Software Development with Linux

A secure reverse network connection

FRI, 01 MAY 2009

One thing I like about Linux, the open source world and the command line is that whatever problem you face, you can often solve it quickly and easily with a mash-up of console applications.

So, what do you do if you need a secure (authenticated and encrypted) network connection to a computer sitting behind a NAT? You set up a reverse network connection using OpenSSH!

Here's the network setup we're talking about: your PC (pc.mydomain.org) is reachable from the Internet, while the hidden machine (hidden.mydomain.org) sits behind a NAT and cannot accept incoming connections. Since the hidden machine can still make outgoing connections, it is the one that opens the SSH session, and the tunnel runs backwards through it.

First, you need to have OpenSSH installed on both computers: the SSH client on the hidden machine and the SSH server (sshd) on your PC. If the service you want to reach through the tunnel is SSH itself, the hidden machine needs sshd as well.

Then, from the computer behind the firewall (the one you want to access from your PC), you start an SSH connection toward your PC:
ssh -nNTR 12345:hidden.mydomain.org:22 username@pc.mydomain.org

The flags mean: -n (read stdin from /dev/null), -N (run no remote command), -T (allocate no tty), so the session does nothing but carry the tunnel, and -R (remote forward) asks the PC's sshd to listen on port 12345 and send whatever arrives there back through the connection.

Once this is done, anything that connects to port 12345 on pc.mydomain.org is tunneled through the encrypted connection to port 22 on hidden.mydomain.org. Two details matter in practice. The host:port after the forwarded port is resolved and connected to by the hidden machine itself, so localhost:22 works just as well as its own hostname and does not depend on DNS. And unless GatewayPorts is enabled in the PC's sshd_config, port 12345 is bound to the loopback interface only, so you connect to it from the PC itself (localhost, port 12345), not from other hosts. You can pick any port, and the forwarded service can be anything that speaks TCP, so you can tunnel anything this way.

I've used this to SSH to servers behind firewalls, to connect a VNC client to an embedded device behind a firewall, etc.

As you can see, the possibilities are endless.

And if you want this connection to be made automatically on boot, you can put it into a startup script that restarts it if it stops. In that case you'll have to use a public/private key pair to remove the password prompt. Here's how to do it.

On the hidden machine, generate the key pair (press Enter at the passphrase prompt: the tunnel has to come up unattended, so the private key must be usable without one):
ssh-keygen -t rsa

This creates two files inside ~/.ssh/: id_rsa (the private key, which stays on the hidden machine and is never copied anywhere) and id_rsa.pub. Append the contents of id_rsa.pub to ~/.ssh/authorized_keys on your PC (authorized_keys2 is an older, deprecated name for the same file; authorized_keys is what OpenSSH reads). Now every time the hidden machine establishes an SSH connection to your PC, it authenticates with this key pair instead of asking for a password.

Because that private key has no passphrase, anyone who copies it from the hidden machine can log in to your PC as you. Limit the damage by restricting the key on the PC side: prefix its authorized_keys line with options such as no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false", which still lets the key open port forwards but turns any shell or command request into an immediate exit. Also make sure ~/.ssh and authorized_keys are writable only by you, or sshd (with its default StrictModes) will silently ignore the file and fall back to asking for a password.
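Putting the steps above together, here is an added example (my script, not the original post's) of the startup script the post mentions: a tunnel keeper for the hidden machine plus the restricted authorized_keys entry for the PC. The host names, user name, port and key path are the post's placeholders, used as defaults; the ssh options beyond -nNTR are my additions, and localhost replaces hidden.mydomain.org as the -R target, which is equivalent when that name resolves to the hidden machine itself.

```sh
#!/bin/sh
# Added example, not the original post's script: keep the reverse tunnel from
# the hidden machine to the PC alive, restarting ssh whenever it exits.
# Defaults are the post's placeholder names; override them via the environment.

REMOTE_USER="${REMOTE_USER:-username}"          # account on the PC
REMOTE_HOST="${REMOTE_HOST:-pc.mydomain.org}"   # the reachable PC
REMOTE_PORT="${REMOTE_PORT:-12345}"             # port opened on the PC
LOCAL_PORT="${LOCAL_PORT:-22}"                  # service on the hidden machine
KEY_FILE="${KEY_FILE:-$HOME/.ssh/id_rsa}"       # passphrase-less key from ssh-keygen

# Print the ssh arguments one per line so run_tunnel can rebuild them safely.
tunnel_args() {
    # -nNT                     : no stdin, no remote command, no tty; tunnel only
    # BatchMode=yes            : never prompt; an unattended script must fail, not hang
    # ExitOnForwardFailure=yes : exit if REMOTE_PORT is already bound on the PC.
    #   Without it ssh stays connected with no working tunnel and the restart
    #   loop never notices.
    # ServerAliveInterval/CountMax : a NAT that silently drops the mapping is
    #   detected within about 90 s instead of leaving a zombie connection.
    printf '%s\n' \
        -i "$KEY_FILE" -nNT \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "${REMOTE_PORT}:localhost:${LOCAL_PORT}" \
        "${REMOTE_USER}@${REMOTE_HOST}"
}

# Build the line to append to ~/.ssh/authorized_keys on the PC ($1 is the
# contents of id_rsa.pub). The key has no passphrase, so limit what it can do:
# no tty, no agent or X11 forwarding, and any shell/exec request runs
# /bin/false. Port forwarding (what the tunnel needs) is still allowed.
# On OpenSSH 7.2 or newer, "restrict,port-forwarding" expresses the same intent.
authorized_keys_entry() {
    printf 'no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false" %s\n' "$1"
}

# Reconnect loop: each ssh exit (network drop, PC reboot, forward failure)
# is followed by a short pause so a persistent error does not hammer the PC.
run_tunnel() {
    while :; do
        old_ifs=$IFS
        IFS='
'
        set -f                  # no globbing on the rebuilt arguments
        # shellcheck disable=SC2046 # splitting on newlines is intended here
        set -- $(tunnel_args)
        set +f
        IFS=$old_ifs
        ssh "$@"
        sleep 10
    done
}

# Usage:  sh reverse-tunnel.sh run                      (e.g. from rc.local)
#         sh reverse-tunnel.sh key ~/.ssh/id_rsa.pub    (prints the PC-side entry)
case "${1:-}" in
    run) run_tunnel ;;
    key) authorized_keys_entry "$(cat "${2:-$HOME/.ssh/id_rsa.pub}")" ;;
esac
```

The two options worth remembering are ExitOnForwardFailure and the ServerAlive pair: without the first, a stale listener on the PC (for instance from a previous tunnel whose NAT state died) makes the new ssh connect "successfully" with no tunnel at all; without the second, the hidden machine may not notice for hours that its connection is dead, and neither will your restart loop.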

That's it. It is as easy as it sounds, and very useful.

For more information about this, see the following web pages:


Happy tunneling :)