Why would you need to create a simple Two-Way SSH tunnel? In your Linux system administration job have you ever found your self in a situation in which you cannot SSH to a any of your servers/hosts that may be behind a firewall, NAT or otherwise obstructed from an easy access.

In order to gain the access, you would need to reconfigure the firewall or create VPN which could be an enormous overhead just because you need to execute few commands from now and then. With Two-Way SSH tunnel you can connect to any destination under a single condition, which is, the ability to ssh login from the destination to the source.

If you can do that, you can as well reverse login from source to destination even if it is behind firewall or NAT.

In this tutorial you will learn:
  • How to create Two-Way SSH tunnel
How to create a simple encrypted Two-Way SSH tunnel
How to create a simple encrypted Two-Way SSH tunnel

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distribution
Software Source and destination hosts must have SSH client and SSH server installed and configured
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ - requires given linux commands to be executed as a regular non-privileged user

How to create an encrypted Two-Way SSH tunnel step by step instructions

In this scenario UserA wishes to connect from the HostA with the IP address to behind the firewall or NAT HostB with the IP address which is maintained by UserB.

  1. Create SSH tunnel

    In order for UserA to get past the firewall the UserB must first initiate a remote SSH login to HostA while creating an encrypted tunnel to be accessed by UserA on a local ephemeral port eg. 50505. Any port from the 32768 to 61000 range should be fine to use. To do so the UserB executes:
    HostB~$ ssh -R 50505:localhost:22 UserB@

    Subscribe to our NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.

  2. The result of the above linux command should be a successful remote login from HostB to HostA.

  3. Check for a new local port

    At this stage the UserA should be able to see port 50505 listening on the host HostA after executing the following command:
    HostA~$ ss -lt
    State       Recv-Q Send-Q        Local Address:Port                         Peer Address:Port                
    LISTEN      0      128                       *:ssh                                     *:*                    
    LISTEN      0      128               localhost:50505                                   *:*                    
    LISTEN      0      128                       *:http                                    *:*                    
    LISTEN      0      128                      :::ssh                                    :::*                    
    LISTEN      0      128               localhost:50505                                  :::*                    
    LISTEN      0      128                      :::http                                   :::*
  4. Use SSH tunnel for a remote SSH login

    All what has left is for the UserA to use the SSH tunnel available on HostA's local port 50505 to SSH login to HostB:
    HostA~$ ssh UserA@localhost -p 50505
    After a successful SSH login the UserA should be connected to HostB via SSH tunnel.
FIND LATEST LINUX JOBS on LinuxCareers.com
Submit your RESUME, create a JOB ALERT.
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
Get extra help by visiting our LINUX FORUM or simply use comments below.