Reverse SSH Tunnel

My home server is located behind a NAT and my ISP hasn’t given me a public IP, so what can I do to connect to my home server when I’m at work? Simple: just do an SSH reverse tunnel. I’ll explain how in this small HowTo.

At home I have an ADSL connection but I don’t have a public IP, at least not at the time of this writing. This means that I can’t connect to it directly, which would be a problem; well, not really, but I would like to have this functionality enabled.

One day there was a problem with the home server: the workstations were not able to connect to the Internet, but the server was able to. This was due to a misconfiguration of the firewall. I looked up a way that would allow me to connect to my home server over the Internet, and I finally read something about SSH reverse tunneling on the Gentoo Tips site (I’m not a Gentoo fan myself, but that site really has some neat tips). After reading the article I knew that this was what I needed.

Now let’s see if I have the tools needed for this:

1. Remote SSH server in which I have a shell account: yes
2. Home server can connect to remote SSH server: yes
3. Home server has an SSH server: yes
4. I can connect from my work computer to the remote SSH server: yes

OK, this means that I can successfully do an SSH reverse tunnel. So I IM my sister at home, since she’s the one that has access to the home server and knows how to use Linux, and tell her to connect to the remote SSH server. To do this she has to run the command:

$ ssh -R 1100:home_host:22 remote_user@remote_host

Once she runs that command she gets connected to the remote SSH server without any problems; great, step one is complete. Now comes the tricky part, connecting to the home server, but before I explain the next part, let me explain the command above.

This opens an SSH session on remote_host as remote_user. The -R option tells SSH to open this tunnel as a reverse tunnel, which basically allows connections from remote_host to home_host. The argument after -R has three parts separated by colons (:). First comes the port that SSH will use on remote_host to reach home_host, in other words the port on which the SSH session from remote_host to home_host will be opened. Then comes the hostname, IP address or domain name of home_host, optionally prefixed with the username on home_host that will be used on the tunnel (this isn’t necessary, it will work even if you omit the username); given that at home I don’t have a public IP this hostname doesn’t really matter, at least it didn’t seem to matter in my case. Finally comes the port on which SSH listens on home_host; I’ll just use the default 22. After all of that, add the username and hostname of remote_host, as usual.

OK, now let’s move on to the tricky part. If you have control over remote_host, i.e. you have root permissions or are able to modify the SSH configuration, then go to section A below; otherwise, if you just have a shell account on remote_host without any root permissions or can’t edit the SSH configuration, then go to section B below.

Section A. You have control over the remote_host

There’s one thing you’ll need to change, if you haven’t done so already, in the sshd_config file or the equivalent SSH configuration file. For the port forwarding in the SSH server you will need to enable GatewayPorts: just look for the line that says “GatewayPorts yes” and uncomment it. If it doesn’t appear then add it, and if it does appear but says “no” then just change that to “yes”.

Now run the SSH command above on home_host and, on the machine you’re at, connect via SSH to remote_host; but instead of connecting to the SSH port that remote_host has assigned, connect to the port that you assigned in the command above. In my case I specified port 1100, so I will run the command:

$ ssh remote_host -p 1100

This will connect me directly to my home_host; well, not “directly”, but it will connect to remote_host and automatically forward the connection to home_host.
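Section A hinges on the GatewayPorts value sshd actually uses, and a mistyped or duplicated line is easy to miss. The script below is an added example, not part of the original HowTo: it reads the effective GatewayPorts setting from an sshd_config file and says which section of this HowTo applies to the plain “-R 1100:home_host:22” command (which names no bind address). It assumes the setting is global (keywords inside Match blocks are not handled) and uses constructed sample config files, not a real server.

```sh
#!/bin/sh
# Added example, not part of the original HowTo: read the effective GatewayPorts
# value from an sshd_config on remote_host and say which section applies.
#
# sshd keeps the FIRST uncommented value of a keyword, accepts "Keyword value"
# or "Keyword=value", and defaults GatewayPorts to "no". Keywords inside Match
# blocks are not handled here (assumption: the setting is global).

gateway_ports_setting() {
    # $1: path to an sshd_config file; prints yes, no or clientspecified
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }        # trim the line
        /^#/ || /^$/ { next }                              # comments and blanks
        {
            split($0, f, "[ \t=]+")
            if (tolower(f[1]) == "gatewayports") {
                print tolower(f[2]); found = 1; exit        # first hit wins
            }
        }
        END { if (!found) print "no" }                     # sshd default
    ' "$1"
}

which_section() {
    # "yes" binds port 1100 on all interfaces of remote_host (Section A:
    # ssh remote_host -p 1100). "no" binds it to loopback only (Section B:
    # ssh remote_host, then ssh localhost -p 1100). "clientspecified" lets the
    # client pick, but the command above names no bind address, so it still
    # lands on loopback: Section B.
    case "$(gateway_ports_setting "$1")" in
        yes) echo A ;;
        *)   echo B ;;
    esac
}

# Constructed sample configs (not real servers); removed when the script exits.
cfg_a=$(mktemp); cfg_b=$(mktemp); cfg_c=$(mktemp)
trap 'rm -f "$cfg_a" "$cfg_b" "$cfg_c"' EXIT
cat > "$cfg_a" <<'EOF'
# constructed: admin enabled GatewayPorts; the commented line and the later
# duplicate are ignored by sshd
Port 22
#GatewayPorts no
GatewayPorts yes
GatewayPorts no
EOF
cat > "$cfg_b" <<'EOF'
# constructed: "=" form with mixed case, set to no
  gatewayports=No
PermitRootLogin no
EOF
cat > "$cfg_c" <<'EOF'
# constructed: keyword absent, so sshd's default (no) applies
Port 22
EOF

for c in "$cfg_a" "$cfg_b" "$cfg_c"; do
    echo "$c: GatewayPorts=$(gateway_ports_setting "$c") -> Section $(which_section "$c")"
done
```

Run it with sh on a copy of the server’s sshd_config; if it reports Section B although you edited the file, the uncommented line you added sits below an earlier one that sshd already read, or sshd has not been restarted yet.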

Section B. You don’t have control over the remote_host

Well, this is my case; I don’t have control over remote_host, so I have to find another way to connect to my home server. It just turns out that I can do this very easily. I don’t know if this slows down the connection or the performance of either host, but I know it works.

In this case remote_host may not have GatewayPorts enabled, which means that you can’t use the command in section A; doing so will simply return an error message saying that the remote host refused the connection, or something like that. So what can I do? Simple: just connect to remote_host like you normally would:

$ ssh remote_host

And then connect to the same host, like this:

$ ssh localhost -p 1100

Again the -p flag specifies the port to which SSH will attempt to connect, and the port should be the one you specified when you ran the first command mentioned in this HowTo. This will connect to home_host; it will of course ask you for the user password on each connection.
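Whether you need the extra hop through localhost, and whether the tunnel is up at all, can be read directly from the listening sockets on remote_host. The script below is an added example, not part of the original HowTo: given the output of “ss -ltn” (or “netstat -tln”) on stdin, it reports which address port 1100 is bound to and which section of this HowTo applies. The listings it uses are constructed samples, not captures from a real host.

```sh
#!/bin/sh
# Added example, not part of the original HowTo. After the home side has run
# "ssh -R 1100:home_host:22 remote_user@remote_host", check on remote_host
# whether port 1100 is listening and on which address:
#   loopback (127.0.0.1, [::1]) -> Section B: ssh remote_host, then ssh localhost -p 1100
#   wildcard (0.0.0.0, *, [::]) -> Section A: ssh remote_host -p 1100 works directly
#   nothing                     -> tunnel is down; the home side must rerun the command
# Input: "ss -ltn" or "netstat -tln" output on stdin (only LISTEN lines count).

tunnel_bind_address() {
    # $1: tunnel port; prints the bound address, or "none"
    awk -v port="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {          # find the field ending in :PORT
                f = $i
                if (f ~ (":" port "$")) {
                    sub(/:[0-9]+$/, "", f)        # strip the port, keep the address
                    print f; found = 1; exit
                }
            }
        }
        END { if (!found) print "none" }
    '
}

connect_method() {
    # $1: tunnel port; stdin: listener listing. Prints A, B or DOWN.
    case "$(tunnel_bind_address "$1")" in
        none)                        echo DOWN ;;
        127.*|"[::1]"|::1|localhost) echo B ;;
        *)                           echo A ;;   # wildcard or a real interface address
    esac
}

# Constructed sample listings in "ss -ltn" format (not from a real host).
listing_b='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:1100      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
listing_a='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:1100        0.0.0.0:*
LISTEN 0      128    [::]:1100           [::]:*'
listing_down='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

for name in listing_b listing_a listing_down; do
    eval "l=\$$name"
    echo "$name: port 1100 bound to $(printf '%s\n' "$l" | tunnel_bind_address 1100)" \
         "-> $(printf '%s\n' "$l" | connect_method 1100)"
done
```

On a real remote_host you would pipe the live output in, for example “ss -ltn | sh -c '. ./check.sh; connect_method 1100'” (with the sample loop removed); a result of A means port 1100 is reachable from anywhere that can reach remote_host, which is exactly why the loopback-only setup of section B is the more conservative choice.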

If neither of the above methods worked for you then I’m sorry to say that you may have something wrongly configured, or just configured in a very secure way that doesn’t allow this to happen. I believe that it’s a lot more secure to disable GatewayPorts and to use the method described in section B of this HowTo.

The Gentoo site mentions a way to prevent your home_host from getting disconnected from remote_host after some time of inactivity, but since I don’t have control over remote_host I can’t make the modifications necessary to do so, and besides it’s not a very good idea. What I’m going to do is just IM my sister and tell her to run the command to connect my home server to remote_host, at least for now. I might set something up that would allow me to send an e-mail to my home server and have it connect to remote_host so I can have access to it, but I’ll leave that for another tutorial ;-).

I hope this helps, and if you have any problems feel free to ask here. Also, if you see any problems or mistakes in this HowTo feel free to comment on that as well; I’m not perfect.

-LMurillo

———-

Reference:

1. http://gentoo-wiki.com/TIP_SSH_Reverse_Tunnel (Gentoo Tips)
2. http://tinyurl.com/kh8f9 (TechRepublic)
