Securely Access Internal Services Using SSH Tunnel with VPN & Bastion Host

Core Concepts and Architecture

1. Role of Bastion Host

Unified entry : All external access must go through the bastion host, preventing direct exposure of internal resources.

Access control : Limits access based on user identity and role.

Operation audit : Records all actions for replay and keyword search.

Security protection : Defends against brute‑force attacks, MITM, etc.

2. Role of SSH Tunnel

Encrypted communication : Uses SSH to encrypt data.

Port forwarding : Enables penetration of internal services such as databases or web services.

Dynamic proxy : Creates a SOCKS proxy to encrypt browser traffic.

3. Collaboration with VPN

Complementarity : VPN provides network‑layer encryption for large‑scale access; SSH tunnel offers application‑layer encryption for specific services.

Priority : If VPN already connects to the internal network, no extra tunnel is needed; otherwise SSH tunnel can supplement access.

SSH Tunnel Core Concepts

SSH Tunnel establishes an encrypted channel via the SSH protocol, allowing any TCP traffic to be forwarded through the SSH connection.

Three main types :

Local Port Forwarding : Forward local port to a target host.

ssh -L local_port:target_host:target_port user@ssh_server

Remote Port Forwarding : Forward remote SSH server port to a local host.

ssh -R remote_port:local_host:local_port user@ssh_server

Dynamic Port Forwarding : Create a SOCKS proxy.

ssh -D local_port user@ssh_server

Key Advantages

Data encryption and authentication : Uses symmetric (AES) and asymmetric (RSA) encryption with password or key authentication.

Bypassing network restrictions : Acts as a jump host to expose internal services to the public network.

Flexible scenarios : Remote work, secure proxy, development testing, network penetration.

Typical Use Cases

1. Access internal database (MySQL/PostgreSQL)

Scenario: Developers need to query internal databases.

Implementation: Use bastion host to create an SSH tunnel with local port forwarding.

ssh -L 3306:internal_db_ip:3306 user@bastion_ip

Connect locally to

localhost:3306

to reach the internal database.

2. Remote desktop penetration (RDP/VNC)

Scenario: Operations staff need remote access to internal Windows servers.

Implementation: Remote port forwarding via bastion host.

ssh -R 33333:internal_windows_ip:3389 user@bastion_ip

External users connect to

bastion_ip:33333

with an RDP client.

3. Secure proxy and privacy protection

Scenario: Employees on public Wi‑Fi need encrypted access to corporate resources.

Implementation: Dynamic SSH tunnel (SOCKS proxy).

ssh -D 1080 user@bastion_ip

Configure browser proxy to

socks5://localhost:1080

.

Configuration Steps

1. Establish SSH tunnel via bastion host

Step 1: Log in to bastion host

ssh user@bastion_ip

Step 2: Configure local port forwarding

ssh -L local_port:internal_target_ip:internal_target_port user@bastion_ip

Step 3: Configure remote port forwarding

ssh -R bastion_port:internal_target_ip:internal_target_port user@bastion_ip

Step 4: Configure dynamic port forwarding (SOCKS)

ssh -D 1080 user@bastion_ip

2. Using ZOC Terminal

Step 1: Create SSH session

Open ZOC, click “New Session”, select SSH, enter bastion IP, port, username, and authentication method.

Step 2: Set up port forwarding

Local forwarding: enable “Tunneling → Local Port Forwarding” and specify “Local Port” and “Destination Host:Port”.

Remote forwarding: enable “Tunneling → Remote Port Forwarding” and set “Remote Port” and “Local Host:Port”.

Dynamic forwarding: enable “Tunneling → Dynamic port forwarding” and set “Local port”.

Step 3: Save and connect

Save the session and click “Connect”, then verify the tunnel works.

Precautions and Best Practices

1. Security configuration

Disable unnecessary port forwarding in

/etc/ssh/sshd_config

with

AllowTcpForwarding no

and enable only for specific users.

Enforce key‑based authentication and regularly rotate keys.

2. Bastion host audit and monitoring

Command audit to record all SSH tunnel operations.

Traffic monitoring with tools like ELK Stack and set alert thresholds.

3. Network policy optimization

Least‑privilege access, IP whitelisting, and session timeout settings.

4. Troubleshooting

Check logs (

/var/log/secure

or

/var/log/auth.log

) for connection failures.

Ensure no port conflicts and verify each hop in multi‑hop scenarios.

Conclusion

In enterprise networks with VPN and bastion host, SSH Tunnel provides a flexible and secure way to access internal resources, especially for temporary penetration or encrypting specific services. Proper configuration of local/remote forwarding, dynamic proxy, and multi‑hop access ensures efficient and safe internal resource access, especially when combined with tools like ZOC Terminal.