I want to connect from my home computer to my account on the institutional computer. That machine sits behind a NAT/firewall that does not allow access from the outside. Assuming the home computer has a known name/IP address, the setup looks more or less like this:
XXX.XXX.XXX.XXX is the IP address of the home computer (visible in the internet)
YYY.YYY.YYY.YYY is the IP address of the work computer (in a private range, hidden behind the institutional NAT/firewall)
homeuser@homepc:22022 (XXX.XXX.XXX.XXX) —>|||–> workuser@workpc:22 (YYY.YYY.YYY.YYY)
In this example, sshd listens on port 22 on the work computer and on port 2222 on the home computer, but the default port (22) can be used for both, of course. Port 22022 on the home computer is the port the tunnel will open. Only port 2222 needs to be reachable from the internet through the home firewall: port 22022 is opened by the tunnel itself on the loopback interface of the home computer (unless GatewayPorts is enabled in the home sshd_config), so it must not be opened in the firewall, and it does not need to be.
I will use a basic set of tools available in any Linux PC:
- OpenSSH
- GNU-Screen
- AutoSSH
From inside the institution I can reach my home computer, so the solution is to create a reverse tunnel with ssh from the inside out. On the work computer, type:
workuser@workpc:~$ ssh -N -R 22022:localhost:22 -p 2222 homeuser@homepc
From workuser@workpc we connect to homeuser@homepc:2222 and ask that sshd to forward connections made to port 22022 on homepc back through the tunnel to workpc:22. The -N option tells ssh not to run a remote command, since the forward is all we want.
Now there are two problems: first, you have to leave the terminal where you issued the command open; second, the connection may be dropped after some time.
The first problem is addressed with GNU Screen: just run the previous command inside a screen session, detach, and you can close the terminal window.
The second problem can be solved with autossh, which restarts ssh whenever it exits. You can pass autossh the same options you would pass to ssh:
workuser@workpc:~$ autossh -M 0 -N -o "ServerAliveInterval 300" -o "ServerAliveCountMax 3" -p 2222 -R 22022:localhost:22 homeuser@homepc
-M 0 turns off autossh's own monitoring channel (an autossh option): autossh then only restarts ssh when ssh exits, which is enough with a recent OpenSSH, where the ServerAlive options below make ssh exit by itself when the connection is dead (see the autossh manual)
-o "ServerAliveInterval 300" -o "ServerAliveCountMax 3" are ssh options (see ssh_config(5)): the client sends a keepalive every 300 seconds and gives up after 3 unanswered ones, so a dead connection is noticed within about 15 minutes and autossh starts a new ssh; lower the interval if you want faster recovery
I thought this was stable, but found out that sometimes autossh quit on the workpc, closing the tunnel. Issuing the command inside a while loop can be an alternative:
workuser@workpc:~$ while true; do autossh -M 0 -N -o "ServerAliveInterval 300" -o "ServerAliveCountMax 3" -p 2222 -R 22022:localhost:22 homeuser@homepc; sleep 10; done
That’s it!
To establish a connection through the tunnel we created, simply run on the homepc:
homeuser@homepc:~$ ssh localhost -p 22022
sshfs can be used to mount the work file system on the home pc:
homeuser@homepc:~$ sshfs -p 22022 localhost: homemountpoint
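As an added example (not code from the original post), here is the same procedure as a small script: a keeper loop for the workpc side that hardens the autossh call, and a check for the homepc side that confirms the forwarded port is listening on loopback only. The host names, ports and key path are assumptions and can be overridden through the environment; the ss output used for the demonstration is constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example, not the original post's code. Host names, ports and the key
# path below are assumptions; override them through the environment.
HOME_HOST="${HOME_HOST:-homepc}"            # public address of the home computer
HOME_PORT="${HOME_PORT:-2222}"              # sshd port on homepc
HOME_USER="${HOME_USER:-homeuser}"
TUNNEL_PORT="${TUNNEL_PORT:-22022}"         # port opened on homepc's loopback
KEY="${KEY:-$HOME/.ssh/id_ed25519_tunnel}"  # key used only for this tunnel

# Run on workpc (inside screen). Differences from a bare autossh call:
# - the -R bind address is given explicitly as 127.0.0.1, so the port is never
#   exposed to the internet even if homepc's sshd has GatewayPorts enabled;
# - ExitOnForwardFailure makes ssh exit when the remote port is still held by
#   a stale session, so the loop retries instead of sitting connected with no
#   working forward;
# - BatchMode prevents a password prompt from hanging the loop;
# - the sleep avoids a tight loop while homepc is unreachable.
tunnel_loop() {
  while :; do
    autossh -M 0 -N -i "$KEY" \
      -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
      -o ExitOnForwardFailure=yes -o BatchMode=yes \
      -p "$HOME_PORT" -R "127.0.0.1:$TUNNEL_PORT:localhost:22" \
      "$HOME_USER@$HOME_HOST"
    rc=$?
    printf '%s tunnel exited with status %s, retrying in 10s\n' \
      "$(date '+%F %T')" "$rc" >&2
    sleep 10
  done
}

# check_bind PORT: read `ss -ltn` output on stdin and return 0 only if PORT is
# listening and every listener on it is bound to loopback. Any other bind
# (0.0.0.0, [::], *) means workpc's sshd is reachable from outside homepc.
check_bind() {
  awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); lp = a[n]
      addr = substr($4, 1, length($4) - length(lp) - 1)
      if (lp == p) {
        seen = 1
        if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
      }
    }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# Constructed sample of `ss -ltn` output on homepc (not captured from a real
# machine): the tunnel port on loopback only, plus the public sshd on 2222.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:22022 0.0.0.0:*
LISTEN 0 128 [::1]:22022 [::]:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*'

# On a real homepc use: ss -ltn | check_bind "$TUNNEL_PORT"
if printf '%s\n' "$SAMPLE_SS" | check_bind "$TUNNEL_PORT"; then
  echo "port $TUNNEL_PORT is bound to loopback only"
else
  echo "WARNING: port $TUNNEL_PORT is missing or exposed beyond loopback" >&2
fi

# Start the keeper only when asked, so the file can be sourced for its functions.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
  tunnel_loop
fi
```

Because the tunnel key sits unencrypted on workpc, it is worth limiting what it can do on homepc: an authorized_keys entry such as `restrict,port-forwarding,permitlisten="127.0.0.1:22022" ssh-ed25519 AAAA... tunnel` lets that key open exactly this one remote forward and nothing else (no shell, no pty, no other ports), which is all the loop above ever asks for.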
See also http://www.rustyrazorblade.com/2010/03/ssh-reverse-tunnel-to-access-box-behind-firewall/