SSH port forwarding with qbee VPN
How to access other devices in a remote network with ssh port forwarding?
This tutorial shows how it is possible to use qbee as a gateway on any embedded Linux device to remotely access other devices in that network. Through qbee other connections over any port (such as http or https) can be routed to your local desktop. This works across firewalls and the internet. This is very handy if you have closed edge devices such as some SCADA systems in your remote network but you want to be able to do remote maintenance or generally access and configure these devices. The technique used for this is ssh port forwarding.
This tutorial has three parts:
- What is this?
- Port forwarding completely within qbee-connect
- Port forwarding with qbee-connect and the terminal
- Some more comments
What is ssh port forwarding?
A general problem for industrial IoT applications is that some parameters need to be configured, or the device holds interesting information, but the device they are running on is shielded from external access through firewalls. Often that makes sense, because such devices operate an open web server on port 80 (http) or run a low-security web application with only basic login and authentication, or none at all. Therefore these devices are isolated from the outside. But there is a technique called ssh port forwarding that, in conjunction with qbee-connect and the qbee VPN, allows relaying data from these other devices as well. In this case the device running qbee acts as a secure remote gateway that takes care of all VPN functionality out of the box. If you want to do this with UDP, please follow the udp port forwarding example.
This is a mechanism for tunneling application ports from the remote machine to a localhost port on your local machine running qbee-connect. So an unencrypted or encrypted service port (80 or 443) can be tunneled through the secure VPN. Then, on the local machine, ssh is used to make it accessible. Please see how a system diagram looks in the drawing below.
In this example we have a device in a remote location that, for example, runs an HVAC application on port 1880. In the same network a device running qbee is used for something else. Now the qbee device can be used to relay port 1880 through ssh port forwarding to a laptop anywhere in the world. So how does this work?
Port forwarding completely within qbee-connect
The qbee-connect tool has been upgraded with new advanced functionality. It can now access other devices in a local network through a built-in function that is exposed in the UI. A prerequisite is that you have distributed the public ssh key from your local computer to the remote gateway (in our case RPI8). How to do this with qbee is described here.
Then you can start qbee-connect and connect your qbee gateway device on port 22 to allow port forwarding. In our example we will use the device RPI8 to access Node-RED on port 1880 in the same remote network on a device called RPI1.
Please make sure that your target device is accessible on that port. In our case device RPI1 needs to receive a firewall configuration that allows device RPI8 to access it on 1880. Again, we strongly recommend closing all ports on all devices, and we have done that for our complete remote test fleet.
Now we can use qbee-connect, connect to RPI8 on port 22 and open the advanced settings menu. Here we need to define which target IP we want to access in the remote network and on which port. In our case this is 1880 for Node-RED, and we map that to 8080 on localhost. It is important to use the private ssh key matching the public key that was delivered to RPI8 previously for that specific user. If everything is set up correctly, we can now access the Node-RED running on RPI1 on port 1880 in the remote network in our local browser on
What is the impact of this?
Having one qbee-enabled device in the remote network allows access to other SCADA applications or controllers, assuming that they expose a service on an open port. This function is little known but is a standard property of ssh. We use it to give our customers access to remote legacy devices. But please be aware that any TCP/IP-enabled device with a microcontroller can do this. Even your smart lightbulb could access your NAS or reconfigure your router if no additional care is taken in terms of device firewalls or strong passwords for the services.
Below you find a short video of this:
Port forwarding with qbee-connect and the terminal
Since ssh port forwarding is a built-in function of ssh, we can of course also do this through the command line. Just start qbee-connect on your local machine and connect to port 22 of the qbee device in the remote network. This gives the mapped port number for ssh. Now we can use the VPN tunnel to ssh into the remote network through the qbee gateway and tunnel through the firewall:
Establishing the ssh port forwarding
The following information is needed:
- the mapped port for qbee (received from the qbee-connect tool):
- the ip address of the device that we want to connect to:
- the port number of the application that is running:
- the user that has ssh access on the qbee device: in this case user
- the port we want to connect the other device to:
This allows us to construct the command that maps the HVAC application on the device to port 8080 on
ssh -p 54580 -L 8080:192.168.100.22:1880 pi@localhost
192.168.100.22:1880 is now available on the local machine running qbee-connect. This machine can be anywhere in the world. The mapped web application will appear on localhost:8080 as specified above:
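To make the data path of the -L forward tangible, here is an added example that is not part of the qbee tutorial or of qbee's own tooling: a small Python TCP relay that does, on loopback, what the ssh client and the gateway do together for `-L 8080:192.168.100.22:1880`. It parses the forward specification, assembles the ssh command from the values listed above, and then runs a throwaway relay in front of a constructed stand-in for the remote service (an echo server taking the place of Node-RED on 1880). The loopback addresses, the echo server and the payload are assumptions made for the example; the relay is a simplified model, not the ssh implementation.

```python
"""Added example: a loopback model of `ssh -L LOCAL:HOST:PORT` (not qbee's code)."""
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardSpec:
    local_port: int
    target_host: str
    target_port: int


def parse_forward_spec(spec: str) -> ForwardSpec:
    """Parse the -L argument form LOCAL_PORT:TARGET_HOST:TARGET_PORT (hostname or IPv4)."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected LOCAL_PORT:HOST:PORT, got {spec!r}")
    local_port, host, target_port = int(parts[0]), parts[1], int(parts[2])
    for port in (local_port, target_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if not host:
        raise ValueError("empty target host")
    return ForwardSpec(local_port, host, target_port)


def build_ssh_command(mapped_port: int, user: str, spec: ForwardSpec) -> list:
    """Assemble the ssh argv from the values the tutorial lists (the mapped qbee port, user, -L spec)."""
    forward = f"{spec.local_port}:{spec.target_host}:{spec.target_port}"
    return ["ssh", "-p", str(mapped_port), "-L", forward, f"{user}@localhost"]


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """Listens on 127.0.0.1:<local_port> and relays each client connection to the target,
    the way the ssh client (listener) and the gateway (outbound connection) do for -L."""

    def __init__(self, spec: ForwardSpec):
        self.spec = spec
        self.outbound_addrs = []  # addresses the target sees: the relay's, never the client's
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", spec.local_port))
        self.listener.listen()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed
            upstream = socket.create_connection((self.spec.target_host, self.spec.target_port))
            self.outbound_addrs.append(upstream.getsockname())
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self.listener.close()


class EchoTarget:
    """Constructed stand-in for the service on the remote device; records who connected."""

    def __init__(self):
        self.seen_peers = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port instead of 1880 for the demo
        self.sock.listen()
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return
            self.seen_peers.append(peer)
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()  # echo back

    def close(self) -> None:
        self.sock.close()


def _free_port() -> int:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(payload: bytes = b"hello through the tunnel") -> dict:
    """Send a payload through the relay and report which addresses each side observed."""
    target = EchoTarget()
    spec = parse_forward_spec(f"{_free_port()}:127.0.0.1:{target.port}")
    fwd = LocalForward(spec)
    try:
        with socket.create_connection(("127.0.0.1", spec.local_port)) as client:
            client_addr = client.getsockname()
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)
            reply = b""
            while chunk := client.recv(4096):
                reply += chunk
    finally:
        fwd.close()
        target.close()
    return {"reply": reply, "client_addr": client_addr,
            "relay_addr": fwd.outbound_addrs[0], "target_saw": target.seen_peers[0]}


if __name__ == "__main__":
    print(build_ssh_command(54580, "pi", parse_forward_spec("8080:192.168.100.22:1880")))
    print(demo())
```

Running `demo()` shows the property that matters for the firewall advice later on the page: the target never sees the laptop's address, only the relay's outbound socket (`target_saw == relay_addr`), which is why the target device's firewall can admit the application port from the gateway's IP alone.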
Some more comments
This can be done with any application on one or many devices. A simple example could be accessing a wifi router in a home network through a qbee device.
In order to work the web application needs to use relative URLs
This concept works as long as the web application uses relative URLs. That is the most common way to implement a web application, but if the forwarded page loads or links incorrectly, this is helpful information for debugging: a web application accessed through the forwarded port only works if it uses relative URLs.
Some additional thoughts around this concept: if possible, the device from which the web application originates should be as secure as possible. Obviously it needs to have port 1880 exposed, otherwise the qbee device will not be able to connect to it. But it is recommended to set the firewall such that only the source IP of the relay device can access the device. In this case it is
If this were a qbee device (which does not make sense, because then you could access it directly through its own VPN), a simple firewall rule like this would make it much more secure: