12

We can easily connect via ssh to a remote machine that has a public IP.

But now I have a remote machine without a public IP, and I need to connect to it from my machine, which does have a public IP. So the remote machine should initiate this connection (add a client).

I need it because my grandfather is on a computer without a public IP, and he sometimes needs help with his system.

In a similar situation on Windows I've used a VNC connection (with TightVNC). TightVNC server has an option "Add a client": the user just enters the client's IP (i.e. my public IP), my client is already in "listening mode", and when the "server" adds a client, the connection is initialized.

So, is it possible to perform the same trick with an SSH connection?

Randall
  • 445
Dmitry Frank
  • 2,738
  • But now I have a remote machine without public IP - if you don't have an external internet connection, this remote machine isn't going to connect to anybody. – Jeremy Boden Jan 12 '22 at 01:53

2 Answers

16

By definition, the client is the one that initiates the connection.

For your problem, I think a simple solution would be building a reverse tunnel.

On the computer without public IP:

ssh -R 2222:localhost:22 loginOfServerWithPublicIP@publicIP

This connects to the server by SSH and builds a tunnel from the server with public IP on port 2222 to the computer without public IP on port 22 (SSH).

And then on the server:

ssh -p 2222 loginOfComputerWithoutPublicIP@localhost

The connection is redirected from port 2222 of the server to port 22 of the computer by the first tunnel. You may want to use a tool like autossh to make the tunnel more resilient (i.e. restart it automatically when it shuts down).

lgeorget
  • 13,914
  • Thank you, very useful and concise. See answers to this question for more details and other useful options. – AstroFloyd Jan 18 '18 at 19:52
  • Very clever ! :-) I love it. – bvdb Feb 11 '21 at 19:43
  • Has this been tried and proven to work?

    I doubt this works in the most popular case, where the two machines to be connected through SSH are both in their own private networks. In that case

    ssh -p 2222 loginOfComputerWithoutPublicIP@localhost

    will not reach the end of the tunnel created by the ssh -R command.

    We have tried different scenarios and were unable to make this work with two servers in two different networks.

    – SC-SL Jan 12 '22 at 16:33
  • @SC-SL I've just tried it right now. I sshed from my laptop to a server, then sshed from another device to the same server and was able to ssh from that server to my laptop via the tunnel open on port 2222. My answer addresses only the situation where you have a private network, a public SSH server, and you occasionally want to ssh to your private host, from the public one. – lgeorget Jan 12 '22 at 18:38
0

To remove ambiguities of names such as remote, client, host, server, I created a diagram where Local PC (LPC-1) needs to SSH to Remote PC (RPC-2); both Local and Remote PCs are in their respective networks behind their routers with their public IP addresses. A user cannot modify the port forwarding settings of the remote router; however, the user has access to the local router to modify the port forwarding settings.

[Diagram: How to SSH between two machines within their networks (image not available)]

  • Local user account: userLPC1
  • Remote user account: userRPC2

The above two commands translate to:

RPC2> ssh -f -N -T -R2222:localhost:22 42.48.128.49
LPC1> ssh -p 2222 userRPC2@localhost

However, LPC1 is also behind a firewall, i.e. the Local Router (LR). The Local Router (LR) can be confirmed to port forward 2222 to LPC1.

I doubt running ssh -p 2222 userRPC2@localhost on LPC1 will reach RPC2, since LPC1 is not on public network.

I am hoping somebody will use these diagrams to provide clearer steps to create an SSH session between LPC1 and RPC2.

SC-SL
  • 101
  • That's a more generalized version of the problem described by the OP, who has a server with a public IP and one host without, not two hosts each inside a private network. – lgeorget Jan 12 '22 at 18:45
  • In your example, is port 22 on the router forwarded to port 22 on 192.168.1.16? – lgeorget Jan 12 '22 at 18:51
  • Do you mean port 2222 on LR forwarded to port 2222 on 192.168.1.16? I think 2222 needs to be forwarded so that ssh -p 2222 userRPC2@localhost works.

    Yes we tried with the port forwarding and did not work. I will try and post the results!

    – SC-SL Jan 12 '22 at 21:23
  • If I understand your setup correctly, you need to forward port 22 on router LR to port 22 on LPC1. When you do ssh -R 2222:localhost:22 user@server it opens a tunnel from server on port 2222 towards localhost (i.e. the client) on port 22. That's what makes your SSH server installed on localhost and listening on port 22 accessible on port 2222 on the server. The -R option does the "forwarding" (except that it's not a network forwarding like the router does, it's on top of SSH but it works the same). – lgeorget Jan 12 '22 at 22:30
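The following script is an added example; it is not code from either answer above. It assembles the two commands lgeorget's answer describes (the `-R` reverse tunnel on the private machine and the `ssh -p 2222 ...@localhost` hop on the public server), wraps the tunnel in autossh as the answer suggests, and adds the check a practitioner wants on the public side (LPC1 in SC-SL's diagram): that the forwarded port 2222 listens only on the server's loopback interface, so the tunnel back to the private machine is not reachable from the rest of the network. The login `alice@203.0.113.10`, the user `userRPC2` and the `ss -ltn` output are constructed; 203.0.113.0/24 is a documentation address range, not a real host.

```shell
#!/bin/sh
# Added example, not code from either answer: build the reverse tunnel that
# lgeorget describes, harden it a little, and check on the public server that
# the forwarded port is bound only to the loopback interface.
# Assumed names: user "userRPC2" on the private machine, login
# "alice@203.0.113.10" on the public server (documentation range, not a real host).

# Command for the machine WITHOUT a public IP (RPC2, the grandfather's PC).
# The bind address 127.0.0.1 in -R keeps the listener on the server's loopback;
# sshd's default GatewayPorts=no gives the same result for a plain "-R 2222:...".
# ExitOnForwardFailure=yes makes ssh exit if the server-side port is already
# taken, so autossh restarts it instead of keeping a connection with no tunnel.
# -M 0 disables autossh's own monitor port; ServerAlive* detects dead links.
reverse_tunnel_cmd() {
    remote_port=$1
    server_login=$2
    printf 'autossh -M 0 -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:localhost:22 %s\n' \
        "$remote_port" "$server_login"
}

# Command for the public server: hop back through the tunnel.
tunnel_login_cmd() {
    remote_port=$1
    private_user=$2
    printf 'ssh -p %s %s@localhost\n' "$remote_port" "$private_user"
}

# Classify the listeners for one port from "ss -ltn" output read on stdin.
# Exit 0: listener(s) present, all on loopback; 1: at least one listener is on
# a non-loopback address (tunnel exposed to the network); 2: nothing listens.
tunnel_listener_status() {
    awk -v port="$1" '
        $1 == "State" { next }                 # skip the header line
        {
            n = split($4, a, ":")              # local address:port is column 4
            p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p != port) next
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { if (!found) exit 2; if (exposed) exit 1; exit 0 }'
}

# Run the check against the live socket table on the public server.
check_tunnel_on_server() {
    ss -ltn | tunnel_listener_status "$1"
}

# Constructed sample of "ss -ltn" output (not captured from a real host):
# sshd on all interfaces, and the tunnel on IPv4 and IPv6 loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:2222      0.0.0.0:*
LISTEN 0      128    [::1]:2222          [::]:*'

# Constructed sample where GatewayPorts=yes put the tunnel on every interface.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*'

reverse_tunnel_cmd 2222 alice@203.0.113.10
tunnel_login_cmd 2222 userRPC2
printf '%s\n' "$SAMPLE_SS" | tunnel_listener_status 2222 \
    && echo "sample 1: tunnel port 2222 bound to loopback only"
printf '%s\n' "$SAMPLE_SS_EXPOSED" | tunnel_listener_status 2222 \
    || echo "sample 2: tunnel port 2222 is exposed or missing (status $?)"
```

On the public server, `check_tunnel_on_server 2222` runs the same classification over the real `ss -ltn` table; a non-zero status means either that the private machine has not (re)connected yet, or that the listener ended up on a non-loopback address, which is what to look for after changing `GatewayPorts` in sshd_config or the bind address in `-R`.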