If you’re looking to communicate with a Linux device while in a different network, it can be difficult to do so without exposing your device on the public internet. This may put your data at risk – especially if you’re running your IoT device through the cloud

Thankfully, you can navigate around this by setting up an SSH tunnel. This is widely used in and outside of the IoT community. In fact, it’s used by the majority of Linux users. It’s generally considered easy, secure, and lightweight. However, you need to make the SSH port accessible from the internet making the device vulnerable to attacks on the TCP/IP kernel level but also require firewall adjustment which may be too hard for IoT device end-users to cope with. Is there an even better solution for IoT devices? We’re going to answer both of these questions right here. Let’s get into it.

What is SSH Tunneling?

So, “what is an SSH tunnel and how does it work?”

First off, let’s define SSH. This is a client-server-based architecture protocol that’s used for accessing Linux devices’ shells using TCP/IP communication, e.g. through the public Internet.

It uses a network port to create a connection session between the server – that listens on the chosen port – and the client – which sends an SSH request on that port. As a result, the client is able to access the server shell from a remote device.

SSH is very secure. It uses state-of-the-art cryptographic techniques as opposed to the legacy Telnet protocol which it today replaces (or should be replacing) With Telnet,  all communication happens in cleartext and should be avoided when possible. However, it’s still abundant in the field as it is simple and available in most systems.

So, what about SSH tunneling? Well, SSH tunneling allows you to use that established SSH connection to set up a new “clean TCP” connection from your local computer to the remote server.

The client’s SSH program listens on a local port on the client computer. . Then,  when a new connection is made to this port, the SSH program will forward the data communicated on this port to a connection made to a port on the server.

All of this is neatly encapsulated inside the existing SSH connection, which is why it’s called a tunnel (inside the SSH connection). This makes it possible to not only use SSH to create secure connections from a client to a server but also to “tunnel” other connections from the client to the server in a secure way.

Is There a Better Alternative to SSH Tunneling?

One downside to SSH is that the client and server need to be able to “see each other” on the internet. For example, a clear accessible route vai the public internet needs to be possible to establish involving either the server. What’s more, this has to be placed outside a firewall or a hole has to be made in the firewall via something called port-forwarding. And, even though SSH is very secure, this is probably not something you can count on the average IoT buyer being able to do.

So, despite the merits of SSH tunneling, is there a better alternative out there?

By this, we mean a method that’s simpler to deploy (no firewall adjustments), provides easier access control but with the same security level as SSH, and is specifically designed for the Internal of Things? Step forward, Nabto Edge TCP Tunneling.

What Is Nabto Edge TCP Tunneling?

The Nabto Edge platform supports TCP tunneling. This allows TCP client applications to securely connect to remote TCP server applications on IoT devices sitting behind end-users firewalls. Compared to SSH tunneling the device does not need to be reachable directly from the internet which in SSH normally is accomplished by TCP port forwarding or similar means, hence making it much more simple to set up (since inherently there’s no setup). 

Here’s what it looks like in action:

This integration is useful if you want to add secure remote access capabilities to existing TCP client/server applications.

Furthermore, it only requires minimal code changes. This is because the existing TCP client only needs to connect to the local Nabto proxy TCP server started in the client application – not the actual TCP server. 

This concept is very similar to SSH tunneling; however, it is easier and puts you in greater control. 

How to Get Started With TCP Tunneling Using Nabto Edge

Setting up a TCP Tunnel with Nabto is extremely straightforward. Why? Because we provide SDK level support for clients and their devices. This allows them to easily integrate Nabto Edge TCP tunneling into their solutions.

But, what are the steps commonly involved in the setup? Let’s take a look.

Step 1: Use Nabto Provided Standalone Apps

A typical workflow is to first use the ready-made applications for a proof-of-concept project to evaluate the platform.

On both ends (client and embedded device), you just download, configure and run the existing applications. 

Your existing TCP client can then connect through the Nabto applications on the client and embedded device, respectively, to your existing TCP service.

You can learn more about the process in our Nabto Edge TCP Tunnel Step-by-Step Guide

Step 2: Client Integration Through SDK

After the quick evaluation, a typical next step is to integrate tighter on the client-side. However, instead of using a standalone tunnel application, the Nabto Edge Client SDK is integrated with the client application to start the tunnel endpoint.

The integration effort is minimal. The existing TCP client still just connects to the TCP endpoint spawned by Nabto Edge Client SDK.

In this step, the embedded tunnel endpoint application, as described above, is still typically used.

Step 3: Embedded Device Integration Through SDK

As an optional final step, some customers prefer to further tailor the integration on the embedded device. In some scenarios, this is mandatory. For instance, it’s mandatory for platforms where standalone tunnel applications are not supported. This includes all real-time operating systems (RTOS).

As a result, using the Nabto Embedded Edge SDK to start the Nabto TCP tunnel server endpoint is still very simple. Furthermore, on higher-level systems where the ready-made tunnel applications exist, these are typically used as-is for production purposes – or slightly modified for customer-specific requirements.

What Can You Use Nabto Edge TCP Tunneling For?

On top of being used for secure communication with Linux devices, we’ve seen many other deployments of Nabto Edge’s TCP tunneling amongst our customers. 

Here are some common use cases we’ve helped our customers set up:

    • Video – The majority of Nabto devices deployed in the field use TCP tunneling injected between an existing video player client and a TCP video streaming service such as an RTSP server on an IP camera or an NVR/DVR.
    • HTTP – Secure remote access to existing HTTP services is popular in providing remote access to admin applications. On top of that, remote API access from a client app to a REST service on an IoT device is popular. With Nabto, you don’t need the hassle of browsers complaining about self-signed HTTPS certificates – you can use plain HTTP on top of the secure Nabto layer.
    • SSH/telnet – You can use TCP tunneling to access ssh or telnet services on deployed devices. Nabto ensures secure access to your devices. Furthermore, you only need to allow SSH/telnet access from localhost and use the Nabto authorization framework to control remote access.
    • TCP tunneling allows you to use Bare Metal – Nabto’s TCP tunneling solution allows you to run on both Bare Metal and RTOS systems. On the other hand, standard SSH tunneling only allows you to run on RTOS. 
    • Custom TCP protocols – In fact, you can tunnel any TCP-based protocol!

Want to hear how you could benefit from Nabto Edge’s TCP Tunneling? Get in touch with us today for a free consultation.

The Bottom Line: Nabto Edge TCP Tunneling > SSH Tunneling

As you can see, while both have their similarities, Nabto Edge’s TCP tunneling is a better option for your IoT solution than an SSH tunnel. 

It’s simple to deploy, gives IoT developers greater control, and has our IoT experts input along the way. So, if you want to utilize maximum security and control for your IoT solution, it’s really a no-brainer!

Sign up for the Nabto Cloud Console to try out some of our features for yourself.

Read Our Other Resources

We’ve also published a range of IoT resources for our community, including:

Leave a Reply

Your email address will not be published.