How Reverse SSH Tunneling Works

Typically, SSH clients connect to an SSH server running on a local network or on a public network.

But if you want to SSH from the server side back into the client machine, you need the reverse: the client has to set up the connection.

Sometimes you may want to access an SSH client behind NAT from a public SSH server. Because the NAT drops inbound connections, the client must first open an SSH session to the public server and ask the server to forward a port back through that session. The client can then be reached through the tunnel. This is called Reverse SSH Tunneling.

How to create a Reverse SSH tunnel?

Source (Public IP: 202.10.135.4) -> Internet -> NAT -> Destination(Local IP: 192.168.1.1)

Step 1:

From the Destination (192.168.1.1), SSH into the Source (202.10.135.4) and ask the Source's sshd to listen on port 20022 and forward it back through the session to port 22 on the Destination:

$ ssh -fNT -R 20022:localhost:22 source-user@202.10.135.4

-R 20022:localhost:22 requests the remote forward ("localhost" is resolved on the Destination). -N runs no remote command, -T allocates no terminal, and -f sends ssh to the background once authentication completes. By default sshd binds port 20022 to the Source's loopback interface only, so it is not reachable from the Internet; it is opened on all interfaces only if the Source's sshd_config sets GatewayPorts.

Step 2:

Now, from the Source, SSH into the Destination behind NAT through the tunnel endpoint (port 20022 on the Source's loopback) created in step 1:

$ ssh -p 20022 destination-user@localhost

Port 20022 on the Source is forwarded to port 22 on the Destination, so the host key you are asked to confirm is the Destination's, not the Source's; ssh records it under [localhost]:20022 in known_hosts.

How to create Reverse SSH tunnel port forwarding?

Let's say you want to access a nodejs web application running on the Destination behind NAT. The web application listens on TCP port 3000.

The same reverse tunnel mechanism can forward that port instead of port 22, so the web application becomes reachable from the Source.

Here is how to do it.

Source (Public IP: 202.10.135.4, Port: 20022) -> Internet -> NAT -> Destination(Local IP: 192.168.1.1, Port: 3000)

Step 1:

From the Destination (192.168.1.1), SSH into the Source (202.10.135.4) and ask the Source's sshd to listen on port 20022 and forward it back to port 3000 on the Destination:

$ ssh -fNT -R 20022:localhost:3000 source-user@202.10.135.4

Step 2:

From the Source, access the nodejs web application running on the Destination behind NAT as follows:

$ curl http://localhost:20022

Problem:

The limitation of this approach is that the Source must have a public IP address, or at least a port that the Destination can reach. Otherwise the Destination cannot open the SSH connection that carries the reverse tunnel.

What if the Source is also behind a NAT and wants to access the Destination behind another NAT ?

Source (Local IP: 10.1.1.1) -> NAT -> Internet -> NAT->Destination (Local IP: 192.168.1.1)

Solution:

A simple way around this is to give the Source a public TCP tunnel endpoint using the SocketXP cloud service.

Step 1:

Install the SocketXP client in the Source server and configure it as described in this article.

Step 2:

Get a SocketXP public TCP tunnel endpoint for the Source's SSH server (port 22) with the command below. The service prints the public host and port at which the Source's sshd is now reachable:

$ socketxp -connect tcp://localhost:22
Tunnel Access -> tunnel.socketxp.com:30981

Step 3:

From the Destination, create the reverse SSH tunnel with port forwarding as before, but connect to the SocketXP endpoint (tunnel.socketxp.com, port 30981) instead of the Source's own address:

$ ssh -fNT -R  20022:localhost:3000  -p 30981 source-user@tunnel.socketxp.com

Step 4:

From the Source, access the nodejs web application running on the Destination (listening on TCP port 3000) with the curl command below:

$ curl http://localhost:20022
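The three procedures above (reverse SSH into the Destination, forwarding the port-3000 web application, and the relayed variant through tunnel.socketxp.com:30981) all come down to one ssh -R invocation from the Destination plus a check on the Source that the forwarded port stayed on loopback. The POSIX shell script below is an added example written for this page, not code from the original post or from SocketXP. It assumes OpenSSH's ExitOnForwardFailure, ServerAliveInterval, ServerAliveCountMax and StrictHostKeyChecking options and the iproute2 ss tool; the ss -ltn listing and sshd_config fragment at the bottom are constructed samples, and the function names are this example's own, not OpenSSH's.

```shell
#!/bin/sh
# Added example, not code from the original post: build the reverse-tunnel
# command with failure-safe options, then audit how the forwarded port is
# bound on the Source. Hosts, users and ports are the ones used in the post;
# the `ss -ltn` and sshd_config samples at the bottom are constructed.

# Print the ssh command the Destination runs. Arguments:
#   $1 remote_port  port the Source's sshd listens on (20022 in the post)
#   $2 local_port   service on the Destination to expose (22 for ssh, 3000 for the app)
#   $3 target       user@host of the Source, or of a relay in front of it
#   $4 ssh_port     port to connect to (22 by default, 30981 for the relay variant)
build_reverse_tunnel_cmd() {
    remote_port=$1; local_port=$2; target=$3; ssh_port=${4:-22}
    # ExitOnForwardFailure: if remote_port is already taken, ssh exits instead
    #   of backgrounding (-f) a session that carries no forward at all.
    # ServerAlive*: a NAT mapping that silently expires is noticed after
    #   3 missed probes (about 90 s) and ssh exits, so a supervisor can restart it.
    # StrictHostKeyChecking=yes: never accept an unknown host key unattended;
    #   the tunnel's end-to-end encryption is only as good as this check.
    # The -R port binds to the Source's loopback unless sshd's GatewayPorts
    #   says otherwise; audit that with classify_listener below.
    printf 'ssh -fNT -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -R %s:localhost:%s -p %s %s\n' \
        "$remote_port" "$local_port" "$ssh_port" "$target"
}

# Read `ss -ltn` output (run on the Source) from stdin and classify the
# listeners on one port. Prints and returns:
#   loopback (0)  every listener is 127.0.0.1 or [::1]: reachable only via the Source
#   exposed  (1)  some listener is 0.0.0.0, * or [::]: reachable from the Internet
#   absent   (2)  nothing listens: the forward was not established
classify_listener() {
    port=$1
    state=absent
    while read -r _st _rq _sq laddr _rest; do
        case $laddr in
            *:"$port") ;;       # e.g. 127.0.0.1:20022, [::1]:20022, 0.0.0.0:20022
            *) continue ;;
        esac
        addr=${laddr%:*}        # strip the trailing :port
        case $addr in
            127.0.0.1|'[::1]') [ "$state" = exposed ] || state=loopback ;;
            *) state=exposed ;;
        esac
    done
    echo "$state"
    case $state in
        loopback) return 0 ;;
        exposed)  return 1 ;;
        *)        return 2 ;;
    esac
}

# Read sshd_config from stdin and print the effective GatewayPorts value.
# sshd uses the first occurrence of a keyword; unset means "no" (loopback
# only). Match blocks are ignored here for simplicity.
gateway_ports_setting() {
    value=
    while read -r key val _rest; do
        case $key in ''|'#'*) continue ;; esac
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$lkey" = gatewayports ] && [ -z "$value" ]; then
            value=$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')
        fi
    done
    echo "${value:-no}"
}

# Constructed sample of `ss -ltn` on the Source after the tunnel is up: the
# forwarded 20022 sits on loopback, while sshd's own port 22 is world-reachable.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:20022     0.0.0.0:*
LISTEN 0      128    [::1]:20022         [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Constructed sshd_config fragment: the commented line must be ignored and the
# first live GatewayPorts line wins over the later one.
SAMPLE_SSHD_CONFIG='Port 22
# GatewayPorts yes
GatewayPorts clientspecified
GatewayPorts yes'

build_reverse_tunnel_cmd 20022 22 source-user@202.10.135.4
build_reverse_tunnel_cmd 20022 3000 source-user@tunnel.socketxp.com 30981
printf '%s\n' "$SAMPLE_SS" | classify_listener 20022
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gateway_ports_setting
```

Run the printed ssh command on the Destination, then on the Source run `ss -ltn | classify_listener 20022` after sourcing the script: "exposed" means GatewayPorts has put the tunnel endpoint on a public interface, so port 22 or port 3000 of the Destination is now reachable by anyone who can reach the Source, which defeats the point of keeping it behind the Source's own SSH login.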

Conclusion:

Creating reverse SSH tunnels with port forwarding through the SocketXP cloud service is a simple way to selectively expose a service on your private network to a peer on another private network.

Note that the SSH session is encrypted end to end between the ssh client on the Destination and sshd on the Source; the SocketXP relay only forwards TCP bytes and sees SSH ciphertext, so neither SocketXP nor anyone else on the path can read the traffic. That guarantee rests on the Destination verifying the Source's host key when it connects to tunnel.socketxp.com:30981: the key presented must be the Source's own, and an unknown key must be rejected rather than accepted blindly, because any relay that terminates the TCP connection could otherwise interpose itself.

Reverse SSH tunnel port forwarding is a good way to selectively expose applications and network services in your private network to your customer's applications running in their private network.
