linux - ssh through a router without port forwarding

18
2014-04
  • Jiechao Li

    I have a Linux server, and I want to put it in a home network behind a router. I need to ssh to this server sometimes from outside, but I don't want to set up port forwarding because I don't have access to the router, and I don't know the IP of the router either.

    What I can do is put some program on the Linux server, so when it is connected to the Internet, it will constantly send data to my other server online so I know its IP address. But is there a way to ssh to the server behind the router from outside? Something like NAT or a socket that maintains the network connection?

    Thanks a lot

  • Answers
  • khaki54

    What you would want to do is ssh FROM your "linux server" TO something on the outside, such as "my_other_server" or something else both servers can get to.

    You would use ssh remote port forwarding.
    [user@linux_server]$ ssh -R8022:localhost:22 my_other_server.com
    Explanation: Connect to my_other_server and open port 8022 there which will forward back to me on port 22.

    From my_other_server.com you will be able to ssh to localhost on port 8022, and have your traffic forwarded to linux_server piggybacking on the linux_server -> my_other_server tunnel.
    [user@my_other_server]$ ssh -p8022 localhost
    Explanation: Connect to myself on port 8022 which is forwarded to linux_server

    If you have problems with the initial linux_server -> my_other_server tunnel dropping out, you could make a script to keep it open, adjust the keepalive settings, or use autossh.
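
A persistent form of the tunnel this answer describes, as an added example that is not part of the original answer: it reruns the `ssh -R` command with keepalives and a capped backoff, and prints an `authorized_keys` line that limits what the tunnel key can do on my_other_server. The account name `tunnel`, the key path, the `SSH_BIN` override and the timer values are assumptions.

```shell
#!/bin/sh
# Added example: persistent form of the reverse tunnel from the answer above.
# Assumed values (not in the post): account "tunnel", key path, timer values.
RELAY_HOST="${RELAY_HOST:-my_other_server.com}"    # relay name used in the answer
RELAY_USER="${RELAY_USER:-tunnel}"                 # hypothetical unprivileged account
RELAY_PORT="${RELAY_PORT:-8022}"                   # listener port used in the answer
KEY_FILE="${KEY_FILE:-$HOME/.ssh/tunnel_ed25519}"  # hypothetical dedicated key
SSH_BIN="${SSH_BIN:-ssh}"                          # overridable for dry runs

# One tunnel session: no remote command, exit if the forward cannot be set up,
# and drop the session after three missed 15-second keepalives.
run_once() {
    "$SSH_BIN" -N -T \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 \
        -o ServerAliveCountMax=3 \
        -o IdentitiesOnly=yes \
        -i "$KEY_FILE" \
        -R "localhost:${RELAY_PORT}:localhost:22" \
        "${RELAY_USER}@${RELAY_HOST}"
}

# Double the retry delay, capped at 300 seconds.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt 300 ]; then d=300; fi
    echo "$d"
}

# Reconnect forever; reset the backoff after a session that lasted > 60 s.
keep_tunnel() {
    delay=5
    while :; do
        start=$(date +%s)
        run_once || true
        if [ $(( $(date +%s) - start )) -gt 60 ]; then delay=5; fi
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

# authorized_keys line for the relay account: the forced command blocks shell
# use, restrict drops PTY/agent/X11, and permitlisten (OpenSSH 7.8+) limits
# remote forwards to the one loopback listener.
relay_authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s\n' \
        "$RELAY_PORT" "$1"
}

if [ "${1:-}" = "start" ]; then keep_tunnel; fi
```

Invoked with the argument `start` the script loops on linux_server; without arguments it only defines the functions. Binding the listener to `localhost` keeps port 8022 reachable only from my_other_server itself.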

  • Nathan C

    You can use a VPN of sorts to get this working, but it would require you to have a server that the inaccessible server can access. Then you can set up OpenVPN on the server, your PC, and the firewalled server, enable client-to-client, and you're done. http://openvpn.net/howto.html


  • Related Question

    port forwarding on linux without root or ssh
  • BlackShift

    I was wondering whether it is possible to get port forwarding without being root or ssh.

    Currently I do

    ssh -L 20080:othermachine:80 localhost
    

    Using ssh can get you certain benefits like creating encrypted tunnels etc. In the above example I don't do that so using ssh seems unnecessary overhead. Is there an easier way to do this?

    I suppose it is not that hard to create a program that reads all data on one socket and sends it to another and vice versa. There must be some tool that does that job better than I can ever write.


  • Related Answers
  • akira

    I would also prefer ssh BECAUSE of the encryption, but 'socat' should work fine for you as well.

  • Joe Casadonte

    You ask: Is there an easier way to do this? The simple answer would be 'no'. SSH does what you need, and it's a well-used, well-known, very efficient program with (I would imagine) very few bugs, it's available on every platform you can imagine, and it's secure to boot. You don't state that performance is an issue, so I don't see a reason why not to use SSH, personally.

    If you want to forward a local port to a port on a different machine, you need something that will authenticate on that remote host. That's SSH. If you only want to mess with local ports, then as mentioned already, socat may be just what you're looking for.

  • KeithB

    If what you are doing works, and you aren't seeing any performance problems, I wouldn't change anything. If you aren't transferring large amounts of data, it shouldn't have much of an impact. And if you are, ssh can compress the data, so you still might be better off.

    The only problem might be with latency. It looks like you are tunneling http traffic, so it should be negligible.

  • Arjan

    Whatever tool you use: when not using Windows then you will always (and only) need to run with superuser privileges when using privileged ports ("well known ports"). So: when using ports up to and including 1023.

  • BlackShift

    Just a quick note, it seems that ncat that comes with the new nmap 5 can do similar things as socat: http://nmap.org/ncat/