How to enable SSH Tunneling on QNAP NAS

I have a QNAP TS-109 II Network Attached Storage (NAS) device which I use for data storage, as a download station, as a torrent client and so on. This NAS is a Linux box, so I thought about using it for one more application in addition to those mentioned above: as an SSH tunneling box for encrypting traffic when I’m away from home (on an unsecured wi-fi hot spot, for example).

Since the NAS is already running an SSH daemon, you can enable it to work as an SSH tunneling server. Basically, you can use PuTTY (an SSH client) to create an SSH tunnel with the NAS using local port forwarding. PuTTY creates a local port on your PC (e.g. 9999) which listens for connections and sends all traffic destined for this local port over to the remote NAS SSH server. This traffic is sent over the encrypted SSH tunnel between your PC and the remote NAS. At the NAS end, the traffic exits the NAS towards the Internet (TCP forwarding must be enabled on the NAS).

With that setup you essentially create a secure encrypted tunnel that can be used to access the Internet securely when you are connected to a public wi-fi hot spot or even in a hotel room.

First, we need to make some changes to the sshd configuration of the NAS. Open a CLI connection to the NAS (using telnet or ssh) and edit (using vi) the sshd_config file located under the /etc/ssh/ path. You need to change the following settings in sshd_config:

  • Uncomment the #AllowTcpForwarding no parameter (remove the # ) and change it to yes.
    AllowTcpForwarding yes
  • Uncomment the #PermitTunnel no parameter (remove the # ) and change it to yes.
    PermitTunnel yes

However, the changes above will not be permanent since the QNAP NAS device will change all configuration to default settings when rebooted. Therefore we need to somehow make the changes permanent. What we can do is the following:

  • Copy the modified sshd_config file into a shared location on the NAS.
  • Use the “autorun.sh” script to copy the modified sshd_config file from the shared location and overwrite the original sshd_config file located under /etc/ssh/.
  • Then restart the sshd daemon so that it picks up the new modified settings.

I have copied the modified sshd_config file under /share/HDA_DATA/.
Now, in order to create the autorun.sh file, do the following:
# mount -t ext2 /dev/mtdblock5 /tmp/config
# vi /tmp/config/autorun.sh

Get into vi editor and enter the following lines:
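#!/bin/sh
# Overwrite the default sshd_config with the saved copy, then kill sshd so it picks up the new settings
cp /share/HDA_DATA/sshd_config /etc/ssh/
killall sshd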

Save the file and make it executable.

# chmod +x /tmp/config/autorun.sh
# umount /tmp/config

That’s it for the NAS.
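
An alternative to overwriting the whole file, as an added example that is not from the original post: this autorun.sh body sets only the two directives in the stock sshd_config at boot, so a stale saved copy never replaces the rest of the configuration. The function names are hypothetical, and it assumes the NAS shell provides awk.

```shell
#!/bin/sh
# Added example: autorun.sh body that edits the stock sshd_config in place.
# set_directive, effective_value and enable_tunneling are hypothetical names.

# set_directive FILE KEY VALUE: make "KEY VALUE" the only global setting of KEY.
set_directive() {
    file=$1; key=$2; value=$3; tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        # Lines after the first Match keyword are conditional, so the global
        # directive has to be written before that point if it was not found.
        /^[ \t]*[Mm]atch[ \t]/ && !in_match {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            n = split(line, f, /[ \t=]+/)
            # "KEY value" or "#KEY value": replace the first, drop repeats.
            if (n == 2 && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"   # keeps the file's owner and mode
}

# effective_value FILE KEY: print the global value sshd reads (first active one).
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[Mm]atch[ \t]/ { exit }
        { split($0, f, /[ \t=]+/); i = (f[1] == "" ? 2 : 1) }
        tolower(f[i]) == tolower(key) { print tolower(f[i + 1]); exit }
    ' "$1"
}

# enable_tunneling [FILE]: apply the post's two settings and verify the result.
enable_tunneling() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_directive "$cfg" AllowTcpForwarding yes &&
        set_directive "$cfg" PermitTunnel yes &&
        [ "$(effective_value "$cfg" AllowTcpForwarding)" = yes ]
}

# In autorun.sh, follow the definitions with:  enable_tunneling && killall sshd
```

Because only the two keywords are rewritten, any Match blocks and every other setting in the file stay exactly as the firmware shipped them.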

Now, in order to create the SSH tunnel, we will use PuTTY as shown below:

Open up PuTTY and go to Tunnels. At Source Port, enter a desired local port that will be listening on your local PC (e.g. 8888). Select Dynamic and press Add.

As you can see above, port 8888 is created. This port will start listening on your local PC after you connect with SSH to the NAS.

Now go up to “Session” and enter the IP address of your NAS SSH server. The picture above shows a private IP address (192.168.10.111), but in real situations this should be the domain name or the public IP address of your NAS server. Click “Open” to log in to the NAS with your SSH username and password. When you log in, a secure SSH tunnel will be created between your PC and the remote NAS server.

If you need to encrypt all of your internet browsing traffic, you have to configure a SOCKS proxy on your browser with IP address 127.0.0.1 and port 8888.

Comments

  1. Alexey says

    First, thanks for a nice guide. The only thing is I can’t mount /dev/mtdblock5:

    [/etc/ssh] # mount -t ext2 /dev/mtdblock5 /tmp/config
    mount: /dev/mtdblock5 is not a valid block device

    I have QNAP 439 Pro. Do you have any idea how I can find the correct place for autoexec.sh? :)

    Thanks.

  2. BlogAdmin says

    Hello Alexey,

    Check under /dev/ directory to see if the name for the block device is different. It might not be exactly mtdblock5 but maybe something else. Do an “ls” under /dev/ and let me know.

  3. BlogAdmin says

    Jim,

    SSH is already installed on TS-101. Remember that it is a Linux box, so you have SSH preinstalled.

  4. Mavis says

    @ BlogAdmin: Yes, ssh is preinstalled, but it is a proprietary version which only allows admin to log in. The only way around this is with some hacks. The install of OpenSSH allows you to add users for remote login…you cannot currently do this using QNAP’s preinstalled ssh.

  5. pambosch10 says

    ok cool. I didn’t try it with a different user to be honest (just with admin). Thanks for your feedback.

    Harris

  6. sathishkannan says

    How to forward udp packets from tunnel to eth0 in the pc?
    Please help me to resolve this issue.

    Thanks
    Sathish

  7. sathishkannan says

    How to forward the packets from tunnel to eth1 in PC?

    please help me resolve this issue.

    Thanks
    sathish

  8. BlogAdmin says

    The application must be able to send the packets to localhost at the port you specified in the SSH tunneling. For example, the browser (application) is able to send the packets to localhost via its proxy feature.
