
Remote Windows (SMB) Sharing over Secure, Encrypted SSH

October 10th, 2011 Posted in Networking, Security

Here’s a blast from the past. For years I’ve kept an engineering notebook. Simply because after about a decade of playmaking, everything started to blur. Who, what, how and when started to just get hard to track. (And I still haven’t written down everything unfortunately — which really is just a tad irritating when I have to reclimb a mountain once already conquered… :-))

So from time to time, I may reach back and post something of interest, esp. if I’ve had a hard time finding the solution anywhere else. (There’s a million things I’ve done that everyone else has done. You don’t need this blog for that. Click here to find those. :-))

So, once upon a time — I’ll not state the time, place or occasion — I wanted to connect to my Windows shares at home from a remote location inside of a firewall. Now, everyone knows SMB and Windows file sharing in general is notoriously insecure. How to do this without exposing myself and the network I was on? Enter the old trusty companion, SSH. Here’s how we do it, picking up from a post several years ago:

Original Posting

It’s not too hard to run a remote LAN connection over an SSH tunnel on Windows.  Assuming the SSH tunneling aspect of this is already in place (via Cygwin, PuTTY or something else), here’s what we need to do:

Install the Microsoft Loopback Network Adapter

  • Start Menu -> Programs -> Settings -> Control Panel -> Add or Remove Programs.
  • Next
  • Wizard searches for new hardware — let it.  (It would be nice if MS let us skip this.)
  • “Yes, I have already connected the hardware.”
  • Next
  • Go to bottom of the list and select “Add a new hardware device.”
  • Next
  • “Install the hardware that I manually select from a list (Advanced)”
  • “Network Adapters”
  • Next
  • Manufacturer: Microsoft, Network Adapter: Microsoft Loopback Adapter
  • Rename in Networking to something like “Home LAN Connection over SSH” etc.

Loopback Adapter Settings

  • Make sure only “Client for Microsoft Networks” and “Internet Protocol (TCP/IP)” are checked off.  Turn off “File and Printer Sharing.”
  • For the “Internet Protocol” settings, make up any IP you’d like, so long as it’s not in the same IP class as your main network connection.  Generally, it’s good to pick something in the private Class C space and a “gateway address” such as 192.168.42.1.  Just make sure it’s unique from anything else on your network or on the remote network, because it should be viewed as a gateway address.
  • Don’t enter any DNS addresses.  Leave blank.  (You don’t need them.)
  • Under “Advanced” turn OFF the “Automatic Metric” and use “9999” as the metric.  (I don’t know why this is important — I haven’t looked into it.)
  • Under “Advanced” and the “WINS” tab, turn OFF “Enable LMHOSTS lookup” — don’t need it (and it’s “chatty”).  And disable NetBIOS over TCP/IP.

Now your networking is set.  Next, we just need to port forward ports 137 and 139 for this adapter over the SSH tunnel to the destination we want on the remote side:

SSH Tunnel Port Forwarding Settings

In your SSH config file…

Example:

Host mywin
   Hostname me.homeip.net
   LocalForward  192.168.42.1:137 192.168.0.2:137
   LocalForward  192.168.42.1:139 192.168.0.2:139

Now ssh over to your destination: ssh mywin. Bingo.  Now we can map Windows drives to the remote machine on the other side as if they were local, all over an encrypted SSH tunnel.

net use X: \\192.168.42.1\myshare /user:remoteuser
net use Y: \\192.168.42.1\home /user:remoteuser

I believe once a username has been used with these once, the settings for the share will be placed in the Windows registry and it becomes even more transparent; no /user required.

Additional Notes Added

  • Just make sure your SSH isn’t running in gateway mode, or there could be an exposure here, of course. :-) :-(
  • I never said this would be the speediest thing, but it’s certainly convenient and fast enough if going LAN to LAN over the internet.
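As an added check (my own example, not code from the post), here is a small Python audit of an SSH config like the one above against the gateway-mode note: it parses the LocalForward lines and reports any that are not bound to the loopback adapter’s 192.168.42.1, plus any GatewayPorts setting that would expose them to the network the client sits on. The config embedded in it is constructed, with a second “risky” host added for contrast.

```python
# Added audit for the SMB-over-SSH setup in this post: flag LocalForward entries not bound
# to the loopback-adapter IP, and any GatewayPorts other than 'no' (the "gateway mode" the
# post warns about). SAMPLE_CONFIG is constructed: the post's 'mywin' plus a bad 'risky' host.
import re

SAMPLE_CONFIG = """\
Host mywin
   Hostname me.homeip.net
   LocalForward  192.168.42.1:137 192.168.0.2:137
   LocalForward  192.168.42.1:139 192.168.0.2:139

Host risky
   GatewayPorts yes
   LocalForward  139 192.168.0.2:139
   LocalForward  *:445 192.168.0.2:445
"""
WILDCARD_BINDS = {"", "*", "0.0.0.0", "::"}  # any of these listens on every interface

def parse_hosts(text):
    """Map each Host block to its GatewayPorts value and its LocalForward tuples."""
    hosts, current = {}, {"gatewayports": "no", "forwards": []}  # pre-Host directives land here
    for raw in text.splitlines():
        line = raw.strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # ssh_config allows 'Key Value' or 'Key=Value'
        if not line or line.startswith("#") or len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = hosts.setdefault(value, {"gatewayports": "no", "forwards": []})
        elif key == "gatewayports":
            current["gatewayports"] = value.lower()
        elif key == "localforward":
            listen, target = value.split(None, 1)
            bind, _, lport = listen.rpartition(":")  # bare '139' -> bind '' (all interfaces)
            rhost, _, rport = target.strip().rpartition(":")
            current["forwards"].append((bind, int(lport), rhost, int(rport)))
    return hosts

def audit(text, loopback_ip):
    """Return (host, problem) findings; an empty list means every forward is bound as intended."""
    findings = []
    for name, cfg in parse_hosts(text).items():
        if cfg["gatewayports"] != "no":
            findings.append((name, "GatewayPorts enabled: forwarded ports reachable from the LAN"))
        for bind, lport, _rhost, _rport in cfg["forwards"]:
            if bind in WILDCARD_BINDS:
                findings.append((name, f"LocalForward {lport} listens on all interfaces, not {loopback_ip}"))
            elif bind != loopback_ip:
                findings.append((name, f"LocalForward {lport} binds {bind}, not the loopback adapter"))
    return findings
```

Note that ssh forwards TCP only, so the 137 entry does not carry NetBIOS name-service traffic (which is UDP); that is why the post maps shares by IP address rather than by name.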
