can I tunnel Transmission's web UI through SSH?

[jsmith6]

I have been using the web UI to talk to Transmission from inside the house, but now I want to start using it from the outside too.

I don't feel comfortable that it's plain HTTP. The password and everything I do goes naked through the wire.

I want to use SSH tunneling --or perhaps something similar-- to access the web UI. I want to avoid messing with Apache, if I can help it, since I don't feel comfortable with it for the time beeing.

I'm kind of new to tunneling so I need to ask these two things before I do it.

One.

There will be times that I will be tunneling all my web traffic through my house. In these times, simply accesing Transmission's web UI is safe, since everything gets through the SSH tunnel. Right?

Two.

In times that I will not be tunneling all traffic, is there a way to only tunnel the traffic of Transmission's web UI? There must be something I can do with the specific port that the web UI listens to.

PS: I know I can manage the Deamon directly when I login to the machine. This is not what I'm looking for right now.

[rb07]

Answer: Yes.

Let's start with item "Two" on your list, what I do (not with Transmission but with many other applications I want to protect) is use the tunneling functionality of ssh (OpenSSH), for that you need 2 things: a sshd server on your local network, and a ssh client.

Are you still with me? or the above was Chinese written in Arabic? (just a joke)

If you don't have a SSH server, then start by researching that, I'm not going into that much detail.

On the client side you have many choices depending on what you are running there, Windows/OS X/Linux/Solaris/... you get the idea. If you are using Cygwin(on Windows) or Mac OS X or any Unix variant, then you can open a tunnel on a terminal with a 'simple' command:

Code: Select all

ssh -NL 9091:localhost:9091 your_user@your_server_ip_or_name

You may need to enter your password, or not if you use public key.

Then you connect to your transmission server using: http://localhost:9091/

One end of the tunnel is in your localhost, the other is on your sshd server. If transmission-daemon is not on the same computer as your sshd server then change 'localhost' with the name or IP of the computer running it. For instance, lets say your SSH server is in your gateway and transmission-daemon is running on a PC with IP 192.168.1.96, then you use:

Code: Select all

ssh -NL 9090:192.168.1.96:9091 your_user@your_server

This is getting long and is not Transmission specific, so lets just say about item "One" and in fact about both items, there are other methods to do the same I described, I use autossh, there's also stunnel, and probably others I don't even know.

An example of stunnel on this forum: http://forum.transmissionbt.com/viewtop ... 163#p42476

[lembregtse]

If you already have an Apache2 server running on your server you could use the following method:

http://forum.transmissionbt.com/viewtop ... 133#p29731

It uses Apache2 as a Proxy to your Transmission daemon.

[Glen_S]

I am curious about this as well, I have transmission running on my mybook world edition NAS and would like to be able to access the web gui for transmission from anywhere to check on things, and using ssh sounds like it would be a better way to go.

For now though, I can't even access the web gui over http for some reason. I have port forwarded the nas ip address and port 9091 in my router, and I use dyndns for a dynamic dns service, when I enter in my "myname.dyndns.org:9091 I get nothing though - if i have my port fowarded correctly and shows it open through canyouseeme.org - so should this not work?

Am I missing something?

thanks

[Longinus00]

Have you whitelisted the ip that you're connecting from?

[Glen_S]

I think the ip I was connecting from should be fine, I can log into my router gui, wireless webcams, and webserver on my NAS unit ok. I have web access set up on my NAS unit and it uses port 443 via https, and I can connect to it ok.

[lembregtse]

I think the ip I was connecting from should be fine, I can log into my router gui, wireless webcams, and webserver on my NAS unit ok. I have web access set up on my NAS unit and it uses port 443 via https, and I can connect to it ok.

What do the following settings say:

Code: Select all

 "rpc-whitelist": ...
 "rpc-whitelist-enabled": ...

Either you have rpc-whitelist-enabled set true and have the rpc-whitelist configured correctly with your IP's or have rpc-whitelist-enabled set false. What message do you get when you try to connect?

[Glen_S]

I wasn't sure where you meant to look, but I assume you mean the settings.json file:

Code: Select all

~ # cat ./.config/transmission-daemon/settings.json
{
    "alt-speed-down": 50,
    "alt-speed-enabled": false,
    "alt-speed-time-begin": 540,
    "alt-speed-time-day": 127,
    "alt-speed-time-enabled": false,
    "alt-speed-time-end": 1020,
    "alt-speed-up": 50,
    "bind-address-ipv4": "0.0.0.0",
    "bind-address-ipv6": "::",
    "blocklist-enabled": false,
    "dht-enabled": true,
    "download-dir": "\/shares\/Public\/WWW\/TR-Downloads",
    "encryption": 0,
    "incomplete-dir": "\/root\/.config\/transmission-daemon\/Incomplete",
    "incomplete-dir-enabled": false,
    "lazy-bitfield-enabled": true,
    "message-level": 2,
    "open-file-limit": 32,
    "peer-limit-global": 240,
    "peer-limit-per-torrent": 60,
    "peer-port": 51413,
    "peer-port-random-high": 65535,
    "peer-port-random-low": 49152,
    "peer-port-random-on-start": false,
    "peer-socket-tos": 0,
    "pex-enabled": true,
    "port-forwarding-enabled": false,
    "preallocation": 1,
    "proxy": "",
    "proxy-auth-enabled": false,
    "proxy-auth-password": "",
    "proxy-auth-username": "",
    "proxy-enabled": false,
    "proxy-port": 80,
    "proxy-type": 0,
    "ratio-limit": 2.0000,
    "ratio-limit-enabled": false,
    "rename-partial-files": true,
    "rpc-authentication-required": true,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": true,
    "rpc-password": "{881ab9abf2362330f51ca806e64645cb5dc6b59d1hMZ1jGO",
    "rpc-port": 9091,
    "rpc-username": "glen",
    "rpc-whitelist": "127.0.0.1",
    "rpc-whitelist-enabled": false,
    "speed-limit-down": 100,
    "speed-limit-down-enabled": false,
    "speed-limit-up": 100,
    "speed-limit-up-enabled": false,
    "umask": 18,
    "upload-slots-per-torrent": 14
}

[lembregtse]

Yeah, "rpc-whitelist-enabled": false, so you should be able to access it. Have you forwarded port 9091 correctly to your transmission machine?

[Glen_S]

I have the port 9091 in both the "from" and "to' fields on the port forward page and the 192.168.1.3 ip address (linksys router with dd-wrt), the same as I have my (accessbook gui) 443 port forwarded for the mybook NAS drive. I even tried using the port range forward as well, no luck.

I can access it from within my home LAN fine, it doesn't matter if I use the ip address or dyndns name. But when I try it from a remote computer I just get the "connection timed out" message..

[Glen_S]

update - after some playing around with my port forward settings on my router, I thought I'd try disabling one of my web cams and use its "from" port of 81 on the transmission port forwards "from" field. Voila - I was able to get in, enter my username/pwd and off to the races.

Now what I am curious about is, am I only limited to a few addresses I can use in the "port from" field?

I am accessing webservers on my network through port 80,81, 8080 and 443, are there other ports I can use or is there a way I can work with these ones only?

What I'd like to do is have the access through SSL like I do the Access Book component on the same drive, is this possible?

[rb07]

DD-WRT doesn't have limits on the number of ports, or which port numbers, you probably aren't using it correctly.

In fact port forwarding and all the firewall functions are handled using IPTABLES, the built in firewall in Linux, so you can do much more than simple port forwarding. Also DD-WRT has VPN and other tunneling software already included... but how to use that is a question for the DD-WRT forum, I particularly like the Wiki section with tutorials http://www.dd-wrt.com/wiki/index.php/Tutorials .

[Glen_S]

I thought I might be using it incorrectly too, but I still don't know why it works ok when I enter port 80 or 81 as the port from, but won't work if I put any other port in. From what I read (I thought) the 4 ports I listed were the only ones you could use to access webservers on the home LAN, which made sense when I did my experiment. I also tried disabling the dd-wrt firewall for a minute, and still could not connect using port 9091 in the port from side (in port forwarding)

I'll check the dd-wrt tutorials though and see if that can solve my problem, but I think most of those assume one has more linux knowledge than I do.

My other thought was to add a link to the transmission gui somehow to my SSL site on the MBWE Accessbook page, maybe I can make that work.

[jsmith6]

Thanks!

I went for the SSH tunnel. Works like a charm! Seemed like a more suitable choice for me.

I'm now having some issues accessing the web-ui (like some of you) because I upgraded to 1.8x but kept the config files from 1.75x. I'll work on it some more before I ask.