Search:  
Gentoo Wiki

SSH_Reverse_Tunnel

Image:OpenSSH-logo.png

SSH Basics

Tips & Tricks

Other Gentoo-wiki SSH

edit

Situation

You sometimes visit a campus lab, internet cafe ... and you want your computer (notebook) there to connect to your ssh daemon at your home, dorm ... (destination), but the destination is behind NAT (Network Address Translation, IP masquerade) or firewall, blocking connections to your destination machine.

Fortunately you somehow happened to be able to initiate a TCP connection to some other computer (the middle) from both computers (notebook and destination) where you have UNIX accounts.

Preconditions

You do not need root privileges on any of these machines.

If you need to use port <1024 on the middle, you would need to be root there.

The actual steps

All you have to do create a tunnel from the middle to destination.

user@destination$ ssh -R 10000:localhost:22 middleuser@middle

or

user@destination$ ssh -N -f -R 10000:localhost:22 middleuser@middle


This will open port 10000 for listening and forward all future connections to port 22 at destination.
user@notebook$ ssh destinationuser@middle -p 10000

Note: To make the last command work you need to enable the GatewayPorts feature on middle.

Turn on -X or -Y for XForwarding, and you can run X apps on your localmachine through the tunnel!

Avoiding timeout

We must make sure that we can hold an SSH session without timing out. This way, when we leave home, we know that the connection won't just die. So, edit the /etc/ssh/sshd_config (destination) file on the server as shown:

File: /etc/ssh/sshd_config on the server

...

TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999

...

Enabling the GatewayPorts

If you want to use the above given example, the SSH daemon running on middle must be set to allow the GatewayPorts feature. To make this possible, edit the /etc/ssh/sshd_config as follows. Don't forget to restart the ssh server after making these changes!

File: /etc/ssh/sshd_config on middle

...

GatewayPorts yes

...

This makes it possible that forwarded ports on middle can be reached from another host. If you do not have the necessary privileges to make these changes, you can still log on to middle directly and then reach destination by opening a ssh connection to localhost -p 10000. That means, instead of:

user@notebook$ ssh destinationuser@middle -p 10000

You have to call:

user@notebook$ ssh user@middle
Use the user/password pair on middle.

and then:

user@middle$ ssh user@localhost -p 10000
Use the user/password pair on destination.

Alternatives

See also

Retrieved from "http://www.gentoo-wiki.info/SSH_Reverse_Tunnel"

Last modified: Thu, 09 Oct 2008 06:29:00 +0000 Hits: 47,570