Some notes on computer stuff

How to connect a computer behind NAT to another computer behind NAT using ssh

October 10, 2012
[howto] [ssh] [network] [nat]

I had been wondering for some time how I could connect to my laptop from work, but didn't know how to do that without using a VPN. I even decided that it's impossible to do something simple, but then... I realized that a third-party server to which I have access through ssh can be used for this.

The thing is that ssh can do port forwarding, which can be used to forward ssh traffic through an ssh tunnel.

Consider having three machines:

  • machine DST, a remote one, to which we want to connect
  • machine SRC, our local host, at which we're working
  • machine SRV, a publicly accessible, ssh-enabled web server on the Internet on which you have an account

We need to connect to the DST machine from SRC using SRV. Here is how one can do that:

One port forwarding operation

The idea:

  1. Run sshd on DST, listening on DST:port
  2. Forward DST:port to SRV:port using ssh
  3. Connect to SRV from SRC using ssh
  4. Connect to DST from the ssh session on SRV using SRV:port

Let's use the same port number on both DST and SRV for simplicity; let it be 4567, so:

DST:port = 4567
SRV:port = 4567

Let's perform the algorithm step by step:

  • Step #1
root@DST# sshd -p 4567
  • Step #2
user@DST$ ssh -R 127.1:4567:127.1:4567 user@SRV

You should leave this session open, otherwise the port mapping will end. Also check ssh's warning messages: there should be no "remote port forwarding failed" messages in the output.

  • Step #3
user@SRC$ ssh user@SRV
  • Step #4
user@SRV$ ssh -p 4567 user@127.0.0.1

Two port forwarding operation

Here the idea is a bit different at the end (from step number three):

  1. Run sshd on DST, listening on DST:port
  2. Forward DST:port to SRV:port using ssh
  3. Forward SRV:port to SRC:port using ssh
  4. Connect to SRC:port

We also need to use an additional port on our SRC machine:

SRC:port = 4567

I won't repeat the first two steps, as they are the same as in the "One port forwarding operation" section. Here are the new third and fourth steps:

  • Step #3
user@SRC$ ssh -L 127.1:4567:127.1:4567 user@SRV

You should leave this session open, otherwise the port mapping will end. Also check ssh's warning messages: there should be no port forwarding failure messages in the output.

  • Step #4
user@SRC$ ssh -p 4567 user@127.0.0.1

Now you should be logged in on DST. Mission completed!
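
An added example (not part of the original post): a POSIX shell check that classifies where the listening side of the -R and -L forwards above is bound, since a listener on SRV that is not loopback-only exposes DST's sshd to anyone who can reach that port. The function names and every sample spec other than 127.1:4567:127.1:4567 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the LISTENING side of an ssh -R / -L forward spec
# of the form [bind_address:]port:host:hostport (TCP forwards only).
# For -R the server's GatewayPorts setting has the final say on the bind address.

# Prints one of: loopback | wildcard | implicit | specific | unsupported
classify_listener() {
    spec=$1
    # Hide bracketed IPv6 literals so their colons are not counted as separators.
    norm=$(printf '%s' "$spec" | sed 's/\[[^]]*]/X/g')
    colons=$(printf '%s' "$norm" | tr -cd ':')
    case ${#colons} in
        2) echo implicit; return 0 ;;    # no bind address: ssh/sshd default applies
        3) ;;                            # bind address present, examined below
        *) echo unsupported; return 2 ;; # dynamic or socket forwards are not handled
    esac
    case $spec in
        \[*) bind=${spec#\[}; bind=${bind%%\]*} ;;  # bracketed IPv6 bind address
        *)   bind=${spec%%:*} ;;                    # everything before the first colon
    esac
    case $bind in
        ''|'*'|0.0.0.0|::) echo wildcard ;;  # empty or '*' means all interfaces
        localhost|::1)     echo loopback ;;
        127.*[!0-9.]*)     echo specific ;;  # a hostname that merely starts with "127."
        127.*)             echo loopback ;;  # includes the 127.1 shorthand used above
        *)                 echo specific ;;
    esac
}

# audit_forwards SPEC...: report each spec; returns 1 if any listener is not
# pinned to loopback by the spec itself.
audit_forwards() {
    rc=0
    for s in "$@"; do
        kind=$(classify_listener "$s") || true
        case $kind in
            loopback) printf 'OK    %-26s loopback only\n' "$s" ;;
            implicit) printf 'CHECK %-26s no bind address, GatewayPorts decides\n' "$s"; rc=1 ;;
            *)        printf 'WARN  %-26s listener is %s\n' "$s" "$kind"; rc=1 ;;
        esac
    done
    return $rc
}

# First spec is the one from the steps above; the other two are constructed.
audit_forwards '127.1:4567:127.1:4567' '4567:127.1:4567' '*:4567:127.1:4567' || true
```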

Update on 17.10.2012: it's quite easy to accidentally close the shell, so here are a couple of tips one can use to handle this:

  1. Run stty eof '?', which will disable exiting using the CTRL-D key.
  2. Press the CTRL-S key, which will suspend the shell, so it won't react until you use CTRL-Q to resume it.