Why would you need to create a simple Two-Way SSH tunnel? In your Linux system administration job, have you ever found yourself in a situation in which you cannot SSH to any of your servers/hosts because they sit behind a firewall or NAT, or are otherwise obstructed from easy access?
To gain access you would need to reconfigure the firewall or set up a VPN, which could be an enormous overhead just because you need to execute a few commands now and then. With a Two-Way SSH tunnel you can connect to any destination under a single condition: the ability to SSH login from the destination to the source.
If you can do that, you can also reverse the login, from source to destination, even if the destination is behind a firewall or NAT.
In this tutorial you will learn:
- How to create Two-Way SSH tunnel
Software Requirements and Conventions Used

Category | Requirements, Conventions or Software Version Used
---|---
System | Any Linux distribution
Software | Source and destination hosts must have SSH client and SSH server installed and configured
Other | Privileged access to your Linux system as root or via the sudo command.
Conventions | `#` – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command; `$` – requires given linux commands to be executed as a regular non-privileged user
How to create an encrypted Two-Way SSH tunnel step by step instructions
In this scenario UserA wishes to connect from HostA, with the IP address 204.55.6.77, to HostB, with the IP address 156.78.4.56, which sits behind a firewall or NAT and is maintained by UserB.
- Create SSH tunnel. In order for UserA to get past the firewall, UserB must first initiate a remote SSH login to HostA while creating an encrypted tunnel to be accessed by UserA on a local ephemeral port, e.g. 50505. Any port from the 32768 to 61000 range should be fine to use. To do so, UserB executes:

  ```
  HostB~$ ssh -R 50505:localhost:22 UserB@204.55.6.77
  ```
- Check for a new local port. At this stage UserA should be able to see port 50505 listening on HostA after executing the following command:

  ```
  HostA~$ ss -lt
  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
  LISTEN  0       128     *:ssh                *:*
  LISTEN  0       128     localhost:50505      *:*
  LISTEN  0       128     *:http               *:*
  LISTEN  0       128     :::ssh               :::*
  LISTEN  0       128     localhost:50505      :::*
  LISTEN  0       128     :::http              :::*
  ```
- Use SSH tunnel for a remote SSH login. All that is left is for UserA to use the SSH tunnel available on HostA's local port 50505 to SSH login to HostB:

  ```
  HostA~$ ssh UserA@localhost -p 50505
  ```
The result of the commands above should be a successful remote login from HostB to HostA, which carries the tunnel, and then, after a successful SSH login through that tunnel, UserA should be connected to HostB via the SSH tunnel.
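The following helper script is an added example and is not part of the original tutorial. It wraps the two things a practitioner wants around the procedure above: building the command UserB runs on HostB with a few extra OpenSSH options (`-N` so no remote shell is opened, `ExitOnForwardFailure` so the client quits if port 50505 is already taken, and `ServerAliveInterval` so a dead tunnel is torn down rather than left half-open), and checking from `ss -ltn` output that the forwarded port on HostA is bound to loopback only. The `ss` listings inside the script are constructed samples, not captured from a real host; the usernames, hostnames and port are the tutorial's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Two helpers for the
# reverse-tunnel procedure above:
#   tunnel_cmd         builds the command UserB runs on HostB, adding -N
#                      (no remote shell), ExitOnForwardFailure (fail loudly if
#                      the port is already taken) and ServerAliveInterval
#                      (drop a dead tunnel instead of leaving it half-open)
#   check_forward_bind reads `ss -ltn` output and reports whether the
#                      forwarded port listens on loopback only, on a
#                      non-loopback address, or not at all
# The ss lines below are constructed sample output, not captured from a host.

tunnel_cmd() {
    port="$1"; user="$2"; host="$3"
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R %s:localhost:22 %s@%s\n' \
        "$port" "$user" "$host"
}

# Usage: ss -ltn | check_forward_bind PORT   -> prints loopback | exposed | absent
check_forward_bind() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]          # port is the last colon field
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "localhost")
                seen_lo = 1
            else
                seen_other = 1                       # e.g. 0.0.0.0, [::], *
        }
        END {
            if (seen_other)   print "exposed"
            else if (seen_lo) print "loopback"
            else              print "absent"
        }'
}

# Constructed sample: what `ss -ltn` on HostA looks like with the sshd default
# GatewayPorts=no, i.e. the -R port bound to 127.0.0.1 and [::1] only.
SAMPLE_LOOPBACK='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:50505 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:50505 [::]:*'

# Constructed sample: the same port reachable from every interface, which is
# what sshd gives when GatewayPorts is set to yes or clientspecified.
SAMPLE_EXPOSED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:50505 0.0.0.0:*'

# Stand-alone demo on the constructed samples.
echo "UserB runs on HostB: $(tunnel_cmd 50505 UserB 204.55.6.77)"
echo "loopback sample -> $(printf '%s\n' "$SAMPLE_LOOPBACK" | check_forward_bind 50505)"
echo "exposed sample  -> $(printf '%s\n' "$SAMPLE_EXPOSED" | check_forward_bind 50505)"
```

The tutorial's own `ss -lt` listing shows `localhost:50505`, which is the loopback binding that sshd's default `GatewayPorts no` produces: only accounts already logged in on HostA can reach the tunnel, and that is the property worth re-checking after every setup, because a `GatewayPorts yes` on HostA would make HostB's sshd reachable by anyone who can connect to HostA on that port. Note also that `ssh UserA@localhost -p 50505` is authenticated by HostB's sshd, so the host key offered (and recorded in `known_hosts` under `[localhost]:50505`) is HostB's, not HostA's.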