which other IP traffic can be transported. A typical use is for an employee to set up a tunnel to his or her corporate network, send all (or just work-related) traffic through it, and so reach services local to that network which are normally inaccessible from the outside world because of firewall policies.
The connections established with a tunnel are often referred to as a Virtual Private Network, VPN for short.
Two things are important to get a tunnel to work:
- Make a connection to a server in the remote network to set up the tunnel
- Make sure that data destined for the remote network is routed through the tunnel instead of over the regular Internet.
Tunnels are not the only method to connect to a remote network, or reroute traffic. Alternatives include:
- Proxy servers: data is rerouted, but not encapsulated in a tunnel
- Remote screen connections: taking over the screen of a remote desktop computer
General discussion: proxy, tunnel for one socket, tunnel for all traffic.
List of Common Tunnels
- L2TP over IPsec
- Native IPsec
- Cisco Anyconnect
SSH tunnels
Make a tunnel from localhost:8023 to remote.example.com:23 (the "localhost" in the -L argument is interpreted on the SSH server, so here it means remote.example.com itself; "user" is a placeholder for your login name):
ssh -L 8023:localhost:23 user@remote.example.com
Make a tunnel from localhost:8023 to remote.example.com:23, via staging.example.com:
ssh -L 8023:remote.example.com:23 user@staging.example.com
In this example, you can send traffic to localhost:8023; it arrives at remote.example.com:23 and, to that application, appears to come from staging.example.com.
Alternatively, one can use a simpler command:
ssh -D 8080 user@remote.example.com
This example creates a SOCKS5 proxy on localhost port 8080; connections made through it leave from the SSH server you connect to.
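To make the first of the two steps above concrete, here is an added Python example (not from the original page) of the client side of a local forward: it does what `ssh -L 8023:localhost:23 ...` does on your machine, listening on loopback and relaying each connection to the target, but without any encryption. The echo service and the `roundtrip` helper are constructed stand-ins for the remote port-23 application.

```python
import socket
import threading

def pump(src, dst):
    """Copy src -> dst until src reaches EOF, then half-close dst so the EOF propagates."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def listen_and_spawn(port, handler):
    """Listen on 127.0.0.1:port (loopback only, ssh -L's default) and thread handler(conn) per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv  # srv.getsockname()[1] is the bound port (port=0 picks a free one)

def start_forwarder(listen_port, target_host, target_port):
    """Client side of 'ssh -L listen_port:target_host:target_port', minus the encryption."""
    def relay(client):
        remote = socket.create_connection((target_host, target_port))
        threading.Thread(target=pump, args=(remote, client), daemon=True).start()
        pump(client, remote)
    return listen_and_spawn(listen_port, relay)

def roundtrip(payload):
    """Send payload through the forwarder to a constructed echo service; return the reply."""
    echo = listen_and_spawn(0, lambda conn: pump(conn, conn))  # stand-in for the port-23 app
    fwd = start_forwarder(0, "127.0.0.1", echo.getsockname()[1])
    with socket.create_connection(("127.0.0.1", fwd.getsockname()[1])) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # our EOF travels through the tunnel to the echo side
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    fwd.close()
    echo.close()
    return reply
```

Binding the listener to 127.0.0.1 matters: a forward bound to all interfaces would let any host on your LAN enter the tunnel.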
OpenVPN
On a Mac OS X laptop:
port install openvpn2
On a Linux server at home:
apt-get install openvpn
Mac OS X additional software
You will need a TUN/TAP driver installed.
To enable IP forwarding on Mac OS X, use:
sudo sysctl -w net.inet.ip.forwarding=1
The Odds and Weird Ones
This section lists a few uncommon tunnels. Most were developed as proofs of concept, to show that IP traffic can be piggybacked on protocols that were never meant to encapsulate traffic. One example use is to demonstrate how to get free wireless Internet at a paid hotspot: some hotspots let a little traffic through, only so that potential clients can get an account or look up the prices, and those few holes can potentially be abused to tunnel regular Internet traffic. (In case you plan to exploit this, note that most hotspots have closed these loopholes, and in my experience, setting this up is more hassle than it's worth; the resulting bandwidth is very, very small.)
- Ping tunnel (ptunnel): tunnels IP traffic over ping (ICMP) packets.
- DNS tunnel (ozymandns): tunnels IP traffic over DNS packets. Very slow!