I frequently need to get access to a machine behind a firewall to do some web development, but I don’t have a VPN available. Not a problem – just use a reverse SSH tunnel. By the end of this tutorial, we’ll be able to SSH to the remote server, as well as view any web pages that server has access to.

We’re going to connect to the remote server using our local port 5000 – here’s how.

The two boxes we’ll use are my.home.com (also referred to as localhost) and my.remote.com. We’re assuming you already have some way to log in to my.remote.com – maybe while at work or through a tool like Citrix. You might want to add monitoring to keep the tunnel up reliably, but that’s outside the scope of this tutorial. Also, you’ll need direct outside access to your home machine – so you might need to configure your router to do port forwarding.

  1. First, from the remote server, SSH back to yourself.

    ssh -R 5000:localhost:22 username@my.home.com

    You can now SSH to the remote box through the tunnel by typing

    ssh localhost -p 5000

    All local traffic that connects to port 5000 is being forwarded via SSH through your reverse tunnel, back to port 22 on the remote machine.

    The other half of the problem is viewing web pages of dev boxes behind the firewall – it turns out this is pretty easy once you’ve got the reverse tunnel going.

  2. On your home machine type the following:

    ssh -D 9999 username@localhost -p 5000

  3. Next, you’ll need to set up a SOCKS proxy. Open your browser’s settings and point it to the server “localhost” on port 9999. This will forward your traffic back through the tunnel and to the remote server. I do this using FoxyProxy & Firefox, so I can limit the domains that actually route through the proxy.


  4. That’s about it – you should now be able to visit any site that’s in the private network. You now have command line and full browser access.
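    An added example, not the post’s own code: it wraps step 1 in the reconnect loop the post leaves out of scope, and on the home side verifies that the port `ssh -R` opened is bound to loopback only (sshd’s default unless GatewayPorts is enabled, which matters since the router forwards to that box). It assumes OpenSSH on both machines and `ss` on my.home.com; the listener output it checks is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): runs step 1 from my.remote.com
# with keepalives and a reconnect loop, and checks on my.home.com that the
# forwarded port is bound to loopback only. Host and user names are the
# tutorial's; the `ss -ltn` listings below are constructed sample data.
REMOTE_PORT=5000      # the port `ssh -R` opens on my.home.com
HOME_USER="username"
HOME_HOST="my.home.com"
# Step-1 arguments. -N: forward only, no shell. ExitOnForwardFailure: fail
# loudly if 5000 is already taken instead of silently giving a tunnel with
# no forward. ServerAlive*: notice a dead link within ~90 s so we reconnect.
tunnel_args() {
    printf '%s' "-N -R ${REMOTE_PORT}:localhost:22 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 ${HOME_USER}@${HOME_HOST}"
}

# The monitoring the post leaves out of scope: re-run ssh whenever it exits.
run_tunnel() {
    while :; do
        # shellcheck disable=SC2046  # word splitting of the args is intended
        ssh $(tunnel_args) || true
        sleep 10
    done
}

# Report how PORT ($1) is bound in an `ss -ltn` listing ($2). sshd binds -R
# forwards to loopback unless GatewayPorts is enabled; since the router
# forwards to this box, only loopback is acceptable for the tunnel entry.
# Exit 0: loopback only; 1: exposed on another address; 2: not listening.
check_bind() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" {
            addr = $4
            if (sub(":" p "$", "", addr) == 0) next   # some other port
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { if (!found) exit 2; if (exposed) exit 1; exit 0 }'
}

# Constructed sample listings, not output from the author's machine.
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*
LISTEN 0      128    [::1]:5000         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SS_EXPOSED='LISTEN 0      128    0.0.0.0:5000       0.0.0.0:*'
case "${1:-}" in
    run)   run_tunnel ;;                              # on my.remote.com
    check) check_bind "$REMOTE_PORT" "$(ss -ltn)" ;;  # on my.home.com
esac
```

    Run it with `run` on my.remote.com to hold the tunnel open, and with `check` on my.home.com after the tunnel is up.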

    Helpful references:

    howtoforge.com/reverse-ssh-tunneling

    embrace ubuntu


7 Responses to SSH Reverse Tunnel To Access Box Behind Firewall

  1. Sam S says:

    thanks man. this freaken rules.

    plus this: http://www.rustyrazorblade.com/2009/09/helpful-guide-for-setting-up-sshfs-on-mac/

    i can work from home using proper tools!

  2. Sometimes, when all you need is to make your development web server publicly accessible, the localtunnel tool would be handy for you: http://www.componentix.com/blog/17

  3. pizza says:

    Can you be more specific on the “localhost”?
    1.
    ssh -R 5000:localhost:22 username@my.home.com
    localhost refers to remote server (my.remote.com)

    2.
    ssh localhost -p 5000
    localhost refers to home server (my.home.com)

    3.
    ssh -D 9999 username@localhost -p 5000
    localhost refers to home server (my.home.com)

    Using either one will do.

    PS. The above assumes the user is using the SSH server (my.home.com); how about if you are accessing from a 3rd PC which is not within either of the two networks (my.home.com / my.remote.com)?

    Do the 2 commands below?
    From Remote Server (with web content which we want to access):
    ssh -R 5000:my.remote.com:22 username@my.home.com

    From User – Not in web server (my.remote.com) or SSH server (my.home.com) network
    ssh -D 9999 username@localhost -p 5000

    Sorry, it’s kind of complex with the use of “localhost”.

    Is the above description correct?

  4. pizza says:

    Oops, let me address the PS. part again.

    Enter the 3 commands below?
    1) From Remote Server (with web content which we want to access):
    ssh -R 5000:my.remote.com:22 username1@my.home.com

    2) From User – Not in web server (my.remote.com) or SSH server (my.home.com) network
    ssh -D 9999 username2@my.home.com -p 5000

    3) Proxy Set to:
    localhost:9999 or user’s IP:9999

    SSH Data:
    User:22 –Tunnel 1–>my.home.com:22–Tunnel 2–>my.remote.com:22

    my.home.com: don’t really need to use 22, it depends on the SSH server

    Web Server Content:
    User:9999 –Tunnel 1–>my.home.com:5000–Tunnel 2–>my.remote.com:22

  5. jon says:

    Hi Pizza.

    Command 1 executes from the machine behind firewall.
    Command 2 & 3 you execute on your home machine.

    You execute command 1 on the machine behind the firewall in order to come back to yourself at home. It opens up port 5000 at home automatically.

    It can be done with a 3rd server in the middle – but it’s a pain. It’s why I opened port 22 and pointed it to my home machine.

  6. pizza says:

    Sorry for the questions, but I am really curious d;P… just thinking of all the possibilities

    1))
    Based on your example I assume BOTH SSH and Web Server use the same port, but I thought that no 2 applications can use the same port?

    2))
    Is this the Network overview from your example?
    User:9999 –Tunnel 1–> my.home.com:5000 –Tunnel 2–> my.remote.com:22
    (User in same network as home server)

    or (user is at home server)
    my.home.com:5000(redirect to port 9999) –Tunnel 2–> my.remote.com:22

    3))
    Below is just for my curiosity
    If no reverse SSH is made from the remote web server, but you know port 22 is open, can you still access the remote web server?

    Probably not, since most firewalls will allow requests going out but not requests coming in from outside the network….

  7. jon says:

    On #1 – no, the 2 aren’t using the same port. You’re routing through an SSH connection, which connects to port 80 on the other side.

    I’m not sure I understand question #2.

    If you can SSH into the remote server, you can just do this

    ssh -D 9999 remote.server.com

    Then set up the SOCKS proxy to point to localhost port 9999.
