Ever find yourself needing to access a computer that is behind a NAT firewall, but cannot without a bunch of goofy port forwarding rules at your router? I know, it is annoying. Here is how to SSH into your computer without adding port forwarding rules to your router’s firewall.
For ease of explaining, I will label some of these in a common setup and then refer to them as such. Your setup may be slightly different. Change the names and locations to fit your needs… In my case, I am going to have a laptop, a home desktop and a server.
When I am out and about, I bring my laptop with me. I want to connect to the home computer (running Ubuntu Linux). Since the home desktop is behind a firewall, I cannot access it directly. However, I do have a server with a public domain that I can get to from the internet. Using this, I can proxy through the server and use it as a common meeting ground.
What you will need:
- SSH set up on all computers (Server, Laptop, and Desktop)
- Root access on the desktop and maybe on the server
- SSH Key (login without password) needs to be working on your Server and Desktop. See here for setup instructions.
- There is not much to set up here. Let’s just say 12345 for the port (You can choose anything in range). Make sure any firewall on your system (or on an external router) allows this port. There, that is it.
Setup Home Desktop
- On the home desktop, we need to have it connect to the server automatically. To do so, we will set up a script that will automatically dial in to the server. This script will log in, but also ask that all traffic that comes into the server on a specific port be forwarded to the home desktop.
- First, edit your ssh config file (in Ubuntu one can find it here: /etc/ssh/ssh_config) to include the following line:
- GatewayPorts yes
- Create a new file (or modify the existing file) with this command and add the text below (this will cause the command to be executed at 10 minutes after startup): sudo vim /etc/rc.local
#!/bin/sh
# Automatically setup reverse tunnel on boot...
# This script allows me to connect to the nat'ed computer by using a third party server as a proxy.
# To connect from somewhere other than the office, use port 12345 like this... ssh workcomputer -p 12345
# This should cause the job to start initially about 10 minutes after boot. It will recheck/initialize
# every 10 minutes after that.
# See http://terry.ipearson.net/programming/reverse-ssh-to-access-linux-computer-behind-firewall/
(
while true; do
    # Wait 10 minutes before the first attempt and before every reconnect attempt.
    sleep 600
    # -n: no stdin, -N: no remote command, -T: no tty; -R forwards server port 12345 to local sshd.
    ssh -nNT -R 12345:localhost:22 firstname.lastname@example.org
done
) &
# Run the loop in the background so rc.local itself returns and boot can finish.
exit 0
- Change the permissions of the script:
sudo chmod 755 /etc/rc.local
- Now restart sshd and networking. I would recommend just restarting the computer since there appears to be a bug with network restarts in Ubuntu.
- Now, from your laptop, ssh to the server using the port specified:
ssh -p 12345 email@example.com
You will notice that instead of logging in to your server, you will actually be logged in to your home desktop! You have now broken through the NAT barrier. Congrats.
If you are having ‘connection refused’ errors after restarting, but it works when directly running the script, the issue may be that your root user does not have an ssh key setup properly.
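As an added example that is not part of the original post, here is a hardened variant of the rc.local script above, written to run on the home desktop. Two changes matter from a security standpoint. First, the remote forward is bound to the proxy server's loopback address (-R 127.0.0.1:12345:localhost:22), so the desktop's SSH port is not exposed to the whole internet through the proxy; the laptop reaches it with a ProxyJump through the server instead. Whether a remote forward may bind a non-loopback address is decided by GatewayPorts in the proxy server's sshd_config, not by the client's ssh_config, so this variant also removes the need to touch that setting. Second, the desktop dials in with a dedicated key whose authorized_keys entry on the proxy is limited to this one forward (restrict,port-forwarding,permitlisten=..., OpenSSH 7.8 or newer), so a stolen desktop does not yield a shell on the proxy. ExitOnForwardFailure makes ssh exit when the port is already taken, and ServerAliveInterval makes it notice a dead connection, so the loop reconnects instead of holding a session without a forward. The account name, host name and key path are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's script): hardened reverse SSH tunnel for a NAT'ed desktop.
# Assumed values; change to fit your setup.
TUNNEL_PORT="${TUNNEL_PORT:-12345}"
PROXY="${PROXY:-tunnel@proxy.example.com}"          # assumed unprivileged account on the public server
KEY="${KEY:-/root/.ssh/id_ed25519_tunnel}"          # assumed dedicated key used only for this tunnel

# Refuse ports outside the unprivileged range: below 1024 sshd would need root to bind,
# above 65535 is not a port at all. Returns 0 when the port is acceptable.
check_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the ssh command line as one string so it can be inspected before use.
# BatchMode/StrictHostKeyChecking: never prompt; root's known_hosts must already contain the proxy.
# ExitOnForwardFailure: quit (and let the loop retry) if the remote port cannot be bound.
# ServerAliveInterval/CountMax: drop a dead connection after ~3 minutes so the loop reconnects.
# -R 127.0.0.1:PORT:localhost:22: listen only on the proxy's loopback, not on its public address.
tunnel_cmd() {
    port="$1"; proxy="$2"; key="$3"
    printf 'ssh -i %s -nNT -o BatchMode=yes -o StrictHostKeyChecking=yes' "$key"
    printf ' -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3'
    printf ' -R 127.0.0.1:%s:localhost:22 %s' "$port" "$proxy"
}

# Options to prefix the tunnel key with in ~/.ssh/authorized_keys on the proxy server:
# restrict turns everything off, port-forwarding re-enables forwarding only, and
# permitlisten limits the remote-forward listener to this one port (OpenSSH 7.8+).
authorized_keys_options() {
    printf 'restrict,port-forwarding,permitlisten="%s"' "$1"
}

# Keep the tunnel up: reconnect after any exit, pausing so a broken config does not hammer the proxy.
run_tunnel() {
    check_port "$TUNNEL_PORT" || { echo "bad TUNNEL_PORT: $TUNNEL_PORT" >&2; return 1; }
    while true; do
        eval "$(tunnel_cmd "$TUNNEL_PORT" "$PROXY" "$KEY")"
        sleep 60
    done
}

case "${1:-}" in
    run)   run_tunnel ;;
    print) tunnel_cmd "$TUNNEL_PORT" "$PROXY" "$KEY"; echo
           authorized_keys_options "$TUNNEL_PORT"; echo ;;
esac
```

Install it as /etc/rc.local (or call it from a systemd unit) with the argument run; print shows the exact ssh command and the authorized_keys options to paste in front of the tunnel key on the proxy. Because the listener sits on the proxy's loopback, the laptop connects with a jump through the proxy, ssh -J tunnel@proxy.example.com -p 12345 user@localhost, which also means the only thing reachable from the internet is the proxy's own sshd.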