How to make an SSH tunnel publicly accessible?

ssh openssh ssh-tunnel

Referring back to this question, I am executing the below via OpenSSH (Client: Mac OS X 10.6 | Server: Linux Mint), however the port that is being tunneled is not working publicly:

ssh -R 8080:localhost:80 -N [email protected]
  • The purpose is so the local port can be opened on the remote computer
  • It seems as if the remote side binds only on localhost, instead of to all interfaces
  • It works when opening the port on localhost on the remote computer, but when trying to access the public IP of the remote computer from my local computer, the port doesn’t seem to be open

How would I make the tunnel public on the IP for anyone to access?


If you check the man page for ssh, you'll find that the syntax for -R reads:

-R [bind_address:]port:host:hostport

When bind_address is omitted (as in your example), the port is bound on the loopback interface only. In order to make it bind to all interfaces, use

ssh -R \*:8080:localhost:80 -N [email protected]

or

ssh -R 0.0.0.0:8080:localhost:80 -N [email protected]

or

ssh -R "[::]:8080:localhost:80" -N [email protected]

The first version binds to all interfaces individually. The second version creates a general IPv4-only bind, which means that the port is accessible on all interfaces via IPv4. The third version is probably technically equivalent to the first, but again it creates only a single bind to ::, which means that the port is accessible via IPv6 natively and via IPv4 through IPv4-mapped IPv6 addresses (doesn't work on Windows, OpenBSD).  (You need the quotes because [::] could be interpreted as a glob otherwise.)

Note that if you use OpenSSH sshd server, the server's GatewayPorts option needs to be enabled (clientspecified, or, in rare cases, to yes) for this to work (check file /etc/ssh/sshd_config on the server). Otherwise (default value for this option is no), the server will always force the port to be bound on the loopback interface only.


Edit:

-g works for local forwarded ports, but what you want is a reverse/remote forwarded port, which is different.

What you want is this.

Essentially, on example.com, set GatewayPorts=clientspecified in /etc/ssh/sshd_config.

--- previous (incorrect) answer ---

Use the -g option. From ssh's man page:

-g     Allows remote hosts to connect to local forwarded ports.

Here's my answer for completion:

I ended up using ssh -R ... for tunneling, and using socat on top of that for redirecting network traffic to 127.0.0.1:

tunnel binded to 127.0.0.1: ssh -R mitm:9999:<my.ip>:8084 me@mitm

socat: mitm$ socat TCP-LISTEN:9090,fork TCP:127.0.0.1:9999

Other option is to do a local-only tunnel on top of that, but i find this much slower

mitm$ ssh -L<mitm.ip.address>:9090:localhost:9999 localhost


You can also use a double forward if you won´t or can change /etc/ssh/sshd_config.

First forward to temporary port (e.g. 10080) on loopback device on the remote machine, then use local forward there to redirect port 10080 to 80 on all interfaces:

ssh -A -R 10080:localhost_or_machine_from:80 [email protected] "ssh -g -N -L 80:localhost:10080 localhost"

Related

How can I prevent Ask.com Toolbar from being installed every time Java is updated?
How to control Windows 7 snap feature with two monitors?
Purpose of a "mystery key" on an IBM PC 3270 keyboard
How can I give write-access of a folder to all users in linux?
What are differences between VBoxVGA, VMSVGA and VBoxSVGA in VirtualBox?
Difference between OTF (Open Type) or TTF (True Type) font formats?
What is a SSH key fingerprint and how is it generated?
Rename screen session
How do I set system environment variables in Windows 10? [duplicate]
How can I remove outdated installed versions of Homebrew packages?
How can I execute a Windows command line in background?
How to convert .ppk key to OpenSSH key under Linux?