Reverse SSH Tunnel

Advantages:

  • no port forwarding or public IP needed on the LAN of the host: the host opens an outbound ssh connection to the VPS and the VPS accepts the incoming traffic

  • encrypted connection between the VPS and the host

  • hides the public IP of the host: clients only ever see the IP of the VPS

Requirements:

  • a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month

  • root access on the VPS - on Linux only root can bind the privileged ports below 1024 (80 and 443 in the example below), and the tunnel logs in to the VPS as root

  • ssh access to the host computer (where the ports will be forwarded from)

  • autossh installed on the host computer (Debian/Ubuntu: sudo apt install autossh)

On the host computer

  • Because the systemd service below runs as root, do these steps as root on the host (sudo -i) so the key ends up in /root/.ssh; otherwise set User= in the service to the account that owns the key. Check for an existing ssh public key: $ cat ~/.ssh/*.pub

  • if there is none generate one. Keep pressing ENTER: an unattended service cannot type a passphrase, so the key is stored without one, which means whoever can read the file can log in to the VPS as root. Protect the host accordingly: $ ssh-keygen -t rsa -b 4096

  • copy the ssh public key over to the VPS (fill in the VPS_IP_ADDRESS). You will be prompted for the root password of the VPS, so PermitRootLogin must still allow password logins at this point: $ cat ~/.ssh/id_rsa.pub | ssh root@VPS_IP_ADDRESS 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

  • test that the key works before going on: $ ssh root@VPS_IP_ADDRESS true (no password prompt). This also stores the VPS host key in known_hosts, which the service needs because it cannot answer the yes/no prompt.

Working on the VPS

  • login as root or run: sudo su -

  • edit the sshd config: sudo nano /etc/ssh/sshd_config

  • make sure these entries are active (uncommented, meaning there is no # at the beginning of the line). sshd uses the first value it reads for a keyword, and any line after a Match block belongs to that block, so edit the existing lines in the main part of the file rather than pasting copies at the end:

    PubkeyAuthentication yes
    GatewayPorts yes
    AllowTcpForwarding yes
    ClientAliveInterval 60

    RSAAuthentication is an SSH protocol 1 option; current OpenSSH ignores it with a "Deprecated option" warning, so leave it out. GatewayPorts yes makes the -R forwards listen on all interfaces of the VPS instead of loopback only; it applies to every user who can log in, so keep the VPS's user list small. Once the key login works, PermitRootLogin prohibit-password turns off password logins for root.

    CTRL+O, ENTER to save, CTRL+X to exit.

  • check the config, then restart the sshd service (WARNING: you can lose access at this point if the config is wrong, so keep your current session open and test a new login from a second terminal): $ sudo sshd -t && sudo systemctl restart sshd

  • confirm the values sshd actually uses: $ sudo sshd -T | grep -iE 'gatewayports|allowtcpforwarding|pubkeyauthentication|clientaliveinterval'
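Two rules of sshd_config cause most "I added the lines but nothing changed" problems: the first value read for a keyword wins, and everything after a Match line is scoped to that Match block, not global. The script below is an added example (not from this page or the linked projects) that reproduces those two rules over a constructed sshd_config, first with the recommended lines pasted at the end of a file that already contains GatewayPorts no and a Match block, then with the same file corrected. It assumes the "Keyword value" syntax (not "Keyword=value") and no Include directives; on a real VPS, sshd -T is the authoritative check.

```bash
#!/usr/bin/env bash
# Added example: emulate sshd's "first value wins" and "after Match is not global"
# rules to show why appending directives to the end of sshd_config can be ignored.
# Assumptions: "Keyword value" syntax only, no Include directives.

# effective_sshd_value CONFIG_FILE KEYWORD
# Prints the global value sshd would use for KEYWORD (case-insensitive): the first
# non-comment occurrence before any Match line, or "(default)" if never set there.
effective_sshd_value() {
    local file="$1" key
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                 # rest of file is Match-scoped
        tolower($1) == key { print $2; found = 1; exit } # first value wins
        END { if (!found) print "(default)" }
    ' "$file"
}

# check_required_directives CONFIG_FILE
# Compares the effective global value of each directive the tunnel relies on with
# the expected value; prints one line per directive, returns 1 on any mismatch.
check_required_directives() {
    local file="$1" rc=0 entry key want got
    for entry in PubkeyAuthentication=yes GatewayPorts=yes \
                 AllowTcpForwarding=yes ClientAliveInterval=60; do
        key=${entry%%=*}; want=${entry#*=}
        got=$(effective_sshd_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            printf 'OK    %-22s %s\n' "$key" "$got"
        else
            printf 'FAIL  %-22s effective=%s expected=%s\n' "$key" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the global section already says "GatewayPorts no", the file
# ends with a Match block, and the recommended lines were pasted at the very end.
PASTED_AT_END=$(mktemp)
cat > "$PASTED_AT_END" <<'EOF'
# sshd_config (constructed for this example)
Port 22
#PubkeyAuthentication yes
GatewayPorts no
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding no

PubkeyAuthentication yes
GatewayPorts yes
AllowTcpForwarding yes
ClientAliveInterval 60
EOF

# Same file corrected: the existing lines are edited in place, in the global
# section, above the Match block.
CORRECTED=$(mktemp)
cat > "$CORRECTED" <<'EOF'
# sshd_config (constructed for this example)
Port 22
PubkeyAuthentication yes
GatewayPorts yes
AllowTcpForwarding yes
ClientAliveInterval 60
Match User backup
    AllowTcpForwarding no
EOF
trap 'rm -f "$PASTED_AT_END" "$CORRECTED"' EXIT

echo "--- recommended lines pasted at the end of the file:"
check_required_directives "$PASTED_AT_END" || echo "=> edit the existing lines in the global section instead"
echo "--- corrected file:"
check_required_directives "$CORRECTED"
```

In the first file GatewayPorts stays "no" and PubkeyAuthentication and ClientAliveInterval fall back to their defaults, because the appended copies sit inside the Match User backup block; only the corrected file passes.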

Back to the host computer

Set up a systemd service

  • create the service file: sudo nano /etc/systemd/system/autossh-tunnel.service

  • Paste the following and fill in the VPS_IP_ADDRESS. Add or remove -R entries as required; each one reads REMOTE_PORT:localhost:LOCAL_PORT and binds REMOTE_PORT on the VPS. Forward only services you really want reachable from the internet, because anyone who can reach the VPS can reach them.

    [Unit]
    Description=AutoSSH tunnel service
    After=network-online.target
    Wants=network-online.target
    # keep retrying forever, even after repeated quick failures
    StartLimitIntervalSec=0
    [Service]
    # the key copied to the VPS must belong to this user (here /root/.ssh/id_rsa)
    User=root
    Group=root
    # retry even if the very first connection attempt fails
    Environment="AUTOSSH_GATETIME=0"
    # -M 0: no autossh monitor port, ssh's own keepalives detect a dead link
    # ExitOnForwardFailure=yes: exit (and get restarted) if a -R port cannot be bound
    # add -v for verbose output while debugging
    ExecStart=/usr/bin/autossh -C -M 0 -N -o "ServerAliveInterval=60" -o "ServerAliveCountMax=3" -o "ExitOnForwardFailure=yes" -R 9735:localhost:9735 -R 443:localhost:443 -R 80:localhost:80 root@VPS_IP_ADDRESS
    Restart=always
    RestartSec=10
    StandardOutput=journal
    [Install]
    WantedBy=multi-user.target

  • Enable and start the service:

    $ sudo systemctl enable autossh-tunnel
    $ sudo systemctl start autossh-tunnel

  • The port forwarding with a reverse ssh tunnel is now complete. You should be able to access the forwarded ports/services of the host computer through the IP of the VPS. Everything you forwarded is now exposed on a public address, so the services themselves still need their own authentication and TLS where appropriate.

Monitoring

  • Check the service state and recent log lines on the host computer: $ sudo systemctl status autossh-tunnel and $ sudo journalctl -f -n 20 -u autossh-tunnel

  • To check if the tunnel is active on the VPS, list the listening sockets with their owning process (root is needed to see process names; netstat -tulpn works the same way where it is still installed): $ sudo ss -tulpn

  • Each forwarded port should show sshd listening on 0.0.0.0 or [::], not on 127.0.0.1 (GatewayPorts not in effect) and not owned by another process (port already taken). From a machine outside, a quick reachability test is: $ nc -vz VPS_IP_ADDRESS 9735
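Reading ss output by eye gets tedious once several ports are forwarded, and the two failure modes that matter (a forward bound to loopback only because GatewayPorts is not in effect, and a port already owned by another daemon so ssh only printed a warning) look similar at a glance. The script below is an added example (not from this page or the linked projects) that classifies each tunnel port from a saved ss -tlnp listing. The listing is constructed for the demo; on the VPS you would produce it with sudo ss -tlnp > /tmp/ss.txt and point the function at that file.

```bash
#!/usr/bin/env bash
# Added example: classify each forwarded port from `ss -tlnp` output on the VPS.
# The sample below is constructed; real input comes from: sudo ss -tlnp > /tmp/ss.txt

SS_SAMPLE=$(mktemp)
cat > "$SS_SAMPLE" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=611,fd=3))
LISTEN  0       128           0.0.0.0:9735        0.0.0.0:*      users:(("sshd",pid=1402,fd=9))
LISTEN  0       128         127.0.0.1:443         0.0.0.0:*      users:(("sshd",pid=1402,fd=10))
LISTEN  0       511           0.0.0.0:80          0.0.0.0:*      users:(("nginx",pid=533,fd=6))
EOF
trap 'rm -f "$SS_SAMPLE"' EXIT

# tunnel_port_status SS_FILE PORT
# Prints one of:
#   ok         sshd listens on a wildcard address, reachable from outside
#   localonly  sshd listens on loopback only (GatewayPorts yes not in effect)
#   taken:X    process X owns the port; ssh warned "remote port forwarding failed"
#              and, without ExitOnForwardFailure=yes, kept running without it
#   missing    nothing listens on the port (tunnel down or -R entry absent)
tunnel_port_status() {
    local file="$1" port="$2"
    awk -v port="$port" '
        $1 != "LISTEN" { next }                      # skip header and non-listeners
        {
            n = split($4, a, ":"); p = a[n]          # "0.0.0.0:80" / "[::]:80" -> port
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p != port) next
            proc = "?"
            if (match($0, /users:\(\("[^"]+"/))      # users:(("nginx",pid=...
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (proc != "sshd") { print "taken:" proc; found = 1; exit }
            if (addr == "127.0.0.1" || addr == "[::1]") { print "localonly"; found = 1; exit }
            print "ok"; found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$file"
}

# check_tunnel_ports SS_FILE PORT...
# Reports every port and returns 1 if any port is not "ok".
check_tunnel_ports() {
    local file="$1" rc=0 port status
    shift
    for port in "$@"; do
        status=$(tunnel_port_status "$file" "$port")
        printf '%-6s %s\n' "$port" "$status"
        [ "$status" = "ok" ] || rc=1
    done
    return $rc
}

echo "--- tunnel ports on the VPS (constructed ss -tlnp output):"
check_tunnel_ports "$SS_SAMPLE" 9735 443 80 || echo "=> some forwards are not reachable from outside"
```

In the sample, 9735 is fine, 443 is bound to loopback only, and 80 is held by nginx, so the check returns non-zero; the "taken" case is exactly the one that ExitOnForwardFailure=yes in the service turns from a silent gap into a restart you can see in journalctl.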

Resources

https://github.com/rootzoll/raspiblitz/blob/master/FAQ.md#how-to-setup-port-forwarding-with-a-ssh-tunnel

https://stadicus.github.io/RaspiBolt/raspibolt_21_security.html#login-with-ssh-keys