Permanent Reverse SSH Tunneling
This tutorial shows how to open a remote connection (via SSH) into a network that does not allow incoming connections, and more generally to a computer without a public IP address.
You have access to inside, outside and middle, but cannot reach inside from outside because of a firewall you do not control. To gain such access you open a permanent connection from inside to middle, then have middle forward every connection arriving from outside to inside over that permanent connection.
You need
On inside machine (Unix-like)
- A regular account (no root needed)
- An SSH client that can connect to middle (installed by default on every Linux distribution and on Mac OS X)
- An SSH server accessible at least locally, from the machine itself or, more commonly, from the local network (i.e. 192.168.0.XXX)
- Access to crontab
On middle machine (Unix-like)
- A root/sudo account (to modify the SSH server configuration files)
- An SSH server accessible from everywhere (i.e. with a public IP address)
On any outside machine (Any platform)
- A regular account with an SSH client (Windows machines need a third-party SSH client)
You do
On middle:
- To keep the connection permanent you must prevent any timeout or closing procedure due to inactivity:
edit /etc/ssh/sshd_config
and add/modify the following lines:
TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
GatewayPorts yes
Two things to be aware of: GatewayPorts yes makes the reverse-forwarded port (19999 below) listen on all of middle's interfaces, so it is reachable from the whole internet and protected only by inside's SSH server; and with ClientAliveCountMax 99999 middle will keep a dead session, and the port it holds, around for a very long time, so a relaunched tunnel may fail to bind that port until the old session is cleaned up.
On inside:
- For inside to log into middle without typing a password, you need to set up a public key.
create a key pair (choose the default options):
ssh-keygen -t rsa
copy the public key to middle:
ssh-copy-id <middle-username>@<middle-hostname>
- To relaunch the connection if it is lost, create a script and add it to your crontab
create a file launch-reverse-ssh-tunneling.sh with the following contents:
#!/bin/sh
# Relaunch the reverse tunnel if no ssh process carrying this forward is running
if ! ps -ef | grep -v grep | grep -q 'ssh -fN -R 19999:localhost:22'; then
    ssh -fN -R 19999:localhost:22 <middle-username>@<middle-hostname>
fi
make the file executable:
chmod +x /path/to/your/script/launch-reverse-ssh-tunneling.sh
edit the crontab:
crontab -e
add the following line:
* * * * * /path/to/your/script/launch-reverse-ssh-tunneling.sh
This will check every minute whether the tunnel is alive and relaunch it if it died.
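As an added example (not the page's own script), a variant of launch-reverse-ssh-tunneling.sh that asks an ssh control socket whether the tunnel session is really up, and passes ExitOnForwardFailure so a session whose reverse port could not be bound on middle is not mistaken for a healthy tunnel. MIDDLE, REMOTE_PORT and the socket path are placeholders, the socket path is assumed to contain no whitespace, and the cron line becomes `* * * * * /path/to/your/script/launch-reverse-ssh-tunneling.sh run`.

```shell
#!/bin/sh
# Example watchdog variant of launch-reverse-ssh-tunneling.sh (added here, not
# the page's original). Placeholders: MIDDLE, REMOTE_PORT, SOCK; the socket path
# is assumed to contain no whitespace.
MIDDLE="${MIDDLE:-<middle-username>@<middle-hostname>}"
REMOTE_PORT="${REMOTE_PORT:-19999}"
SOCK="${SOCK:-$HOME/.ssh/reverse-tunnel.sock}"

# Arguments for the tunnel session. -M/-S create a control socket we can query.
# ExitOnForwardFailure=yes makes ssh exit when middle cannot bind REMOTE_PORT
# (e.g. a dead session's listener is still held), instead of staying connected
# with no forward and fooling a process-based check. ServerAlive* makes the
# client notice a dead TCP session within about 90 s and exit, freeing the socket.
tunnel_args() {
    echo "-M -S $SOCK -fN -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R $REMOTE_PORT:localhost:22 $MIDDLE"
}

# Exit 0 only if the control master behind SOCK still has a live session.
tunnel_alive() {
    ssh -S "$SOCK" -O check "$MIDDLE" >/dev/null 2>&1
}

# Relaunch the tunnel when it is not alive. Exit status is that of the check
# or of the relaunch attempt.
ensure_tunnel() {
    if tunnel_alive; then
        return 0
    fi
    rm -f "$SOCK"   # leftover socket from a crashed session would block -M
    # shellcheck disable=SC2046 -- word splitting of the argument string is intended
    ssh $(tunnel_args)
}

# Cron entry: * * * * * /path/to/your/script/launch-reverse-ssh-tunneling.sh run
if [ "${1:-}" = run ]; then
    ensure_tunnel
fi
```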
You can
You should now be able to reach inside from outside through a connection to middle:
ssh <inside-username>@<middle-hostname> -p 19999
Enjoy! ;)
Links
http://en.wikipedia.org/wiki/Reverse_connection