Previously I wrote an SSH Tunnel Tips post that introduced some SSH tunneling techniques, but it lacked context and coherence, so I have reorganized it here around a network topology diagram, which explains better what I am doing.
Suppose my network is a simplified version of the topology shown in the figure.
So here are a few possible operations.
- SSH directly from the Home PC to the Office PC
- SSH from the Office PC to the Home PC (the same case as above)
- SSH directly from the Home PC to the VPS
- SSH from the Office PC to the VPS (the same case as above)
- SSH from the VPS to the Home (or Office) PC
Among these scenarios, the easiest to implement is SSH from the Home PC to the VPS, which is also the most common thing we do. It is easy because the VPS has a public IP, so packets can be routed directly from the Home PC to the VPS.
As the figure shows, the only real difference between the PC and the VPS is that the PC sits behind a router. If the PC were plugged into the ISP network directly, could it get a public IP? With the spread of fibre, even without a router you are not plugged into the ISP backbone but into one of its splitters (FTTB and the like), so a PC or router holding a public IP is not the norm, and even where it happens the ISP usually leaves only a handful of ports open, so it is of little use.
Which brings us to the point of this article: since you cannot connect to the PC directly, can you do the opposite and have the PC initiate the connection itself? That is the principle of SSH tunneling.
```shell
# run on the PC: the VPS ends up listening on port 9999 and forwarding it to port 8888 on this PC
# -R remote forward, -f go to background, -N run no remote command, -T allocate no tty,
# -n take stdin from /dev/null, -q quiet, -g let other hosts use local forwards
ssh -qngfNTR 9999:localhost:8888 [email protected]
```
Command Line Quick Use
```shell
# cat ~/.ssh/config
Host jump
    HostName 10.0.0.102
    Port 22
    User root
    IdentityFile /root/.ssh/id_rsa
    ForwardAgent yes

Host 10.0.0.87
    HostName 10.0.0.87
    ProxyJump jump
    User zhangsan
```
- First make sure you can log in to the jump host directly; 10.0.0.87 is then reached through the jump host via ProxyJump.
By default the reverse tunnel port on the server listens only on localhost. To have it listen on the other interfaces as well, enable GatewayPorts in the server's sshd_config (and reload sshd afterwards):
```shell
# cat /etc/ssh/sshd_config
GatewayPorts yes
```
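With GatewayPorts on, the reverse-forwarded port is bound on every interface of the server, so anyone who can reach the VPS can reach port 8888 on the PC. The check a practitioner wants after bringing the tunnel up is to look at what is actually bound. The following Python snippet is an added example, not the author's code: it parses `ss -ltn` style output (the sample below is constructed, not captured from the page's hosts) and flags tunnel ports bound outside loopback. If only some tunnels should be exposed, `GatewayPorts clientspecified` lets the `-R` spec choose the bind address, so `-R 127.0.0.1:9999:localhost:8888` stays local while `-R 0.0.0.0:9999:localhost:8888` is public.

```python
# Constructed sample of `ss -ltn` output on the VPS with the reverse tunnel up (not real data).
# Port 9999 is the -R port from the tunnel command: the 127.0.0.1 row is the default,
# the 0.0.0.0 row is what GatewayPorts yes produces.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:9999      0.0.0.0:*
LISTEN  0       128     0.0.0.0:9999        0.0.0.0:*
LISTEN  0       128     [::1]:9999          [::]:*
LISTEN  0       128     *:22                *:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Return (bind_address, port) for every LISTEN row of `ss -ltn` output.

    Handles IPv4 'a.b.c.d:port', bracketed IPv6 '[::1]:port' and the wildcard '*:port'.
    """
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6 colons
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def exposed_tunnel_ports(ss_output, tunnel_ports):
    """Return sorted (port, bind_address) pairs for tunnel ports not bound on loopback.

    Any entry means the tunnelled service is reachable from outside the server, which is
    exactly what GatewayPorts yes enables and what a firewall rule or a loopback-only
    -R spec should control deliberately.
    """
    exposed = []
    for addr, port in parse_listeners(ss_output):
        if port in tunnel_ports and addr not in LOOPBACK:
            exposed.append((port, addr))
    return sorted(exposed)


if __name__ == "__main__":
    for port, addr in exposed_tunnel_ports(SAMPLE_SS, {9999}):
        print(f"tunnel port {port} is bound on {addr}: reachable beyond localhost")
```

On a real host, feed the captured output of `ss -ltn` to `exposed_tunnel_ports` together with the set of `-R` ports you expect; an empty result means every tunnel port is loopback-only.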
```shell
# yum install -y nc
# mkfifo /tmp/fifo
# nc -l -p 1162 < /tmp/fifo | nc -u localhost 1163 > /tmp/fifo
```
This listens for TCP connections on port 1162 of that machine and sends the data it receives to localhost:1163 as UDP.
```shell
# mkfifo /tmp/fifo
# nc -l -u -p 1163 < /tmp/fifo | nc localhost 1162 > /tmp/fifo
```
This listens for UDP on port 1163 of that machine and sends the datagrams it receives out over the TCP connection to localhost:1162.
Points to note
- You must run the command on the local side before going to the remote server; otherwise the server side will not work properly, because no data arrives.
- One problem I have run into is that this way I can only receive UDP once; the second time it is not received successfully.
- This is the reverse-tunnel case; the forward-tunnel case is simply the mirror image.
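The "only once" behaviour above comes from the nc pipelines themselves: a UDP nc locks onto the first peer it hears from, and a plain TCP stream has no datagram boundaries. The following Python relay pair is an added example, not the author's code or anything from the nc tool: it plays the same two roles as the two nc commands, but frames every datagram on the TCP leg with a length and a client id, so it keeps working for the second datagram and for several UDP clients at once. All addresses are loopback and chosen at run time (a constructed demo; in the real setup the TCP leg between the two halves would be the SSH-forwarded port, like localhost:1162 above), and a UDP echo service stands in for the real UDP service.

```python
import selectors
import socket
import struct
import threading

# Frame header on the TCP leg: 2-byte client id + 2-byte payload length, big-endian.
# The client id is what lets a reply find its way back to the right UDP sender.
HDR = struct.Struct("!HH")


class FrameDecoder:
    """Reassemble (client_id, datagram) frames from a TCP byte stream; one recv() may
    deliver half a frame or several frames, so a carry-over buffer is kept."""

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        frames = []
        while len(self.buf) >= HDR.size:
            cid, length = HDR.unpack_from(self.buf)
            if len(self.buf) < HDR.size + length:
                break  # the rest of this frame has not arrived yet
            frames.append((cid, self.buf[HDR.size:HDR.size + length]))
            self.buf = self.buf[HDR.size + length:]
        return frames


def udp_entry(udp_sock, tcp_peer):
    """Near side, the role of `nc -l -u -p 1163 | nc localhost 1162`: take datagrams
    from udp_sock, ship them over one TCP connection, route replies back per sender."""
    tcp = socket.create_connection(tcp_peer)
    ids, addrs = {}, {}  # sender address -> client id, and the reverse map

    def downstream():
        dec = FrameDecoder()
        while True:
            data = tcp.recv(65536)
            if not data:
                return
            for cid, payload in dec.feed(data):
                if cid in addrs:
                    udp_sock.sendto(payload, addrs[cid])

    threading.Thread(target=downstream, daemon=True).start()
    while True:
        payload, addr = udp_sock.recvfrom(65535)
        cid = ids.setdefault(addr, len(ids))  # a new sender gets the next id
        addrs[cid] = addr
        tcp.sendall(HDR.pack(cid, len(payload)) + payload)


def udp_exit(tcp_listener, udp_target):
    """Far side, the role of `nc -l -p 1162 | nc -u localhost 1163`: unpack frames from one
    TCP connection and emit them as UDP, one UDP socket per client id so that the
    service's replies can be demultiplexed back onto the right id."""
    tcp, _ = tcp_listener.accept()
    sel = selectors.DefaultSelector()
    sel.register(tcp, selectors.EVENT_READ, None)
    socks, dec = {}, FrameDecoder()
    while True:
        for key, _ in sel.select():
            if key.fileobj is tcp:
                data = tcp.recv(65536)
                if not data:
                    return
                for cid, payload in dec.feed(data):
                    if cid not in socks:
                        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                        s.connect(udp_target)
                        socks[cid] = s
                        sel.register(s, selectors.EVENT_READ, cid)
                    socks[cid].send(payload)
            else:  # a reply from the UDP service for the client id stored in key.data
                reply = key.fileobj.recv(65535)
                tcp.sendall(HDR.pack(key.data, len(reply)) + reply)


def demo():
    """Constructed loopback run: a UDP echo service stands in for the real service and
    two independent UDP clients talk to it through the relay pair."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    echo.bind(("127.0.0.1", 0))

    def echo_loop():
        while True:
            data, addr = echo.recvfrom(65535)
            echo.sendto(b"echo:" + data, addr)

    threading.Thread(target=echo_loop, daemon=True).start()
    listener = socket.socket()  # the TCP leg; in the real setup this is the SSH-forwarded port
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=udp_exit, args=(listener, echo.getsockname()), daemon=True).start()
    entry = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    entry.bind(("127.0.0.1", 0))
    threading.Thread(target=udp_entry, args=(entry, listener.getsockname()), daemon=True).start()
    c1, c2 = (socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(2))
    replies = []
    for client, msg in [(c1, b"one"), (c2, b"two"), (c1, b"three")]:
        client.settimeout(3)
        client.sendto(msg, entry.getsockname())
        replies.append(client.recv(65535))  # would time out if routed to the wrong client
    return replies
```

`demo()` returns the three echoed replies in order, with the third one arriving at the first client again, which is the case the nc pipelines drop. The length prefix is what makes this correct over TCP; the per-client UDP socket on the far side is what makes replies route correctly when more than one client is talking.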
- How to make a SSH tunnel publicly accessible?
- Performing UDP tunneling through an SSH connection
- How to use ansible openstack modules with a ssh socks proxy