•  Dynamic SSH Tunnel (~VPN)
•  Curl With SOCKS SSH Tunnel
•  SSH Using An Existing SSH Tunnel
•  SSH Tunnel MQTT Data Example

Dynamic SSH Tunnel (~VPN)

Dynamic SSH Tunneling Example

Imagine that you are currently located in Moscow and having to use an unsecure wifi connection (e.g. in a hotel lobby via your laptop computer) and you need to ensure that your internet connection to your bank’s website is secure. If you have a “bastian computer” (a secure computer that you trust e.g. a networked machine that you own somewhere in the world) then you can establish a secure connection via this bastian machine with ease. A “Dynamic SSH Tunnel” provides this functionality. For example, the following simple command would achieve this:

sudo ssh -D *:5555 –Nn

Note: The * means that it binds to all addresses.
I should mention that this assumes that you have already set up SSH Keys on both the Bastian Computer in Brazil and the computer (e.g. your laptop) in Moscow. RSA keys are easy to setup. If you haven’t already got RSA Keys setup for the two machines then you would have to type the following (which is less secure for many different reasons, the obvious one being that your so-called bastion box isn’t in fact secure and therefore probably not a bastion computer in the first place - the machine could be hacked with less effort potentially unless you are using a pretty elaborate password – SSH Keys are the way to go!!):

sudo ssh -D *:5555 Your_SSH_Username@ –Nn
...and then type in your password when prompted.

After doing the above you merely have to make a quick change to your web browser’s proxy settings. For example in FireFox you would change the settings to the following:

Dynamic SSH Tunneling SOCKS Example

Now all of your internet browsing data will be transmitted securely through the SSH Tunnel to/from Russia to/from Brazil i.e. encrypted.

Although not particularly useful, for test purposes you can easily observe/confirm data moving over your port 5555 via tcpdump:

sudo tcpdump -i any port 5555 -n –A -v

Curl With SOCKS SSH Tunnel

If you want to grab a webpage's HTML code via curl then type the following:

curl --proxy socks5h://localhost:5555 -k -u username:password

• The -k option prevents the verification of the SSL certificate (you may not want to do this unless you are using a self certified SSL certificate!).
• The optional -u username:password is for an Apache Server Authentication prompt. Just remove this if you don't need it!

SSH Using An Existing SSH Tunnel

SSH SOCKS Connection Example

I'm demonstrating this by using three Linux Machines here:

(1) Linux Box 1
(2) Linux Box 2
(3) Linux Box 3 1192.168.1.155 [on port 8080]

Terminal A - Linux Box 2 (

sudo ssh -D *:5555 root@ –Nn

Terminal B - Linux Box 2 (

ssh -o ProxyCommand='nc -X 5 -x %h %p' -p8080

Running the above ssh -o ProxyCommand='nc -X 5 -x %h %p' -p8080
means you SSH into the Linux Box 3 (on port 8080).

Now if you open another Terminal (C) on the Linux Box 2 (

sudo tcpdump -i any port 5555 -n –A

This Terminal (C) is now used for watching traffic move through port 5555...
On the Terminal (B) which has already SSHed into the Linux Box 3, start typing or press the return key whist watching Terminal (C). You will observe that data is being fired out as you press a key in the terminal. So the the data is going through port 5555 on (The Linux Box 2).

If you now for example reboot the Linux Box 1 (, the Terminal (B) which is SSHed into the Linux Box 3 via my SSH SOCKS Tunnel will drop (i.e. because you decided to sever the connection via rebooting). That is to say, the Tunnel breaks as you would fully expect...

SSH Tunnel MQTT Data Example

A remote machine with IP Address is running a Mosquitto Broker on port 1883 ( You have already setup RSA Keys on the Mosquitto broker machine and your local machine (laptop).

I wish to be able to see this MQTT data on my laptop via my laptops mosquitto broker while sitting in an internet cafe somewhere in the world... therefore I can setup an SSH Tunnel so that port 2883 on my local machine (my laptop in the internet cafe) receives said MQTT data from the remote machine ( which uses the default 1883 port for MQTT.

sudo ssh -L 2883: –N

Note that you can fork this into the background via using -f if you want (or add & to the end of the command).
-L => Local tunnel
2883 => Local port number on the laptop => The remote computers localhost ip address (i.e. perspective of the tunnel end point)
1883 => Mosquitto Broker's MQTT port on the remote machine
-N => Fore SSH not to run a command on the remote machine

On a terminal on the laptop type:

(1) mosquitto_sub -h -v -p 2883 -u MosquittoUsername -P MosquittoPassword -t '#'

In another terminal, SSH into the remote MQTT Machine (using RSA keys here):

sudo ssh

Get some live streaming MQTT data from the Mosquitto broker:

(2) mosquitto_sub -t '#' -v -u MosquittoUsername -P MosquittoPassword

Comparing the terminal outputs of (1) and (2) above, you will note that the local laptop Mosquitto broker using port 2883 (1) is identical to the remote machine Mosquitto output using port 1883 (2). In otherwords the MQTT data is being successfully tunneled over SSH.

And of course you can send MQTT data from your laptop via the SSH Tunnel to the remote MQTT Mosquitto Broker at

mosquitto_pub -h -p 2883 -t Tester -m "**** MESSAGE SENT FROM MY LAPTOP Via AN SSH TUNNEL ****" -u MosquittoUsername -P MosquittoPassword

Linux Examples - Comments