I know others here have experience of this, and I have a potential use for it.
Situation: Linux box (Debian/ARM) behind a Draytek router which will variously connect to the Internet via ADSL, WiFi, 3G, etc.
I want to have SSH access to the box whenever it is online without relying on having a routable or static IP at the router, ie the box will need to make and maintain an outbound connection to me so that I can access it when needed.
I think this is what Chris does on his boat, but any pointers to the right way to go about this appreciated. Not looking for a full VPN (not least because some 3G providers block VPN access). The Draytek is already setup to manage office-to-office VPN but it's the failure of that which has prompted this.
Hi Mark,
Assuming you have a static address or hostname that your NAT'd box can ssh to, I've seen AutoSSH [1] used in similar circumstances.
If you combine that with SSH's ability to do reverse tunnelling [2] you have a viable solution as long as the internet connection is alive.
You might want to consider using mosh [3] for at least your connection over the reverse tunnel - it should tolerate bad connections better.
[1] http://www.harding.motd.ca/autossh/
[2] http://www.howtoforge.com/reverse-ssh-tunneling
[3] https://mosh.mit.edu/
All the best,
Jim Rippon
On 2014-08-06 11:09, Mark Rogers wrote:
I know others here have experience of this, and I have a potential use for it.
Situation: Linux box (Debian/ARM) behind a Draytek router which will variously connect to the Internet via ADSL, WiFi, 3G, etc.
I want to have SSH access to the box whenever it is online without relying on having a routable or static IP at the router, ie the box will need to make and maintain an outbound connection to me so that I can access it when needed.
I think this is what Chris does on his boat, but any pointers to the right way to go about this appreciated. Not looking for a full VPN (not least because some 3G providers block VPN access). The Draytek is already setup to manage office-to-office VPN but it's the failure of that which has prompted this.
--
Mark Rogers // More Solutions Ltd (Peterborough Office) // 0844 251 1450 Registered in England (0456 0902) @ 13 Clarke Rd, Milton Keynes, MK1 1LG
On Wed, Aug 06, 2014 at 11:09:57AM +0100, Mark Rogers wrote:
I know others here have experience of this, and I have a potential use for it.
Situation: Linux box (Debian/ARM) behind a Draytek router which will variously connect to the Internet via ADSL, WiFi, 3G, etc.
I want to have SSH access to the box whenever it is online without relying on having a routable or static IP at the router, ie the box will need to make and maintain an outbound connection to me so that I can access it when needed.
I think this is what Chris does on his boat, but any pointers to the right way to go about this appreciated. Not looking for a full VPN (not least because some 3G providers block VPN access). The Draytek is already setup to manage office-to-office VPN but it's the failure of that which has prompted this.
Yes, it is basically what I have on my boat, though I have less control over the NAT/router bit.
Do you really need to do this (reverse tunnel that is)? I have a very similar set-up to you at home, even down to the Draytek router. What I do for access to my desktop machine from the outside is open up the Draytek router firewall to SSH traffic (maybe on a non-standard port) but only for one or two specific IP addresses 'out there' on the internet. I have ssh access to a couple of hosting services so to connect to home from anywhere I ssh to the hosting service and then ssh from there to home. The firewall on the Draytek only allows connections, as I said, from the two hosting service's IPs.
I never see any SSH break in attempts.
The reason for the reverse tunnel from the boat is that it's behind a NAT firewall over which I have no control so I can't open up a port to ssh.
If you want to do it the other way round then set up outgoing tunnels from the 'box' to somewhere on the internet, that somewhere will have to be accessible passwordless from the 'box'.
So the sequence to set up a reverse tunnel to allow access *to* 'box' is:-
On 'box' create a passwordless login to somewhere you can access directly or via ssh.
Check that the passwordless login works (?!).
On 'box' run something like the following:-
    ssh -N -T -R 54321:localhost:22 me@somewhere
Then when logged onto 'somewhere' you can connect to box with:-
    ssh -p 54321 localhost
(assumes your login name on both 'somewhere' and 'box' is the same, otherwise you need to use myNameOnBox@localhost of course)
If you want to make sure the ssh reverse tunnel on 'box' continues to run then use autossh which monitors and restarts ssh as necessary.
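A hardened form of the recipe above, combined with Jim's autossh suggestion, as an added example that is not code from the thread. 'box', 'somewhere' and port 54321 follow Chris's post; the autossh options, the restricted authorized_keys line for box's passwordless key (so that key can only open the tunnel, never get a shell on the relay) and the ss-based health check are assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: 'box' is the
# NAT'd Debian host, 'somewhere' is a relay it can reach, port 54321 as in
# Chris's post. Everything here prints or checks; nothing opens a connection.

# Command for 'box' to keep running. Compared with the plain "ssh -N -T -R"
# in the post it pins the relay-side bind to loopback (the default unless the
# relay sets GatewayPorts, so the forwarded port is reachable only by someone
# already logged into 'somewhere'), adds ExitOnForwardFailure (a stale
# listener makes ssh exit so autossh restarts it) and keepalives (a dead 3G
# link is noticed in about 90 s instead of hours).
tunnel_cmd() {            # $1 = user@somewhere, $2 = port on the relay
  printf '%s %s %s %s\n' \
    'autossh -M 0 -N -T' \
    '-o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3' \
    "-R 127.0.0.1:$2:localhost:22" "$1"
}

# authorized_keys line for box's passwordless key on 'somewhere': the key may
# open that one reverse listener and nothing else (no shell, no pty, no agent
# or X11 forwarding). 'restrict' (OpenSSH 7.2+) and 'permitlisten' (7.8+) are
# assumed available on the relay; older sshds need the no-* options instead.
restricted_key_line() {   # $1 = port, $2 = contents of box's .pub file
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$1" "$2"
}

# Health check on the relay: read "ss -ltn" output on stdin, exit 0 only if a
# LISTEN socket is bound to 127.0.0.1:$1. Use: ss -ltn | tunnel_listening 54321
tunnel_listening() {
  awk -v want="127.0.0.1:$1" '$1 == "LISTEN" && $4 == want { found = 1 } END { exit !found }'
}

# Constructed sample of "ss -ltn" output (not a real capture) for offline use.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:54321    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Run directly as: sh reverse-tunnel.sh me@somewhere 54321 "$(cat ~/.ssh/id_ed25519.pub)"
if [ "$#" -eq 3 ]; then
  echo "# on box, run:";                               tunnel_cmd "$1" "$2"
  echo "# on $1, append to ~/.ssh/authorized_keys:";   restricted_key_line "$2" "$3"
  echo "# on $1, verify with: ss -ltn | tunnel_listening $2"
fi
```

On 'box' the printed autossh command belongs in a systemd unit or an @reboot cron entry so it survives reboots; on 'somewhere', anyone who can log in can still reach 127.0.0.1:54321, so the relay's own user accounts are the trust boundary.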
On Wed, 6 Aug 2014 11:09:57 +0100 Mark Rogers mark@quarella.co.uk allegedly wrote:
I know others here have experience of this, and I have a potential use for it.
Situation: Linux box (Debian/ARM) behind a Draytek router which will variously connect to the Internet via ADSL, WiFi, 3G, etc.
I want to have SSH access to the box whenever it is online without relying on having a routable or static IP at the router, ie the box will need to make and maintain an outbound connection to me so that I can access it when needed.
Mark
I wrote a post about this here:
https://baldric.net/2013/03/26/using-an-ssh-reverse-tunnel-to-bypass-nat-fir...
(snappy title huh?)
Mick
(Your emails are oddly dated. This one appeared from 6 August....)
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------