- no port forwarding needed on the LAN of the host
- encrypted connection
- hides the IP of the host
- a Virtual Private Server (VPS) - e.g. a minimal package on Lunanode for ~3.5$/month
- root access on the VPS - only root can forward ports under no. 1000
- ssh access to the host computer (the machine the ports will be forwarded from)
-
Check for an ssh public key on the host computer:
$ cat ~/.ssh/*.pub
-
If there is none, generate one (keep pressing ENTER):
$ ssh-keygen -t rsa -b 4096
-
Copy the ssh public key over to the VPS (fill in the VPS_IP_ADDRESS).
You will be prompted for the root password of the VPS.
$ cat ~/.ssh/id_rsa.pub | ssh root@VPS_IP_ADDRESS 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys'
-
Log in to the VPS as root, or run:
$ sudo su -
-
Edit the sshd config:
$ sudo nano /etc/ssh/sshd_config
-
Make sure these entries are active (uncommented, meaning there is no # at the beginning of the line).
You can just paste these at the end of the file:
RSAAuthentication yes
PubkeyAuthentication yes
GatewayPorts yes
AllowTcpForwarding yes
ClientAliveInterval 60
CTRL+O, ENTER to save, CTRL+X to exit.
-
Restart the sshd service (WARNING: you can lose access at this point if the config is wrong):
$ sudo systemctl restart sshd
-
Create the service file on the host computer:
$ sudo nano /etc/systemd/system/autossh-tunnel.service
-
Paste the following and fill in the VPS_IP_ADDRESS.
Add or remove ports as required.
[Unit]
Description=AutoSSH tunnel service
After=network.target

[Service]
User=root
Group=root
Environment="AUTOSSH_GATETIME=0"
# each -R VPS_PORT:localhost:HOST_PORT exposes one port of this host on the VPS
ExecStart=/usr/bin/autossh -C -M 0 -v -N -o "ServerAliveInterval=60" -R 9735:localhost:9735 -R 443:localhost:443 -R 80:localhost:80 root@VPS_IP_ADDRESS
StandardOutput=journal

[Install]
WantedBy=multi-user.target
-
Enable and start the service:
$ sudo systemctl enable autossh-tunnel
$ sudo systemctl start autossh-tunnel
-
The port forwarding with a reverse ssh-tunnel is now complete. You should be able to access the ports/services of the host computer through the IP of the VPS.
-
Check if there are any errors on the host computer:
$ sudo journalctl -f -n 20 -u autossh-tunnel
-
To check if the tunnel is active on the VPS:
$ netstat -tulpn
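For the sshd_config step above: sshd uses the first value it reads for each keyword, so entries pasted at the end of the file are ignored when the same keyword is already active earlier (for example a stock `GatewayPorts no`). The check below is an added example, not part of the original guide; the function names and the sample file are constructed for illustration, and it reads only the global section (it stops at the first Match block and does not follow Include files).

```shell
#!/bin/sh
# Added example. sshd uses the FIRST value it reads for a keyword, so a line
# pasted at the end of sshd_config loses to an earlier active line.

# effective_value FILE KEYWORD: print the global value sshd would use
effective_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t=]+/)) next    # keyword without argument
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART + RLENGTH); sub(/[ \t]+$/, "", val)
            if (key == "match") exit             # conditional blocks start here
            if (key == tolower(want)) { print val; exit }  # first one wins
        }' "$1"
}

# check_tunnel_config FILE: return 0 only if every entry from the guide is effective
check_tunnel_config() {
    rc=0
    for pair in RSAAuthentication=yes PubkeyAuthentication=yes GatewayPorts=yes \
                AllowTcpForwarding=yes ClientAliveInterval=60; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FIX  $key: effective '${got:-default}', guide expects '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: an existing config with the guide's lines pasted at the end.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
GatewayPorts no
#AllowTcpForwarding yes
ClientAliveInterval 60
RSAAuthentication yes
PubkeyAuthentication yes
GatewayPorts yes
AllowTcpForwarding yes
ClientAliveInterval 60
EOF
check_tunnel_config "$sample" || echo "edit the earlier line instead of appending"
```

On the VPS itself, `sshd -T` prints the fully resolved configuration (Include files included) and `sshd -t` checks the syntax before the restart.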
https://stadicus.github.io/RaspiBolt/raspibolt_20_pi.html#login-with-ssh-keys