Vovoid Research team: Jonatan Wallmander & Johan Wilfer:
How to use SSH tunnels to make machines on the internet
(or in other LANs with an SSH server accessible from the internet)
part of the local network with samba and windows clients
1. Introduction
Can your friends' computers be part of your LAN even though they are far away
and there's a gaping internet in between?
Can your friends access your windows shares over the internet securely?
Yes!
This article provides a common solution to this problem and aims to give some in-depth
knowledge about SSH tunnels in general. It discusses this on OpenBSD with OpenSSH.
(This might work with some tweaking on other platforms as well - perhaps even OpenSSH running on your windows box).
2. The environment
We like windows as a workstation client. It's quite nice.
However, when it comes to anything that has to do with playing server and doing TCP/IP, windows support is terrible.
This might sound harsh, but windows lacks some basic functionality:
Windows can't map network drives on a port different than 139!
Guess they don't like people running samba...
3. The basic solution
This solution is OK if you need to tunnel only one machine. The brown server is considered
by the windows machine to be part of your LAN at the address of the green server.

To set this up do this on the OpenBSD machine in your LAN:
ssh -2 -q -f -N -g -L 139:127.0.0.1:139 user@fileserver.mycolocation.com
Then map network drive in windows:
\\192.168.0.200\fooshare
login: sambauser
password: koko123
It's as simple as that. This can be done with the default installation of SSH. It works perfectly if you
only need one SSH tunnel like in this example.
Details:
This is true: (curly braces {} are used to identify keywords)
[brown] is a host {fileserver.mycolocation.com} on the internet
[brown] {user} is your unix account on this box
[brown] samba is running inside this fileserver only listening internally on 127.0.0.1
(the SMB protocol as designed by microsoft is not suited for communication over the internet)
[brown] {fooshare} is the name of a samba share that you have access to on this box
[brown] {sambauser} is the name of your samba login (can be same as unix login, see samba docs)
[brown] {koko123} is your samba password
[green] this machine is on your LAN and has address {192.168.0.200}
[green] port 139 { 139:} is open for the LAN {-g}
[red] this is a windows box. only good for playing minesweeper and writing word documents.
your windows PC can connect to the green server on port 139 (-g does this)
thus, you can map this address in your windows server: \\192.168.0.200
4. The full solution

So, you want to add more computers to your LAN like this? Since the windows box can't connect to more than one port
per IP (139) - we declared windows to be a stupid OS - we need more IP addresses on the green UNIX machine. Right.
So I add more IP addresses to the OpenBSD machine by running ifconfig [interface] inet alias 192.168.0.x where x is the
new IP I want to add. (See the OpenBSD FAQ on openbsd.org, section 6.1.3)
Can you use the SSH client to tunnel different computers on the internet to different interfaces on the local green machine?
As of OpenSSH 3.6.1 the answer is no.
In the current situation you would have to get more physical servers.
The SSH client with the -g option listens on INADDR_ANY which is all defined interfaces and IP addresses.
So what we did was to hack around with the source for the SSH client and some of its include files to
add this feature.
It is a fairly simple hack. We just added an extra parameter, -G, in addition to -g. -G takes an IP or a hostname as
a parameter like so: -G 192.168.0.5
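Why a listener on INADDR_ANY rules out a second tunnel on the same port, and what binding to a single address changes, as an added C illustration (not code from the patch or from OpenSSH). The helper names listen_on and bound_to are hypothetical, and 127.0.0.1 stands in for an alias address such as 192.168.0.5.

```c
/* Added illustration, not OpenSSH or patch code; helper names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Listen on addr:port. NULL addr binds INADDR_ANY (what -g does); a dotted
 * quad binds that one address only (what -G adds). Port 0 lets the kernel
 * choose. Returns the listening fd, or -1 on failure. */
int listen_on(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int fd;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    if (addr != NULL && inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return -1;                       /* not an IPv4 address */
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fill sin with the address and port the kernel actually bound fd to. */
int bound_to(int fd, struct sockaddr_in *sin)
{
    socklen_t len = sizeof(*sin);
    return getsockname(fd, (struct sockaddr *)sin, &len);
}

int main(void)
{
    struct sockaddr_in sin;
    int any = listen_on(NULL, 0), one;   /* -g style: every address */
    if (any < 0 || bound_to(any, &sin) < 0) return 1;
    unsigned p = ntohs(sin.sin_port);
    printf("wildcard holds port %u; 127.0.0.1:%u is %s\n", p, p,
           listen_on("127.0.0.1", p) < 0 ? "refused" : "free");
    close(any);
    one = listen_on("127.0.0.1", p);     /* -G style: one address only */
    printf("after closing it, 127.0.0.1:%u is %s\n", p, one < 0 ? "refused" : "bound");
    return one < 0;
}
```

With two alias addresses configured, as 192.168.0.5 and 192.168.0.6 are here, listen_on can be called once per address with the same port and both calls succeed.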
Since section 3 we've added 2 IPs to the BSD box, 192.168.0.5 and 192.168.0.6. They will act as dummy IPs for the
windows machine(s) in the LAN. With 192.168.0.200 we put in samba and stored files locally for cooperative work.
After patching and compiling ssh the following can be used to create the above situation:
To set this up do this on the OpenBSD machine in your LAN:
ssh -2 -q -f -N -G 192.168.0.5 -L 139:127.0.0.1:139 user@fileserver.mycolocation.com
ssh -2 -q -f -N -G 192.168.0.6 -L 139:192.168.1.46:139 jaw@my-friends-ip.my-friends-isp.com
Then map network drive in windows:
\\192.168.0.5\fooshare
login: sambauser
password: koko123
\\192.168.0.6\funstuff
login: jaw_samba
password: [secret!]
To get this patchwork up and running do this:
tar xvfz openssh-3.6.1.tgz
cd ssh
ftp http://research.vovoid.com/smbssh/openssh_3.6.1_openbsd_local_tunnel_bind.patch
patch <openssh_3.6.1_openbsd_local_tunnel_bind.patch
make
cp ssh/ssh /usr/bin/ssh
That's what I did on our machine. You might need to do something else.
The patch
openssh-3.6.1 source (as found on OpenSSH.org)
openssh_3.6.1_openbsd_local_tunnel_bind.patch
This patch is only designed to work with OpenSSH 3.6.1!
Do not try to apply it directly on later versions without seeing what it does!
This patch is only for the OpenBSD version of OpenSSH!
We give no warranties or liabilities of any kind.