Friday, July 21, 2017

Can't create a public-facing SSH server because of a firewall or ISP policy? No worries, the Reverse SSH Tunnel comes to the rescue!

In a regular situation, creating a public-facing SSH server (or any other server) can be done as follows:


Usually, the only added complexity is that the ISP subscription gives a dynamic IP address, which changes whenever the modem/connection is restarted. But this can easily be worked around using a Dynamic DNS service.

However, today I encountered an annoying issue. The ISP I use blocks the DMZ and Port Forwarding capabilities of their router! I called and they told me they had no solution! They also wouldn't let me tinker with their router (i.e. installing OpenWrt or another open-source OS). But this turned out to be a great experience, because I learned a cool new SSH trick today!

Reverse SSH tunneling allows a publicly accessible relay server to relay connections to a private server that we own. So instead of SSH-ing to the private server, we SSH into the relay server, which in turn relays the connection to the private server. Wait, hold on a second! How could the relay server establish a connection with the private server? Isn't it not publicly accessible? Simple: the connection between the relay and the private server is initiated by the private server. So it's just like any computer SSH-ing into any publicly accessible SSH server out there.



The commands are the following:
# Run on the private server
# Tell the nusantara-cloud.com SSH server to relay any connection made to port 3559 of itself to the private server (port 22 on this machine).
ssh -R :3559:localhost:22 antonius@nusantara-cloud

# Edited on the relay server:
# Without this configured, the SSH server would only relay connections made to port 3559 if they come from the loopback adapter. With it, the port is accessible from the external world as well!
# Note: "sudo echo ... >> /etc/ssh/sshd_config" fails with "Permission denied", because the >> redirection is performed by the unprivileged shell, not by sudo. Pipe through "sudo tee -a" instead, then reload sshd so the new setting takes effect.
echo "GatewayPorts clientspecified" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl reload sshd   # the service is called "ssh" on Debian/Ubuntu
Credit: http://xmodulo.com/access-linux-server-behind-nat-reverse-ssh-tunnel.html
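One thing the post's append-to-the-end approach can miss: sshd_config(5) uses the first value it finds for a keyword, so an earlier `GatewayPorts no` (common in distro defaults) silently wins over the appended line. The helper below is an added example, not code from the original post or from xmodulo.com; it reports the value sshd would actually use for a given config file, and prints a hardened form of the post's `ssh -R` command (the file name, function names and sample config are constructed for illustration).

```shell
#!/bin/sh
# Added example (not from the original post). sshd_config(5) takes the FIRST
# value it finds for a keyword, so appending "GatewayPorts clientspecified" at
# the end of the file does nothing if the option is already set higher up.
# On the relay itself, `sudo sshd -T | grep -i gatewayports` shows the live value.

# effective_gatewayports FILE -> prints "no" (sshd's default), "yes" or "clientspecified"
effective_gatewayports() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }              # global section ends at the first Match block
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# reverse_tunnel_cmd RELAY_USERHOST REMOTE_PORT [LOCAL_PORT] -> prints a hardened
# version of the post's invocation:
#   -N                              tunnel only, no remote shell
#   ExitOnForwardFailure=yes        exit instead of silently running without the -R
#   ServerAliveInterval/CountMax    detect a dead link so a supervisor (cron, systemd) can reconnect
reverse_tunnel_cmd() {
    relay=$1; rport=$2; lport=${3:-22}
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R :%s:localhost:%s %s\n' \
        "$rport" "$lport" "$relay"
}

# Constructed sample: a stock-looking sshd_config that already sets GatewayPorts,
# followed by the post's appended line. sshd keeps the first one, i.e. "no".
demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sshd_config
Port 22
GatewayPorts no
PermitRootLogin no
GatewayPorts clientspecified
EOF
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
    cfg=$(demo_config)
    echo "effective GatewayPorts: $(effective_gatewayports "$cfg")"   # prints: no
    rm -f "$cfg"
    reverse_tunnel_cmd antonius@nusantara-cloud 3559
fi
```

Run it with `--demo` to see the check fail on the sample config; the fix is to edit the existing `GatewayPorts` line (or put the new one above it) rather than appending.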
