On Wed, Aug 06, 2014 at 11:09:57AM +0100, Mark Rogers wrote:
I know others here have experience of this, and I have a potential use for it. Situation: Linux box (Debian/ARM) behind a Draytek router which will variously connect to the Internet via ADSL, WiFi, 3G, etc. I want to have SSH access to the box whenever it is online without relying on having a routable or static IP at the router, i.e. the box will need to make and maintain an outbound connection to me so that I can access it when needed. I think this is what Chris does on his boat, but any pointers to the right way to go about this appreciated. Not looking for a full VPN (not least because some 3G providers block VPN access). The Draytek is already set up to manage office-to-office VPN but it's the failure of that which has prompted this.
Yes, it is basically what I have on my boat, though I have less control over the NAT/router bit.
Do you really need to do this (reverse tunnel that is)? I have a very similar set-up to you at home, even down to the Draytek router. What I do for access to my desktop machine from the outside is open up the Draytek router firewall to SSH traffic (maybe on a non-standard port) but only for one or two specific IP addresses 'out there' on the internet. I have ssh access to a couple of hosting services so to connect to home from anywhere I ssh to the hosting service and then ssh from there to home. The firewall on the Draytek only allows connections, as I said, from the two hosting services' IPs.
I never see any SSH break in attempts.
The reason for the reverse tunnel from the boat is that it's behind a NAT firewall over which I have no control so I can't open up a port to ssh.
If you want to do it the other way round then set up outgoing tunnels from the 'box' to somewhere on the internet, that somewhere will have to be accessible passwordless from the 'box'.
So the sequence to set up a reverse tunnel to allow access *to* 'box' is:-
On 'box' create a passwordless login to somewhere you can access directly or via ssh.
Check that the passwordless login works (?!).
On 'box' run something like the following:- ssh -N -T -R 54321:localhost:22 me@somewhere
Then when logged onto 'somewhere' you can connect to box with:- ssh -p 54321 localhost (assumes your login name on both 'somewhere' and 'box' is the same, otherwise you need to use myNameOnBox@localhost of course)
If you want to make sure the ssh reverse tunnel on 'box' continues to run then use autossh which monitors and restarts ssh as necessary.
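Putting the steps above together as a script, with the two things I would add before leaving a passwordless key on a box I do not physically control: a restricted authorized_keys line on the relay so the key can only open that one reverse forward (not a shell), and ssh options so a stale tunnel gets torn down and restarted rather than sitting there half-dead. This is an added example, not Chris's or Mark's own setup; the relay name 'somewhere', the account 'me' on it, the key path /home/box/.ssh/id_tunnel and autossh being installed on 'box' are all assumed.

```shell
#!/bin/sh
# Added example for the reverse-tunnel recipe above; not from the thread.
# Assumed names (none appear in the original post): relay host "somewhere",
# account "me" on it, a dedicated key /home/box/.ssh/id_tunnel on 'box',
# and autossh installed on 'box'.
set -eu

# Only accept an unprivileged port number for the listener on 'somewhere'.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Line to append to ~me/.ssh/authorized_keys on 'somewhere'.  The
# passwordless key on 'box' is the weak point: if 'box' is stolen, whoever
# has it holds that key.  'restrict' turns off pty, agent, X11 and all
# forwarding; 'port-forwarding' re-enables forwarding, 'permitlisten' caps
# it at this one -R port (OpenSSH 7.8+), and the forced command means a
# plain "ssh me@somewhere" with this key gets no shell.
authorized_keys_entry() {
    port=$1; pubkey=$2
    valid_port "$port" || return 1
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' \
        "$port" "$pubkey"
}

# The autossh command for 'box'.  -M 0 drops autossh's own echo port and
# relies on ssh's keepalives to notice a dead link; ExitOnForwardFailure
# makes ssh exit (so autossh restarts it) when the remote port is still
# held by a stale session, instead of silently running with no tunnel.
# GatewayPorts defaults to no on the relay, so the forward listens on
# 127.0.0.1 of 'somewhere' only, which is why it is reached with
# "ssh -p PORT localhost" from there.
tunnel_cmd() {
    rport=$1; lport=$2; user=$3; host=$4; key=$5
    valid_port "$rport" || return 1
    printf 'autossh -M 0 -N -T -i %s -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R %s:localhost:%s %s@%s\n' \
        "$key" "$rport" "$lport" "$user" "$host"
}

# Replace this shell with the tunnel (for an init script or a user unit).
start_tunnel() {
    cmd=$(tunnel_cmd "$@") || { echo "bad port: $1" >&2; return 1; }
    # shellcheck disable=SC2086
    exec $cmd
}

# Quick check, run on 'somewhere', that the listener is actually up.
tunnel_listening() {
    ss -ltn "sport = :$1" | grep -q ":$1"
}

case "${1:-}" in
    keyline) authorized_keys_entry 54321 "$(cat /home/box/.ssh/id_tunnel.pub)" ;;
    start)   start_tunnel 54321 22 me somewhere /home/box/.ssh/id_tunnel ;;
    check)   tunnel_listening 54321 ;;
esac
```

Usage: on 'box', `sh tunnel.sh keyline` prints the line to paste into ~me/.ssh/authorized_keys on 'somewhere' (after `ssh-keygen -t ed25519 -N '' -f /home/box/.ssh/id_tunnel`), then `sh tunnel.sh start` from whatever init mechanism the box uses; on 'somewhere', `sh tunnel.sh check` confirms port 54321 is listening. The forced command does not get in the way of the normal `ssh -p 54321 localhost` from 'somewhere', since that login is authenticated by 'box', not by the restricted key. On the relay side it is also worth setting ClientAliveInterval in sshd_config so a dead session releases the port quickly; otherwise the restarted ssh will keep failing with "remote port forwarding failed" until the old one times out. If the relay runs an OpenSSH older than 7.8, drop the permitlisten option; older than 7.2, replace restrict with the individual no-pty,no-agent-forwarding,no-X11-forwarding options.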