Why would you need to create a simple Two-Way SSH tunnel? In your Linux system administration job have you ever found your self in a situation in which you cannot SSH to a any of your servers/hosts that may be behind a firewall, NAT or otherwise obstructed from an easy access.
In order to gain the access, you would need to reconfigure the firewall or create VPN which could be an enormous overhead just because you need to execute few commands from now and then. With Two-Way SSH tunnel you can connect to any destination under a single condition, which is, the ability to ssh login from the destination to the source.
If you can do that, you can as well reverse login from source to destination even if it is behind firewall or NAT.
In this tutorial you will learn:
- How to create Two-Way SSH tunnel
Software Requirements and Conventions Used
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Any Linux distribution |
| Software | Source and destination hosts must have SSH client and SSH server installed and configured |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions |
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
How to create an encrypted Two-Way SSH tunnel step by step instructions
In this scenario UserA wishes to connect from the HostA with the IP address 204.55.6.77 to behind the firewall or NAT HostB with the IP address 156.78.4.56 which is maintained by UserB.
- Create SSH tunnelIn order for
UserAto get past the firewall theUserBmust first initiate a remote SSH login toHostAwhile creating an encrypted tunnel to be accessed byUserAon a local ephemeral port eg. 50505. Any port from the 32768 to 61000 range should be fine to use. To do so theUserBexecutes:HostB~$ ssh -R 50505:localhost:22 UserB@204.55.6.77
- Check for a new local portAt this stage the
UserAshould be able to see port50505listening on the hostHostAafter executing the following command:HostA~$ ss -lt State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:ssh *:* LISTEN 0 128 localhost:50505 *:* LISTEN 0 128 *:http *:* LISTEN 0 128 :::ssh :::* LISTEN 0 128 localhost:50505 :::* LISTEN 0 128 :::http :::*
- Use SSH tunnel for a remote SSH loginAll what has left is for the
UserAto use the SSH tunnel available onHostA‘s local port50505to SSH login toHostB:HostA~$ ssh UserA@localhost -p 50505
The result of the above linux command should be a successful remote login from HostB to HostA.
After a successful SSH login the UserA should be connected to HostB via SSH tunnel.
