1

How would I go about using ssh on Mac OS X to remote into a computer that's overseas? I would like to help my brother with his computer, but he lives in the UK now (and I'm pretty sure he uses a VPN to maintain connection to US-based streaming media services). I've done it on my LAN, but never to a remote server...much less one that's overseas.

I tried the basic ssh username@xx.xx.xx.xx, but I'm sure there are PLENTY of reasons why a random IPv4 address won't work :D

Do we need to configure his side?

Rui F Ribeiro
  • 4
    Why should being overseas make any difference? Assuming xx.xx.xx.xx was actually replaced with the correct IP address, what happened when you tried to ssh to it? – JigglyNaga Aug 17 '16 at 20:07
  • At work (in Denmark) I routinely use SSH to log in to servers in the US. There's no real difference from when I log in to servers 10 kilometers away – Henrik supports the community Aug 17 '16 at 20:16
  • 1
    The result of running the basic SSH command would be useful - are there any messages printed? –  Aug 17 '16 at 21:43

3 Answers

2

Well, you would need him to port forward port 22 from his computer and have him be running sshd if you want to do it the simple way.

On the other hand, you can do the dirty work and have him do a port forward through ssh to your computer. This would be done by you setting up an ssh daemon (instructions for OSX here), then port forwarding port 22 (ssh port) from your main computer through your router. There are many, many variations between each router and firmware, so I really can't walk you through this step. However, this site seems to have a very large database of guides tailored for different routers, so you might have some luck there. Also make sure you set a static private IP address for your main computer so that DHCP doesn't give you a new address. If this happens, your external port will be forwarded to a non-existent internal host, so it would be pointless.

Next, create a user for your brother. Nothing fancy here, just make sure it has a password and that he knows what it is. Also make sure that he has an ssh daemon running on his computer. He may also be interested in creating a user on his computer for you so that he need not expose his password to you and give you your own home directory.

Once you have an ssh daemon running, have your brother connect to your computer with the command ssh -R 2222:localhost:22 brother@your.public.ip.here. He should be able to connect and enter his password (which doesn't show on UNIX-based OSes while you enter it, for security reasons). Once he's connected, traffic from your computer on port 2222 will be forwarded to his computer's port 22 (the ssh port). You should now be able to connect to his computer with ssh -p 2222 you@localhost. Have fun!

As a closing remark, you may also want to pick up a hostname from a DDNS site, I suggest no-ip.com. This way, you can easily connect to your router, which will be at something.ddns.net, or something along those lines. I like no-ip because it's free, and if you configure your router to use it correctly, it will automatically update the hostname to point to your public IP address.
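An added hardening example for the account created for the reverse tunnel in the answer above (not the answerer's code): the function prints an sshd_config Match block that limits that account to the single reverse forward. The user name brother and port 2222 come from the answer; the function name tunnel_match_block, key-only login and the /usr/bin/false path are assumptions, and PermitListen needs OpenSSH 7.8 or later.

```shell
#!/bin/sh
# Added example: emit an sshd_config Match block for a tunnel-only account.
# "brother" and port 2222 come from the answer; everything else is assumed.

# tunnel_match_block USER PORT
# Prints the block on stdout; returns 1 (printing nothing) on unsafe input,
# so a typo can never end up as an extra directive in sshd_config.
tunnel_match_block() {
    user=$1 port=$2
    # Account name: lowercase letter or "_" first, then letters, digits, "_" or "-"
    case $user in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    # Port: digits only, in the unprivileged range
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1

    cat <<EOF
Match User $user
    # Keys only: no password to guess on an internet-facing port 22
    AuthenticationMethods publickey
    # Only reverse (-R) forwards, and only this one loopback listener
    AllowTcpForwarding remote
    PermitListen localhost:$port
    GatewayPorts no
    # No shell, no terminal, nothing else rides on the session
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /usr/bin/false
EOF
}

# Typical use (then check the result with "sshd -t" before restarting sshd):
#   tunnel_match_block brother 2222 | sudo tee -a /etc/ssh/sshd_config
```

With this block in place the brother's side has to pass -N (no remote command), for example ssh -N -R 2222:localhost:22 brother@your.public.ip.here, because the account can no longer start a shell.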

  • Thank you for your answer! I still haven't gotten a chance to try it with him again (as his schedule is 5 hours ahead of mine :) but I think by having him enable remote login (duh, can't believe I forgot that) and by finding his actual PUBLIC IP will be a good start. I'll report back if it's successful or not! Also, I LOVE these forums. Everyone is awesome for helping each other out. Learning computers and programming is exciting because the community rocks. – Sparrow1029 Aug 21 '16 at 01:45
  • @Sparrow1029 sure, I'm happy to help. The one issue with what you are proposing is that he would have to go through the trouble of port forwarding, and it sounds like you are better with this stuff than he is based on the question. I can explain how NATs/routers work and why it's not as simple as getting his public address if you need me to, although I'm not sure how familiar you are with it. – John Leuenhagen Aug 21 '16 at 05:45
  • I think the critical step I may have forgotten from your instruction may be the "Have an ssh daemon running". Do I need to have him run an sshd command? Also, DDNS is a good idea, though this exercise is mostly for me to learn about ssh and networking in general :) I had him enable port forwarding for SSH on his router, and used ssh -f -N -T -R 2222:localhost:22 my.public.ip but it didn't work...does he need brother@my.public.ip? And will that work if he doesn't have an account on my machine? – Sparrow1029 Aug 22 '16 at 01:18
  • 1
    @Sparrow1029 I linked the instructions for enabling an ssh daemon on OSX at the top of my answer. Yes, he needs to have an ssh daemon running, which is usually named sshd. If he's on Linux, he should run 'systemctl enable sshd' and then 'systemctl start sshd', both commands, as root, if he's on a distro that uses systemd (Fedora, Arch, etc.). Also make sure that he has an ssh daemon installed. Some distros, like Ubuntu, separate the ssh client and server packages, so in that case, he would have to run 'apt-get install ssh-server' as root. – John Leuenhagen Aug 22 '16 at 04:34
1

SSH doesn't care about distance. To connect to the computer whose name is somewhere.example.com, just run ssh somewhere.example.com. To connect to the computer whose IP address is 192.0.2.4, just run ssh 192.0.2.4. Of course the target computer must be running an SSH server.

The fly in the ointment is that your brother's computer probably doesn't have an IP address that you can reach. Most computers aren't directly reachable from the Internet: they're behind a NAT appliance. Most ISP boxes (called “routers” or “modems”) also perform NAT. In its basic form, NAT gives computers on a network a private IP address (i.e. an address that's only valid on that local network), and allows outgoing connections through a single public IP address, but not incoming connections.

To reach your brother's computer, you need to get him to configure his NAT appliance to make incoming SSH connections reach the computer you want to reach. The modem/router's web interface probably has a setting for that somewhere.

A further difficulty is that most home ISPs assign IP addresses dynamically, so your brother's IP address changes over time (typically every few days). You should get him to set up dynamic DNS, to make his computer register the IP address with a server each time it changes. Some ISP appliances support dynamic DNS, but this is far from universal; if your brother's doesn't, he'd have to do this from his computer.

Alternatively, you could go through those steps yourself, get your brother to SSH to your machine, and set up a reverse SSH tunnel.

0

Logging into a computer inside your LAN via SSH is not very different from logging in to a computer on the internet. But there are a few things that have to be taken into account.

  1. The computers on your LAN are very likely in a "private" network whose address space is not routed on public WANs (see here). I guess when you do ifconfig your interface will be configured with some sort of 192.168.0.x or 10.x.x.x IP address. Is that right?

  2. Computers sitting in such networks have access to the internet. But in return the internet does not necessarily have access to your computer by its IP. The reason is that the IPs of your LAN are mapped to one public routable address that you may even have in common with the devices in your whole neighbourhood. That is done by your ISP (so-called NAT).

  3. Even when your brother uses a VPN he does not necessarily have a public IP address assigned to his computer because even the VPN provider could use NAT to save IP addresses and hide a whole community behind one or several public IPs.

The first and simplest thing I would do in this situation is to check whether you and your brother have ISPs that assign IPv6 addresses to their clients. Have a look here.

These addresses have 8 blocks of 4 hexadecimal digits separated by colons. See here. And their advantage is: there are a lot of them available, so that each network-capable device on earth can have at least one unique address. Do ifconfig on your PC and let your brother do ifconfig too.

In case your ISP is providing IPv6 and your PC is configured to obtain them (which I guess is the default, at least in Linux), then you should find a row shaped like the following:

inet6-address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope:global

(Update: Instead of scope:global you also could have scopeid: 0xe)

Note that the notation standard for IPv6 addresses allows dropping consecutive blocks of 0 digits: 1234:000:0000:0000:0000:0000:000:5678 -> 1234::5678 (which is very useful).

Then - in the easiest case - you can simply do:

ssh username@[ipv6-address of your brother]
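The last two answers both turn on whether an address shown by ifconfig is private or globally routable; this added example (not from either answer) classifies each address in ifconfig output, and goes beyond the text by also covering the carrier-grade NAT range 100.64.0.0/10 and IPv6 unique local addresses. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answers): classify addresses seen in ifconfig output.

# classify_addr ADDR -> loopback | link-local | private | cgnat | global | other
classify_addr() {
    addr=${1%%"%"*}      # drop a zone suffix such as %en0
    addr=${addr%%/*}     # drop a prefix length such as /64
    case $addr in
        ::1) echo loopback ;;
        [fF][eE][89aAbB][0-9a-fA-F]:*) echo link-local ;;        # fe80::/10
        [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*) echo private ;;      # fc00::/7, unique local
        [23][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:*) echo global ;;  # 2000::/3
        *:*) echo other ;;
        *[!0-9.]*|*.*.*.*.*|.*|*..*|*.) echo other ;;            # malformed IPv4
        *.*.*.*)
            o1=${addr%%.*}; rest=${addr#*.}; o2=${rest%%.*}
            if   [ "$o1" -eq 127 ]; then echo loopback
            elif [ "$o1" -eq 10 ]; then echo private             # 10.0.0.0/8
            elif [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo private
            elif [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; then echo private
            elif [ "$o1" -eq 169 ] && [ "$o2" -eq 254 ]; then echo link-local
            elif [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then echo cgnat
            else echo global
            fi ;;
        *) echo other ;;
    esac
}

# scan_ifconfig: ifconfig output on stdin -> "<class> <address>" per address.
# Accepts "inet6 ADDR ..." (macOS, current Linux) and the older "inet addr:ADDR".
scan_ifconfig() {
    awk '$1 == "inet" || $1 == "inet6" {
             a = $2; if (a == "addr:") a = $3; sub(/^addr:/, "", a); print a
         }' | while read -r a; do
        printf '%s %s\n' "$(classify_addr "$a")" "$a"
    done
}

# Constructed sample; 2001:db8::/32 is the documentation prefix, standing in
# for an ISP-assigned global address.
SAMPLE='en0: flags=8863<UP,BROADCAST,RUNNING> mtu 1500
    inet6 fe80::1c2d:3e4f:5a6b:7c8d%en0 prefixlen 64 scopeid 0xe
    inet6 2001:db8:12:34:1c2d:3e4f:5a6b:7c8d prefixlen 64 autoconf
    inet 192.168.0.12 netmask 0xffffff00 broadcast 192.168.0.255'

printf '%s\n' "$SAMPLE" | scan_ifconfig
```

On a real machine, pipe ifconfig into scan_ifconfig. A "global" result only means the address is publicly routable; a firewall on the router or the host can still drop inbound port 22.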