How to Setup Reverse SSH Tunnel on Linux

In this tutorial we explain how to set up a reverse SSH tunnel on Linux. Say you have a Linux machine behind NAT and a VPS with a public IP address. You want to SSH from the VPS to the machine behind NAT, but you don't want to bother with port forwarding on the NAT router, or the machine behind NAT doesn't have a static IP address. The solution is to turn the connection around: the machine behind NAT opens an outbound SSH session to the VPS and asks the VPS's sshd to listen on a port whose connections are forwarded back through that session to the NAT'd machine's own SSH server.

1. Setting up a reverse SSH tunnel

We'll start by setting up the reverse SSH tunnel on the machine that is behind NAT. Do that by typing in the following command:

ssh -R 24553:localhost:22 user@VPS_IP

Note: Substitute your own SSH user and the VPS's IP address (or host name) for user and VPS_IP. The option -R 24553:localhost:22 asks sshd on the VPS to listen on port 24553 and forward every connection it receives, through this SSH session, to port 22 on the machine behind NAT (localhost is resolved on the NAT'd machine, not on the VPS). The tunnel exists only for as long as this SSH session stays open: keep it running in a terminal, or add -N (no remote command) and -f (go to background after authentication) if you don't need the interactive shell.

The port used for the reverse tunnel in the command above is 24553; feel free to use whatever port you like, as long as nothing else on the VPS already listens on it. Pay attention to where that port is bound. With OpenSSH's default of GatewayPorts no, sshd binds the forwarded port to 127.0.0.1 on the VPS, so it is reachable from the VPS itself but not from the Internet, and no firewall change is needed unless your INPUT chain also drops loopback traffic. Only if you set GatewayPorts yes (or clientspecified together with a bind address in -R) in the VPS's sshd_config does the port listen on all interfaces, and then it must also be open in the VPS firewall. You can check iptables by executing the following command as root (on a distribution that uses nftables or firewalld, look at nft list ruleset or firewall-cmd --list-all instead):

iptables -L -vn

If the output has a DROP all line at the bottom like the following example:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 3214 3919K ACCEPT     all  --  *      *       10.20.30.1           0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       10.20.31.2           0.0.0.0/0
 631K  855M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 329K   17M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Or an INPUT policy set to DROP like the following example:

Chain INPUT (policy DROP 329K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 3214 3919K ACCEPT     all  --  *      *       10.20.30.1           0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       10.20.31.2           0.0.0.0/0
 631K  855M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Then new connections that match no ACCEPT rule are dropped. Note that neither example has a rule accepting traffic on the loopback interface (lo), so even a connection to 127.0.0.1:24553 from the VPS itself would be dropped; the right fix for that is a rule that accepts input on lo, not opening the port to every source. If you have enabled GatewayPorts and do want the tunnel port reachable from the Internet, open it by executing the command:

iptables -I INPUT 1 -p tcp --dport 24553 -j ACCEPT

Of course, make sure to replace the value after --dport with your preferred port number. This rule accepts connections from any source address, which makes the SSH server of the machine behind NAT reachable by anyone on the Internet through the VPS. If that is really what you need, narrow the rule to the addresses you administer from (an -s source match) and make sure the NAT'd machine's sshd accepts key-based authentication only. The rule is also lost on reboot unless you save it with iptables-persistent (Debian/Ubuntu) or iptables-services (RHEL/CentOS).

2. Connecting to the SSH tunnel

This is really easy and is done by executing the following command on the VPS:

ssh localhost -p 24553

Although the command says localhost, you are logging in to the machine behind NAT, not to the VPS: sshd on the VPS accepts the connection on port 24553 and hands it through the tunnel to port 22 on the NAT'd machine. The user name therefore defaults to the one you are logged in as on the VPS; if your account on the NAT'd machine is different, put that user name in front of localhost. The first connection shows a new-host-key prompt for the NAT'd machine's key, which ssh records in known_hosts under [localhost]:24553, so expect a host key mismatch warning if you later reuse the same port for a different machine.

Because the port is only bound on the VPS's loopback interface, other machines reach the NAT'ed machine by first logging into your VPS:

ssh user@VPS_IP

And then logging in to the machine behind NAT from your VPS:

ssh localhost -p 24553

Keep in mind that every account on the VPS can connect to port 24553 and attempt to authenticate against the NAT'd machine's sshd, so the VPS should be at least as trusted as the machine you are exposing, and the NAT'd sshd should require key-based authentication.

3. Creating a persistent SSH tunnel

The tunnel we created above won't be persistent: ssh exits as soon as the connection from the machine behind NAT drops (for example when its Internet link or its dynamic IP address changes), and nothing re-establishes it. If we want to make our reverse SSH tunnel persistent we need to install autossh, which starts ssh and restarts it whenever it exits or its connection stops responding.
For Ubuntu/Debian execute the following command to install autossh:

apt-get install autossh

For RHEL/CentOS, where autossh is provided by the EPEL repository, execute the following command to install autossh:

yum install autossh

Now we need to create the reverse SSH tunnel on the machine behind NAT, execute the following command:

autossh -M 20110 -o ServerAliveInterval=20 -R 24553:localhost:22 user@VPS_IP >/dev/null 2>&1 &

The redirection must come before the trailing &; written after it, as in some copies of this command, it applies to an empty command and autossh keeps writing to the terminal. Two things to know about the options. -M 20110 is autossh's monitor port: autossh forwards a pair of extra ports (20110 on the machine behind NAT, 20111 on the VPS) and periodically echoes data through them to detect a dead connection, so both must be free; many people use -M 0 instead and let ssh's own keepalives (ServerAliveInterval together with ServerAliveCountMax) do the detecting. And autossh cannot type passwords, so reconnection only works with an SSH key the NAT'd machine can use unattended (a key without a passphrase, or one loaded into an agent). It is also worth adding -o ExitOnForwardFailure=yes: if the VPS still holds port 24553 from an old session that has not timed out yet, ssh then exits and autossh retries, instead of connecting happily without the tunnel while autossh sees nothing wrong.

And then log in to the machine behind NAT by executing the following command on your VPS:

ssh localhost -p 24553
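
Whether started with a trailing & or with -f, the autossh process above dies when the machine behind NAT reboots. The script below is an added example, not part of the original tutorial: it writes a systemd unit that starts the tunnel at boot and restarts it after every failure, with the options discussed above (-M 0 plus keepalives, ExitOnForwardFailure, BatchMode). The local account tunnel, the host vps.example.com, the key path and the binary path /usr/bin/autossh are assumptions; port 24553 follows the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: emit a systemd unit that
# starts autossh at boot and restarts it whenever it dies. The user name
# "tunnel", the host "vps.example.com", the key path and /usr/bin/autossh are
# assumptions; port 24553 follows the tutorial.

# reverse_tunnel_unit REMOTE_USER VPS_HOST REMOTE_PORT KEY_PATH
# Prints the unit to stdout. The service runs as the unprivileged local user
# "tunnel", which owns KEY_PATH (a key without passphrase, since nobody is
# there to type one; limit what that key may do in authorized_keys on the VPS).
reverse_tunnel_unit() {
    remote_user="$1"; vps_host="$2"; remote_port="$3"; key_path="$4"
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to ${vps_host}
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
# Keep retrying even if the very first attempt fails (at boot the network may
# not be ready yet); by default autossh gives up if ssh dies inside its gate time.
Environment=AUTOSSH_GATETIME=0
# -M 0: no autossh echo port; the ServerAlive* keepalives detect dead links.
# -N: no remote shell, only the forwarding. BatchMode: never prompt.
# ExitOnForwardFailure: if the VPS still holds ${remote_port} from a stale
# session, ssh exits instead of running without the tunnel, and autossh retries.
# The bind address 127.0.0.1 keeps the port on the VPS loopback interface.
ExecStart=/usr/bin/autossh -M 0 -N \\
    -o BatchMode=yes \\
    -o ExitOnForwardFailure=yes \\
    -o ServerAliveInterval=20 \\
    -o ServerAliveCountMax=3 \\
    -o StrictHostKeyChecking=yes \\
    -i ${key_path} \\
    -R 127.0.0.1:${remote_port}:localhost:22 ${remote_user}@${vps_host}
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# Install on the machine behind NAT (as root), after creating the "tunnel"
# user and its key and adding the VPS host key to /home/tunnel/.ssh/known_hosts
# (StrictHostKeyChecking=yes refuses unknown hosts instead of asking):
#   reverse_tunnel_unit tunnel vps.example.com 24553 /home/tunnel/.ssh/id_ed25519 \
#       > /etc/systemd/system/reverse-tunnel.service
#   systemctl daemon-reload && systemctl enable --now reverse-tunnel.service
```

Restart=always together with AUTOSSH_GATETIME=0 means the tunnel comes back both when ssh drops the connection and when autossh itself exits, and journalctl -u reverse-tunnel shows every reconnect attempt.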

That's it, now you have successfully set up a reverse SSH tunnel on Linux. Note that an autossh started from a shell as above does not survive a reboot of the machine behind NAT; if the tunnel has to come up at boot, start autossh from a system service instead.

Of course, if you use one of our Linux support services, you can always contact our expert Linux admins (via chat or ticket) and ask them to set up a reverse SSH tunnel on your Linux VPS for you. They are available 24×7 and will provide information or assistance immediately.
