Using qbee as a relay for other devices (ssh port forwarding)

A general problem for industrial IoT applications is that some parameters need to be configured or they contain interesting information but the device they are running on is shielded from external access through firewalls. Often that makes sense as they operate an open web server on port 80 (http) or they have a low security web application setup with only basic login and authentification or none at all. Therefore these devices are isolated from the outside. But there is a technique called ssh port forwarding that in conjunction with qbee-connect and the qbee VPN will allow to relay data from the other devices as well.

What is ssh port forwarding?

SSH port forwarding is a mechanism in qbee for tunneling application ports from the remote machine to a localhost port on your local machine running qbee-connect. So a secure or non-secure port (80 or 443) can be tunneled through the secure VPN. Then on the local machine ssh is used to make it accessible. Please see how a system diagram looks in the drawing below.

qbee-diagram-remote-web-server-proxy

In this example we have a device in a remote location that for example runs an HVAC application on port 1880. In the same network a device running qbee is used for something else. Now the qbee device can be used to relay the port 1880 through ssh port forwarding to a laptop being anywhere in the world. So how does this work?

First we need to start qbee-connect on our machine and connect port 22 of the qbee device in the remote network. This gives the mapped port number for ssh. Now we can use the VPN tunnel to ssh into the remote network and tunnel through the firewall:

qbee-connect-ssh

Establishing the ssh port forwarding

The following information is needed:

  • the mapped port for qbee (received from the qbee-connect tool): 54580
  • the ip address of the device that we want to connect to: 192.168.100.22
  • the port number of the application that is running: 1880
  • the user that has ssh access on the qbee device: in this case user "pi"
  • the port we want to connect the other device to: 8080

This allows to construct the command that maps the HVAC application on the device to port 8080 on localhost:

ssh -p 54580 -L 8080:192.168.100.22:1880 pi@localhost
When this is established the web application from the local device 192.168.100.22:1880 is now available on the local machine running qbee-connect. This machine can be anywhere in the world. The mapped web application will appear on localhost:8080 as specified above:

qbee-ssh-port-mapping-8080

This can be done with any application on one or many devices. A simple example could be accessing a wifi router in a home network through a qbee device.

In order to work the web application needs to use relative URLs

This concept works as long as the web application has relative URLs. This is the most common way to implement it, but for debugging this can be helpful information. SSH port forwarding only works with relative URLs.

Some additional thoughts around this concept: If possible the device from which the web application is originating should be as secure as possible. Obviously it needs to have the port 1880 exposed, otherwise the qbee device will not be able to connect to it. But it is recommended to set the firewall such that only the source IP of the relay device can access the device. In this case it is 192.168.100.25. If this was a qbee device (which does not make sense because then you could access this directly through its own VPN) a simple firewall rule like this would make it much more secure:

qbee-firewall-exception