SSH port forwarding with qbee VPN
SSH Port Forwarding: An essential technology for IT and IoT
This guide explains how qbee acts as a gateway on Linux-based embedded systems for remote access through ssh port forwarding. Using qbee, you can redirect port connections, including HTTP and HTTPS, straight to your local desktop, even across restrictive firewalls and over the public internet.
For professionals working with servers or closed edge devices, like specific SCADA configurations, this becomes indispensable. Remote maintenance, configuration adjustments, and direct device access can often become constrained due to network limitations. The solution lies in leveraging the ssh port forwarding technique integrated within qbee.
This tutorial has the following parts:
- What is ssh port forwarding?
- SSH Port forwarding completely within qbee-connect
- SSH tunnel with qbee-connect and the terminal
- Some more comments
What is ssh port forwarding?
SSH port forwarding, sometimes also called an SSH tunnel, is a technique that maps a port on a remote device to a port on your local machine. A common problem in industrial IoT is that a device holds parameters that need to be configured, or information worth reading, but the device is shielded from external access by firewalls. That is often sensible: such devices run an open web server on port 80 (http), or a low-security web application with only basic login and authentication, or none at all, so they are deliberately isolated from the outside. With ssh port forwarding, used together with qbee-connect and the qbee VPN, data from those other devices can be relayed as well. The device running qbee then acts as a secure remote gateway and provides all the VPN functionality out of the box. If you want to do the same with UDP, please follow the udp port forwarding example.
What is ssh port forwarding?
This is a mechanism for tunneling an application port on the remote machine to a localhost port on your local machine running qbee-connect. A secure or non-secure port (80, 443 or any other) is carried through the secure VPN, and on the local machine receiving the forward it is exposed again on localhost in a secure way. The system diagram in the drawing below shows the setup.
In this ssh tunnel example we have a device in a remote location that, for example, runs an HVAC application on port 1880. In the same network a device running qbee is used for something else. The qbee device can now relay port 1880 through ssh port forwarding to a laptop anywhere in the world. So how does this work?
SSH Port forwarding completely within qbee-connect
The qbee-connect tool has been upgraded with a new advanced function: it can now reach other devices in the remote local network through a built-in feature exposed in the UI. A prerequisite is that you have distributed the public ssh key of your local computer to the remote gateway (in our case RPI8). How to do this with qbee is described here, and here you learn how to create keys on different platforms with ssh-keygen.
Then you can start qbee-connect and connect to your qbee gateway device on port 22 to allow ssh port forwarding. In our example we will use the device RPI8 to access Node-RED on port 1880 in the same remote network on a device called RPI1.
Please make sure that your target device is accessible on that port. In our case device RPI1 needs a firewall configuration that allows device RPI8 to reach it on 1880. Again, we strongly recommend closing all ports on all devices; we have done that for our complete remote test fleet.
Now we can use qbee-connect to create the SSH tunnel. Connect to RPI8 on port 22 and open the advanced settings menu. Here we define which target IP we want to access in the remote network and for which port we want to create the ssh tunnel. In our case this is 1880 for Node-RED, and we map it to 8080 on localhost. It is important to use the private ssh key matching the public key that was delivered to RPI8 previously for that specific user. If everything is set up correctly, we can now access the Node-RED running on RPI1 on port 1880 in the remote network from our local browser on localhost:8080.
What is the impact of this?
Having one qbee-enabled device in the remote network allows access to other SCADA applications or controllers, assuming they expose a service on an open port. This function is little known but is a standard property of ssh called ssh port forwarding or ssh tunneling. We use it to give our customers access to remote legacy devices. But please be aware that any TCP/IP-enabled device with a microcontroller can do this. Even your smart lightbulb could access your NAS or reconfigure your router if no additional care is taken in terms of device firewalls or strong passwords for the services.
Below you find a short video of this:
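The paragraph above warns that a single forwarding-capable device exposes every open port in its network. As an added example, not part of qbee or of the original page, the shell script below renders the two controls a defender would pair with this setup, using the tutorial's own names: an sshd_config fragment for the gateway RPI8 that lets only user pi forward, and only to 192.168.100.22:1880 (PermitOpen), plus an nftables rule for RPI1 that accepts port 1880 only from the gateway. The gateway LAN address 192.168.100.8 is a constructed placeholder (the page does not state it), and the function names are mine. The audit function reads an sshd_config on stdin and flags forwarding that is enabled without a PermitOpen restriction, so it can be run against a real gateway's configuration as well.

```shell
#!/bin/sh
# Added example (not qbee's own tooling): restrict what an ssh port forward
# through the gateway can reach, and audit an sshd_config for open forwarding.

GATEWAY_IP=192.168.100.8     # constructed placeholder: LAN address of RPI8
TARGET_IP=192.168.100.22     # from the tutorial: RPI1 running Node-RED
TARGET_PORT=1880

# Print an sshd_config(5) fragment for the gateway.
# AllowTcpForwarding=local allows -L forwards but not -R or -D,
# and PermitOpen pins the only destination the forward may reach.
render_sshd_policy() {
    user=$1; dest_ip=$2; dest_port=$3
    cat <<EOF
# Default for everyone: no forwarding at all
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no

# Only user ${user} may forward, and only to ${dest_ip}:${dest_port}
Match User ${user}
    AllowTcpForwarding local
    PermitOpen ${dest_ip}:${dest_port}
EOF
}

# Print an nft(8) script for the target device: accept the application
# port only from the gateway and drop it for every other LAN host.
render_nft_policy() {
    gw=$1; port=$2
    cat <<EOF
table inet nodered_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport ${port} ip saddr ${gw} accept
        tcp dport ${port} drop
    }
}
EOF
}

# Audit an sshd_config read from stdin. Prints one FAIL line per finding
# and returns 1 if anything was found, 0 if the config is restrictive.
audit_sshd_config() {
    findings=$(awk '
        function flush() {
            if (inmatch && fwd != "no" && !po)
                print "FAIL " name ": forwarding allowed without PermitOpen"
            inmatch = 0
        }
        BEGIN { global = "yes" }   # sshd default when the option is absent
        { key = tolower($1) }
        key == "match" { flush(); inmatch = 1; name = $0; fwd = global; po = 0; next }
        key == "allowtcpforwarding" { if (inmatch) fwd = tolower($2); else global = tolower($2) }
        key == "permitopen" { if (inmatch) po = 1 }
        END {
            flush()
            if (global != "no")
                print "FAIL global AllowTcpForwarding=" global " (applies to every user)"
        }
    ')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: render both policies for the tutorial's devices and self-audit.
if [ "${POLICY_RUN:-0}" = 1 ]; then
    render_sshd_policy pi "$TARGET_IP" "$TARGET_PORT" | tee /tmp/sshd_forwarding.conf | audit_sshd_config \
        && echo "gateway policy OK" || echo "gateway policy too open"
    render_nft_policy "$GATEWAY_IP" "$TARGET_PORT"
fi
```

The sshd fragment belongs on the gateway (for example as a file under /etc/ssh/sshd_config.d/ on distributions that include that directory), and the nft script on the target device; the audit is useful on its own to check an existing gateway, since sshd's default AllowTcpForwarding is yes for every user.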
SSH tunnel with qbee-connect and the terminal
Since ssh tunneling is a built-in function of the ssh tool, we can of course also do this from the command line. Start qbee-connect on your local machine and connect to port 22 of the qbee device in the remote network. This gives the mapped port number for ssh. Now we can use the VPN tunnel to ssh into the remote network through the qbee gateway and tunnel through the firewall:
Establishing the ssh port forwarding
The following information is needed:
- the mapped port for qbee (received from the qbee-connect tool): 54580
- the ip address of the device that we want to connect to: 192.168.100.22
- the port number of the application that is running: 1880
- the user that has ssh access on the qbee device: in this case user pi
- the local port we want to map the other device to: 8080
This allows us to construct the command that maps the HVAC application on the device to port 8080 on localhost:
ssh -p 54580 -L 8080:192.168.100.22:1880 pi@localhost
192.168.100.22:1880 is now available on the local machine running qbee-connect through the SSH tunnel. This machine can be anywhere in the world. The mapped web application will appear on localhost:8080 as specified above:
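As an added example, not qbee's tooling and not from the original page, the following POSIX shell script builds the same ssh -L command from the five values listed above, validates them before anything is started, and waits for the local listener on 8080 before announcing the tunnel. The function names (valid_port, valid_ipv4, build_tunnel_cmd, wait_for_listener) and the TUNNEL_RUN guard are mine; the added ssh options -N, ExitOnForwardFailure and ServerAliveInterval are standard OpenSSH client options, and ss(8) from iproute2 is assumed to be available for the listener check.

```shell
#!/bin/sh
# Added example (not qbee's own tooling): build and supervise the local port
# forward from the tutorial. Values: mapped ssh port 54580 (assigned by
# qbee-connect), gateway user pi, target 192.168.100.22:1880 (Node-RED on
# RPI1), local port 8080.

# Return 0 if $1 is a TCP port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    return 0
}

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ssh command line for the tunnel.
# Arguments: mapped_port target_ip target_port user local_port
#   -N                          no remote shell, the session only carries the forward
#   -o ExitOnForwardFailure=yes fail loudly if the local port is already taken
#   -o ServerAliveInterval=30   notice a dead VPN path instead of hanging forever
build_tunnel_cmd() {
    mapped=$1; ip=$2; rport=$3; user=$4; lport=$5
    valid_port "$mapped" && valid_port "$rport" && valid_port "$lport" || return 1
    valid_ipv4 "$ip" || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -p %s -L %s:%s:%s %s@localhost\n' \
        "$mapped" "$lport" "$ip" "$rport" "$user"
}

# Wait up to $2 seconds (default 10) for a listener on local TCP port $1.
# Returns 1 on timeout or if ss(8) is not installed.
wait_for_listener() {
    port=$1; tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        if ss -Hltn "sport = :$port" 2>/dev/null | grep -q .; then
            return 0
        fi
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Usage: run with TUNNEL_RUN=1 so that sourcing the file does not start ssh.
if [ "${TUNNEL_RUN:-0}" = 1 ]; then
    cmd=$(build_tunnel_cmd 54580 192.168.100.22 1880 pi 8080) \
        || { echo "invalid tunnel parameters" >&2; exit 1; }
    echo "starting: $cmd"
    $cmd &
    ssh_pid=$!
    if wait_for_listener 8080 15; then
        echo "tunnel up: http://localhost:8080 -> 192.168.100.22:1880"
    else
        echo "tunnel did not come up" >&2
        kill "$ssh_pid"
        exit 1
    fi
    wait "$ssh_pid"
fi
```

The ssh private key is still selected the usual way (the default identity or an IdentityFile entry in ~/.ssh/config); the script only adds what the bare command above lacks, namely input validation, no interactive shell on the gateway, and a clear failure when 8080 is already in use locally.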
Some more comments
This can be done with any application on one or many devices. A simple example would be accessing a Wi-Fi router in a home network through a qbee device. It is therefore of utmost importance to secure each device in your network if you don't want ssh port forwarding to be able to reach it.
In order to work the web application needs to use relative URLs
This concept works as long as the web application uses relative URLs. That is the most common way to implement a web application, but it is helpful information when debugging: a relative link stays on localhost:8080 and travels through the tunnel, whereas a link built from the device's own address or hostname sends the browser to an address that is not reachable from your local machine. SSH port forwarding therefore only works with relative URLs.