[Symbiote]

Here are the example commands, with the SSH equivalent. There's a small syntax difference, but otherwise I don't think this tool adds much.

  $ mole -local 127.0.0.1:3306 -remote 127.0.0.1:3306 -server example@172.12.0.100
  $ ssh -L3306:127.0.0.1:3306 example@172.12.0.100

  $ mole -v -local 127.0.0.1:8080 -remote 172.17.0.100:80 -server user@example.com:22 -key ~/.ssh/id_rsa
  $ ssh -v -L8080:172.17.0.100:80 -p 22 -I ~/.ssh/id_rsa user@example.com

  $ mole -v -local 127.0.0.1:8080 -remote 172.17.0.100:80 -server example1
  $ ssh -v -L8080:172.17.0.100:80 example1

  $ mole -remote 172.17.0.100:80 -server example1
  $ ssh -L2937:172.17.0.100:80 example1
  NB Random port is predefined to be 2937, see https://xkcd.com/221/. Or use $RANDOM.

  $ mole -v -local :8080 -remote 172.17.0.100:80 -server example1
  $ ssh -L8080:172.17.0.100:80 example1
  NB difference with SSH, -L:8080... would bind the local port to 0.0.0.0:8080.

  $ mole -v -local 127.0.0.1:8080 -remote :80 -server example1
  $ ssh -L8080:127.0.0.1:80 example1

  $ mole -alias example1 -v -local :8443 -remote :443 -server user@example.com
  Add to SSH config: "LocalForward 8443 localhost:443"

I don't know if Mole supports it, but SSH also has the option to forward a remote port through the local machine.

  home $ ssh -R8888:example.net:80 work.example.com
  ...
  work $ curl -H "Host: example.net" localhost:8888

But the most useful of all is perhaps:

  work $ ssh -D3128 personal-vm-or-raspberry-pi-whatever.example.net

Then configure Firefox to use a SOCKS proxy on localhost:3128. You now bypass any corporate HTTP proxy.

[darrenf]

mole also doesn't seem to support DynamicForward for creating SOCKS proxies. Mind you, I'm not sure how it could improve on native ssh for concision:

    ssh -D *:1080 work

Combined with a .pac file that proxies my work domain(s) through the tunnel, it's all the forwarding I ever need.

ETA: largely redundant comment now the parent now also mentions this option. :)

[Symbiote]

I think it's worth drawing attention to it. It's a very useful feature; just don't tell the network administrators.

NB including

  *:

does mean anyone on your local network (assuming a firewall at the gateway) can use your computer to proxy to work. That's great if you're on a private LAN and want to look at a work site on your phone, but not great at a coffee shop.

[Bluecobra]

> You now bypass any corporate HTTP proxy.

Assuming that said corporation isn’t blocking random ssh connections with their fancy NGFW. ;)

[loeg]

Yeah, this hits close to home. Our corp firewall blocks anything other than 80 and 443, and MITM's 443.

[YouKnowBetter]

And when that proxy is worth it's salt, it shall detect attempts to tunnel plain ssh over said ports.

This is 2018, anyone who can bypass their corporate proxy with that example, should find employment elsewhere or atleast prepare to do so since your company's internals will surface on twitter any time now.

[davrodpin]

There is another interesting example:

$ mole -v -remote :80 -server example1

The missing "-local" flag will make mole to listen on a random local port.