Tunnel (computer network)

from Wikipedia, the free encyclopedia

A tunnel - in a computer network - is a virtual transmission path. The translation and transmission of a network protocol that is embedded in another protocol for transport is also known as tunneling and also ( borrowed from English ) as tunneling . The original protocol is “spoken” in front of and behind the tunnel partners, while a different protocol is used between the tunnel partners, which can serve a different type of communication and still transport the data of the original protocol. For this, the tunnel software is required on both sides of the tunnel. After embedding the original communication data in another protocol, the software on the other side of the tunnel has to translate the data back again and pass it on.

A vivid example of tunneling within the public switched network is the transmission of digital computer data through an analog voice network using acoustic couplers . There the transition between the acoustic coupler and the telephone receiver forms a visible entrance (if the computer is sending data) and the exit of the tunnel (receiving data). Tunnels like DSL are required today to be able to access the Internet via the public switched network.

Internet access over the switched network is an example of a tunnel that connects networks (the private network and the Internet) through a neighboring network without the neighboring network (the switched network) having to be compatible with these networks. In addition, tunneling is used in a computer network to transmit data from one network service embedded in the protocol of another network service. The communication protocol used by the other service is used like a shell that helps to disguise the actual content. In this way, insecure network protocols embedded in a secured and encrypted network protocol can be transported tap-proof and tamper-proof (e.g. SSH tunnel). Tunnels can also be used to connect participants in a network from their original network to another network (e.g. VPN tunnel). Tunnels are also suitable for circumventing the rules of a firewall and other security measures (e.g. HTTP tunnel).

Five parallel SSH tunnels of a client (complete left side) across a firewall ( Firewall1 ) through a neighboring network (here the Internet ) to its SSH tunnel partner on or behind Firewall2 ( if it is behind it, the firewall extends the port 22 request there). The tunnel partner receives the requests and forwards them to the servers in his private (self-contained) network for which the requests are intended (right side); for the use of various server services (here VNC, print, SSH shell, RDP and Telnet), whereby the data between the client and its SSH tunnel partner is encrypted thanks to the tunnel protocol (SSH) used and is thus transmitted tap-proof and tamper-proof.

Tunneling within the public switched network

The public switched network contains an infrastructure. A device connected there must be able to operate this infrastructure (speak its protocol). Otherwise the device could not reach the other party.

In addition to the public switched network, which was originally developed for telephony, there are other networks. To put it very simply, another network can be imagined that is located somewhere, for example in Germany, and connects several computers with one another. The computers provide services that can be accessed via their network. The provider could now lay its own lines into the home of its customers in order to provide a connection for the new network. This process would, however, be very complex and expensive and there would be a large number of junction boxes in a household that would like to contact several networks in a similar way.

Alternatively, the existing public switched network can be used using a tunnel: On the one hand, the new network is connected to the public switched network via a gateway ; on the other hand, at the user's telephone socket, a remote terminal is installed to which the end devices intended for the new network can be connected (here the customer's own computer). The data is transmitted between the remote station and the gateway in accordance with the protocol of the public dial-up network (they are tunneled; more precisely, they are packed into a protocol that masters the addressing of the dial-up network and "packs" the data of the other network in itself, without the technical Violate the specifications of the dial-up network). These devices are tunnel partners because they pack the original packets in a different protocol and unpack and forward them on the other side. The protocol of the other network is spoken again in front of and behind these devices; addressing takes place again, for example, in a form that the computer network understands.

Such tunnels, which connect networks across another network, belong to the VPNs . Well-known tunnels within the public switched network are, for example, ISDN , X.25 , Frame Relay and DSL .

Tunneling within a computer network

Appropriate protocols

In principle, all protocols can be used for a tunnel. You just have to be routed through the network and offer the option of embedding the data to be transported. So z. B. use ping packets ( ICMP ) for data transport in an ICMP tunnel . Asymmetric tunnels are also possible in which two different protocols are used for the outward and return route.

Bypass a firewall with a tunnel

Tunnels can be used to bypass the security policy of a network system. They are called tunnel in the academic literature covert channels (English network covert channels ). For example, a security policy can be enforced using a firewall . Under certain circumstances, a tunnel allows a firewall to be "bypassed". The following example illustrates such a procedure.


A network service works on a specified port . If ports are blocked with the help of a firewall , the aim is to prevent certain services from being used. Is z. For example, if port 80 ( HTTP ) is allowed and port 21 ( FTP ) is blocked, the user can call up Internet pages but cannot exchange files with an Internet server via FTP.

You could now change the FTP client program and the server service of your own Internet server so that they also communicate via port 80 and thus circumvent the filter rule of the firewall.

A firewall that is able to analyze the packets can also examine the structure of the data and block all packets that do not correspond to the protocol of the approved service. Theoretically, the trick would no longer work here. In practice, however, such a control is not trivial. After all, every protocol should transport some kind of data. So it is possible, for. B. to embed the data of an FTP service in the protocol of an HTTP service without violating the protocol standard. The data only has to be converted accordingly.

A tunnel carries out such a conversion: It sends the data of a blocked service embedded in the data of a released service through the firewall to its target system. To do this, tunnel software must be installed on the PC and the target system, which converts the data on the one hand and converts it back to the original format on the other.

Does the firewall allow encrypted connections, such as B. to HTTPS - servers , the data can no longer be at the firewall read along . A content check is therefore not possible. These connections are particularly suitable for tunnels. The OpenVPN software with the TCP protocol is very suitable here, as the connection is almost identical to that of a website ( HTTPS ).

Hole punching is a tunneling technique that can be used when both sides of a connection are shielded from the Internet by firewalls.

Employers sometimes prohibit the use of services other than HTTP and ensure this through a usage policy and a firewall. If a firewall in company networks is bypassed under such conditions, it should be noted that this can be seen as a deliberate violation of the terms of use, which means that employees risk termination without notice.

Use the tunnel principle for an encrypted connection

Tunnels are primarily used to establish tap-proof connections across unsecured computer networks. The tunnel software ensures that the network packets are embedded in an encryptable protocol so that they can be decrypted and unpacked again on the other side. This means that encrypted data transmission is also implemented for services that normally do not have their own encryption. Entire networks can also be connected to one another in a tap-proof manner.

Tunnel software (converter)

Local port forwarding with SSH via command line. The ssh command is started on the blue computer.
Remote port forwarding with SSH via command line. The ssh command is started on the blue computer.
Local port forwarding with SSH via PuTTY. The PuTTY program will start on the blue computer.

As the tunnel software of the client hangs in the IP implementation, it could automatically redirect outgoing requests to certain services (more precisely to a TCP or UDP port X, green in sketch) to port Y (purple in sketch) of another service and convert the data as soon as a specific target ( IP address , orange in sketch) is addressed. According to the example above, port X could be the port for the FTP service, while port Y would then be the port for the HTTP service over which the request is to be tunneled.

So that only the local system can use this port, the tunnel software usually does not bind to the external address of the network card, but to the internal local address of the computer ( localhost , the so-called loopback interface The client program is then configured in such a way that it no longer sends its queries to the target system, but rather sends them to its own computer on the tunnel software port (target system = "localhost: Port X"). Depending on the setting, the tunnel software in turn automatically forwards all packets that arrive at port X to the actual target system (target system = "remote server: port Y", orange faraway host or nearhost in the picture ).

In this way, several local ports can be used, which can be configured individually and connected to different destinations.

The tunnel software runs on the server according to the same principle - just the other way around (see `Remote port forwarding` sketch on the right): It listens at the tunnel port, converts all incoming packets back into the original format and then forwards them to the destination and port.

As an alternative to the method described above, there are also application programs in which the tunnel software is already integrated. The tunnel can thus be used directly without having to switch a separate converter program in between.

Examples of tunnel software

  • GNU httptunnel HTTP tunneling solution.
  • HTTPTunnel - a platform independent (Perl / PHP) HTTP tunneling software
  • OpenSSH - SSH offers the possibility to establish encrypted TCP tunnels
  • OpenVPN - VPN solution for Unix , Windows , Android and iOS , uses either UDP or TCP (version 2.0 or higher )
  • corkscrew - an SSH HTTP (s) tunnel program
  • PuTTY is a free SSH and Telnet client program
  • FreeS / WAN
  • OpenS / WAN
  • iPig Hotspot VPN - TCP / UDP tunnel software and service (A limited version can be used free of charge.)
  • VTun
  • PingFu is a game tunnel service
  • LogMeIn Hamachi - a free VPN tunnel service
  • Your Freedom is a partially free HTTP tunnel service
  • Crypto IP Encapsulation (CIPE)
  • Tunnel - TCP tunnel software (limited free use, Windows + Linux)
  • Tunngle P2P VPN gaming tool
  • Token2Shell - Universal Windows app


Tunneled connections are only considered secure as long as the encryption methods used are considered to be sufficiently strong.

Also you have to realize is that data that is passed over a public provider of this and also its underlying nodes (. Eg the provider ) are readable, if not higher underlying protocols such as TLS in HTTPS - protocol encryption to the destination to ensure. You are therefore on the safe side if you choose more trustworthy providers such as B. uses your own server, an access point at work or a friend.

The software that you use can contain holes and gateways that an attacker can exploit. You should therefore always ensure that the endpoints (server ↔ client) are up to date.

The key used to access the tunnel could fall into the wrong hands. It should therefore be ensured here that this is not compromised .

In summary, the following aspects must be observed:

See also

Web links

  • RFC 2003 - IP Encapsulation in IP
  • Tunneling (PDF; 259 kB), Wolfgang Schulte. NET 11/2009 p. 30

Individual evidence

  1. ^ Tunneling - Duden , 2019
  2. a b Virtual private network , IT knowledge, online lexicon for information technology
  3. a b c “What is a VPN?” (PDF; 652 kB), Paul Ferguson and Geoff Huston , April 1998
  4. How to hide OpenVPN traffic blog post about OpenVPN over port 443 tcp (English)