Reverse SSH to access Linux computer behind firewall.

Ever find yourself needing to access a computer that is behind a NAT firewall, but cannot without a bunch of goofy port forwarding rules at your router? I know, it is annoying. Here is how to SSH into your computer without adding port forwarding rules to your router’s firewall.

For ease of explanation, I will label the machines in a common setup and then refer to them by those labels. Your setup may be slightly different. Change the names and locations to fit your needs… In my case, I am going to have a laptop, a home desktop and a server.

When I am out and about, I bring my laptop with me. I want to connect to the home computer (running Ubuntu Linux). Since the home desktop is behind a firewall, I cannot access it directly. However, I do have a server with a public domain name that I can reach from the internet. Using this, I can proxy through the server and use it as a common meeting ground.

What you will need:

  • SSH set up on all computers (Server, Laptop, and Desktop)
  • Root access on the desktop and maybe on the server
  • SSH key login (login without a password) needs to be working on your Server and Desktop. See here for setup instructions.

Setup Server

  • There is not much to set up here. Let’s just say 12345 for the port (you can choose any port in range). Make sure any firewall on your system (or on an external router) allows this port. There, that is it.

Setup Home Desktop

  • On the home desktop, we need to have it connect to the server automatically. To do so, we will set up a script that automatically dials in to the server. This script will log in, but also ask that all traffic arriving at the server on a specific port be forwarded to the home desktop.
  • First, edit your ssh config file (in Ubuntu one can find it here: /etc/ssh/ssh_config) to include the following line:
    • GatewayPorts yes
  • Create a new file (or modify the existing one) with this command and add the text below (this will cause the command to be executed 10 minutes after startup): sudo vim /etc/rc.local
    • Contents of /etc/rc.local:

      #!/bin/sh
      # ------------------------------
      # Automatically setup reverse tunnel on boot...
      # This script allows me to connect to the nat'ed computer by using a third party server as a proxy.
      # To connect from somewhere other than the office, use port 12345 like this... ssh workcomputer -p 12345
      # This should cause the job to start initially about 10 minutes after boot. It will recheck/initialize
      # every 10 minutes after that.
      # See http://terry.ipearson.net/programming/reverse-ssh-to-access-linux-computer-behind-firewall/
      # ------------------------------
      while true; do
          sleep $((60*10))
          ssh -nNT -R 12345:localhost:22 myusername@server.com
      done
  • Change the permissions of the script:
    • sudo chmod 755 /etc/rc.local
  • Now restart sshd and networking. I would recommend just restarting the computer since there appears to be a bug with network restarts in Ubuntu.
  • Now, from your laptop, ssh to the server using the port specified:
    • ssh -p 12345 user@server.com

You will notice that instead of logging in to your server, you are actually logged in to your home desktop! You have now broken through the NAT barrier. Congrats.
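A hardened replacement for the rc.local loop above, written for this page as an added example rather than taken from the original post; it assumes the page's names (myusername@server.com, port 12345) and a hypothetical file name reverse-tunnel.sh, and differs from the page's script by binding the tunnel to the server's loopback address, so the desktop is reached through a jump via the server instead of being exposed to the internet on server.com:12345.

```shell
#!/bin/sh
# Hardened version of the rc.local loop above (added example, not the post's
# own script). Assumes the page's names: the desktop's key is accepted by
# myusername@server.com and 12345 is the tunnel port. Changes from the page:
#  * -R binds 127.0.0.1 on the server, so port 12345 is not open to the whole
#    internet; the laptop hops through the server instead:
#      ssh -J myusername@server.com -p 12345 user@127.0.0.1
#    (GatewayPorts, an sshd_config setting on the server, is then not needed)
#  * ExitOnForwardFailure: ssh exits, and the loop retries, if the port is
#    still held by a stale tunnel instead of staying connected uselessly
#  * ServerAlive*: a dead NAT mapping is noticed within about 3 minutes
#  * BatchMode: never hang on a password prompt when the key is missing
#    (the "works by hand, fails from rc.local" case in Troubleshooting)
#  * retry delay doubles after short-lived connections, capped at MAX_DELAY

TUNNEL_PORT=${TUNNEL_PORT:-12345}
TUNNEL_HOST=${TUNNEL_HOST:-myusername@server.com}
MAX_DELAY=600

# ssh arguments for the reverse tunnel, one per line (single-token forms).
tunnel_args() {
    printf '%s\n' -nNT \
        -oExitOnForwardFailure=yes \
        -oServerAliveInterval=60 \
        -oServerAliveCountMax=3 \
        -oBatchMode=yes \
        "-R127.0.0.1:${TUNNEL_PORT}:localhost:22" \
        "$TUNNEL_HOST"
}

# Next retry delay in seconds: double the previous one, capped at MAX_DELAY.
next_delay() {
    d=$(( $1 * 2 ))
    [ "$d" -gt "$MAX_DELAY" ] && d=$MAX_DELAY; echo "$d"
}

# Keep the tunnel up. A connection that lasted over 5 minutes resets the delay.
run_tunnel() {
    delay=5
    while true; do
        start=$(date +%s)
        set -- $(tunnel_args)   # word-split on newlines into "$@"
        ssh "$@"
        elapsed=$(( $(date +%s) - start ))
        if [ "$elapsed" -gt 300 ]; then delay=5; else delay=$(next_delay "$delay"); fi
        sleep "$delay"
    done
}

# From /etc/rc.local (placeholder path): /path/to/reverse-tunnel.sh start &
case "${1:-}" in start) run_tunnel ;; esac
```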


Troubleshooting:

If you are getting ‘connection refused’ errors after restarting, but it works when running the script directly, the issue may be that your root user does not have an ssh key set up properly.

2 thoughts on “Reverse SSH to access Linux computer behind firewall.”

  1. How do you connect to a computer behind a NAT router? Any NAT router is also a firewall. Sometimes you do have access to the firewall configuration and can set up port forwarding. Yet often it is complicated and even impossible. A common situation is when you want to connect to a computer in the office from home. Companies usually hide office computers behind NAT routers and firewalls. Hence you cannot connect to an office computer as is.

    1. This is precisely what we are doing here. Rather than you reaching into the office network, a specific computer in the office network is reaching out and forming a connection to an outside server. Usually, outgoing connections are not blocked. Outgoing connections almost universally go out on random ports and are therefore not blocked.

      So essentially, your office computer connects to a neutral server outside the office network. Your home computer then connects to the same neutral server, and that neutral server connects the two together. This bypasses the issues with NAT.
