Local forwarding and aliasing
In addition to remote port forwarding, Sandhole also supports local port forwarding by default. This allows you to create SSH-based tunnels to connect to a service.
Given a remote service running as
ssh -R my.tunnel:3000:localhost:2000 sandhole.com -p 2222
Note that the server won't listen on port 3000; instead, you can establish a local forward to the port from your machine:
ssh -L 4000:my.tunnel:3000
Then you can access localhost:4000
, and all traffic will be redirected to port 2000 on the remote service. It's almost like a VPN!
Enforcing local forwarding
Local forwarding is always enabled for SSH hosts, and is conditionally enabled for TCP hosts that have a requested address different from localhost
.
To enable local forwarding for HTTP hosts, pass either the tcp-alias
or the allowed-fingerprints
command to the remote forwarding command as follows:
ssh -R my.tunnel:80:localhost:8080 sandhole.com -p 2222 tcp-alias
Restricting access to local forwardings
If you'd like to restrict which users can access your service, you can provide the allowed fingerprints as a comma-separated list at the end of the command, like so:
ssh -R my.tunnel:3000:localhost:2000 sandhole.com -p 2222 allowed-fingerprints=SHA256:GehKyA21BBK6eJCouziacUmqYDNl8BPMGG0CTtLSrbQ,SHA256:bwf4FDtNeZzFv8xHBzHJwRpDRxssCll8w2tCHFC9n1o
Disabling local forwarding
The administrator can disable all local forwardings with the --disable-aliasing
CLI flag.