Using A VPS As A Jump Box To Access Servers Behind NAT Using Reverse SSH Tunnels: Part 1
Ok, so the title’s a bit of a mouthful, but it’s also a handy technique to know. If you are managing multiple Linux systems across multiple sites, you’ll often find that the networks use different NAT and firewall settings. This means that if you need remote access to systems behind the routers, you’ll need to go through configuring port forwarding and firewall rules for remote access from the IP ranges you’ll be accessing from. This can be made all the harder if your ISP doesn’t provide a static IP address, or you need to be able to connect from a mobile device while out and about.
One solution is to use a VPS as a jump box. This just needs to be a low specification VPS with a bare Linux installation on it. You simply use SSH to connect to the VPS, and then SSH from that to connect to the other systems you manage. This way you only need to create firewall and port forwarding rules for the single IP address of the VPS. So what do you do when the systems you need to manage are on a network where it isn’t practical or possible to set up the port forwarding and firewall changes? This is where the reverse SSH tunnel comes in.
SSH Tunnel
So how does it work? When setting up a reverse tunnel, the SSH client on the system you wish to connect to makes its own outbound connection to an intermediary system – in this case, our VPS – and has that system listen on a port for incoming connections. Anything that connects to that port on the VPS is forwarded back down the tunnel to the remote system. You can then either connect to the VPS directly and SSH onward to your remote system via the port it has opened for the reverse tunnel, or connect from your own machine straight to that tunnel port on the VPS.
Now let’s look at putting this into practice. The first thing to do – having established access to the system that is behind the NAT/Firewall – is create a reverse SSH tunnel to your VPS. In this example we’ll be using the domain name vps.example.com, which you’ll need to replace with the address for the VPS you’ll be using:
ssh -R 22222:localhost:22 username@vps.example.com
What makes this work is the -R flag, which takes three settings:
#1. The first is the port on the system being connected to, on which it should listen for connections. We used port 22222 in this example but you could use any unused port on the VPS.
#2. After the colon is the system to which the traffic on that port should be forwarded, which in this case is ‘localhost’, meaning the local machine sees the traffic.
#3. Finally the number 22 specifies the port that the traffic should be forwarded to, which is the port that SSH is running on on the local system. By default the listening port 22222 is bound to the VPS’s loopback interface, so it only accepts connections that originate on the VPS itself, meaning that you need to log into the VPS first before you can connect onward.
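The bare command above is fine for a one-off session, but a tunnel you rely on needs a few extra options so that it fails loudly when the VPS port is already taken and dies cleanly (so a supervisor can restart it) when the connection goes stale. The following shell function is an added example, not code from the original post: it validates the two port numbers and prints the complete ssh command line. The host name username@vps.example.com and the ports are placeholders for your own values, and the optional fourth argument is the bind address used in the next section.

```shell
#!/bin/sh
# Added example (not part of the original post): build a hardened reverse-tunnel
# command. Placeholders: username@vps.example.com, ports 22222 and 22.

# reverse_tunnel_cmd REMOTE_PORT LOCAL_PORT USER@VPS [BIND_ADDR]
# Prints the ssh command line, or returns 1 if a port is not a number in 1..65535.
reverse_tunnel_cmd() {
    remote_port="$1"; local_port="$2"; target="$3"; bind_addr="${4:-}"

    for p in "$remote_port" "$local_port"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done

    # "port:localhost:port" binds the listener to the VPS loopback only;
    # "addr:port:localhost:port" asks sshd to bind it to that address instead.
    spec="${remote_port}:localhost:${local_port}"
    if [ -n "$bind_addr" ]; then
        spec="${bind_addr}:${spec}"
    fi

    # -N                    forwarding only, no remote shell
    # ExitOnForwardFailure  exit instead of silently running without the tunnel
    # ServerAlive*          drop a dead connection after 3 missed keepalives (90 s)
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s %s\n' \
        "$spec" "$target"
}

# Usage (opens the tunnel; not executed when this file is sourced):
#   eval "$(reverse_tunnel_cmd 22222 22 username@vps.example.com)"
```

Run the printed command under a process supervisor (systemd, or autossh) on the system behind the NAT; with ExitOnForwardFailure and the keepalive options set, the supervisor restarting ssh on exit is enough to keep the tunnel up.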
Connecting to systems behind NAT
With this configuration you can connect to your system behind the NAT by first connecting via SSH to the VPS, and then using SSH to connect as follows, replacing 22222 with the port you chose to listen on:
ssh localhost -p 22222
If you’d rather not have to connect to the VPS and then make the second connection to the other system, then this behavior can be changed by including the VPS’s IP address before the port to listen on when creating the reverse tunnel, as shown below:
ssh -R 1.2.3.4:22222:localhost:22 username@vps.example.com
In this example you’d replace “1.2.3.4” with the IP address of the VPS, enabling you to connect to your system behind the NAT by connecting via SSH to port 22222 on the VPS. Note that this means that anyone else on the internet can also do so unless you restrict access to that port on your VPS using its firewall. To connect, use:
ssh vps.example.com -p 22222
That’s pretty much all there is to it. With the reverse tunnel set up it’s simple to then connect to the remote system using your VPS. You can also have multiple remote systems all tunnelled into the same VPS for convenience. One thing to note is that this VPS then becomes a doorway into all of these remote networks so it’s important to ensure that you secure the VPS adequately.
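Two practical points follow from the last two sections. First, sshd on the VPS ignores the bind address in -R unless its sshd_config sets GatewayPorts to yes or clientspecified (the default is no), so a tunnel you believe is public may still be loopback-only, and vice versa once that setting is changed. Second, with several remote systems tunnelled into one VPS, it is worth checking periodically which tunnel ports are actually reachable from the internet. The script below is an added example, not code from the original post: it reads the output of ss -ltn (a constructed sample is embedded so it runs offline) and classifies every listening port in an assumed tunnel range of 22222 to 22299 as loopback-only or exposed.

```shell
#!/bin/sh
# Added example (not part of the original post): audit which reverse-tunnel
# listeners on the VPS are bound beyond loopback. The port range 22222-22299
# is an assumed convention for tunnel ports; adjust it to your own.

# Constructed sample of `ss -ltn` output, as seen on a VPS with four tunnels.
SAMPLE_SS_OUTPUT=$(cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       128      127.0.0.1:22222      0.0.0.0:*
LISTEN  0       128      0.0.0.0:22223        0.0.0.0:*
LISTEN  0       128      [::1]:22224          [::]:*
LISTEN  0       128      *:22225              *:*
EOF
)

# audit_tunnel_ports [MIN_PORT] [MAX_PORT]  < ss-output
# Prints one line per listening port in the range: "<port> loopback" when it is
# bound to 127.x or [::1] (reachable only from the VPS itself), otherwise
# "<port> exposed" (reachable from anywhere the VPS firewall allows).
audit_tunnel_ports() {
    min="${1:-22222}"; max="${2:-22299}"
    awk -v min="$min" -v max="$max" '
        $1 == "LISTEN" {
            addr = $4
            # The port is everything after the last colon; the host is the rest.
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port !~ /^[0-9]+$/) next
            if (port + 0 < min + 0 || port + 0 > max + 0) next
            if (host == "[::1]" || host ~ /^127\./) {
                print port " loopback"
            } else {
                print port " exposed"
            }
        }'
}

# On the VPS itself:  ss -ltn | audit_tunnel_ports 22222 22299
# Against the embedded sample:
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_tunnel_ports 22222 22299
```

Every port reported as exposed should be covered by a firewall rule on the VPS that limits it to the source addresses you connect from; anything else listening there is an unauthenticated-by-firewall path to the sshd of the system behind the NAT, protected only by that system's own SSH authentication.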