# Reverse SSH into private network?

## OdinsDream

I've set up a laptop for my sister, and she's off at school. It would really be great if I could help her with an SSH session when she has particularly complex problems.

However, her computer is on a private network. She can use AIM, and other web services, so I believe she'd be able to SSH into my computer, but I cannot SSH into hers.

What's the simplest way for me to get an SSH session on her computer given this setup? Is there a reverse method whereby she can connect to me, and then I connect back through to her?

----------

## slug420

site to site vpn  :Smile: 

----------

## grant.mcdorman

It's certainly possible, but what you can run is limited by what services she has running.

In my case, I do something like this all the time; at my workplace, one can only connect in via a proprietary Windows-only product (SecuRemote). So, what I do is to use VMWare to connect to work, and then establish a reverse session using this shell script [names changed to protect the guilty]:

```
#!/bin/sh
# Runs on the machine behind the NAT firewall (the one that can make outbound SSH).
# $1 = xauth protocol name (e.g. MIT-MAGIC-COOKIE-1), $2 = hex key, $3 = home host (optional)

HOST=${3:-a.dns.host.name.or.ip}

# X forwarding: register the supplied xauth entry for the displays used below
LOCALHOST=`hostname`
xauth add localhost/unix:1 $1 $2
xauth add localhost:1 $1 $2
xauth add ${LOCALHOST}/unix:1 $1 $2
xauth add ${LOCALHOST}:1 $1 $2
xauth add ${LOCALHOST}/unix:63 $1 $2
xauth add ${LOCALHOST}:63 $1 $2

#forward ports: local display 1 forwards to remote display 0
#               remote 5903 (VNC as display 3)
# Start a VNC server on display :3 (-ac disables X access control: no security at all)
Xvnc -depth 24 -geometry 1280x1024 -ac :3&
VNC=$!

# ports to open here (-L: listen on this machine, connect out on the home side)
localports="6001:localhost:6000"

# ports to open there (-R: listen on the home machine, connect back to this side)
# 3389 is RDP
homeports="5903:localhost:5903 1430:imaphost:143 8080:wwwproxy:80 2323:localhost:23 2500:smtphost:25"

cmd=""
for p in $localports;do cmd="$cmd -L $p";done
for p in $homeports;do cmd="$cmd -R $p";done

# -g: let other hosts use the -L ports; -n -T -f -N: no stdin, no tty, background, no remote command
# -p 23: the home machine is exposed on the home NAT gateway as port 23, not 22
ssh -gnTfN $cmd -p 23 ${HOST}
sleep 5

# start lbxproxy for lower-bandwidth connection
lbxproxy -display localhost:1 :63&
LBX=$!
sleep 7

# start terminal window (xterm or your choice)
rxvt -display :63&

# wait for lbxproxy to terminate
wait $LBX

# kill VNC server
kill $VNC
```

You run the script with the xauth code (output from xauth, i.e. MIT-MAGIC-COOKIE and the hex key), and, optionally, your hostname.

What this script does is as follows:

1. Set up X authorization using the supplied xauth type and key
2. Run a VNC server (without any security enabled, by the way)
3. Forward ports from the machine to yours: 5903 for a 24-bit VNC server, 1430 for IMAP, 8080 for the local Web proxy, 2323 for telnet, and 2500 for SMTP (mail sending)
4. Forward the X display port from your machine to the remote host, via lbxproxy to help with bandwidth
5. Run a terminal window to display on your machine

In the script, 'ports to open here' (localports) are ports to forward from your machine to your sister's, and 'ports to open there' (homeports) are ports to forward from hers to yours.

Obviously, some of these services may not be available; in particular, your sister's machine may not be running a telnet daemon, and you may not need IMAP, SMTP, and Web proxy.

However, the other two things - VNC server and a terminal window - would work fine. On top of that, once you've got that terminal window, you've got a $DISPLAY (on her machine) that can be used for any X application.

The VNC display can be used instead of an X display; note that it has no local security whatsoever, though - anyone that can connect to her machine would be able to view and manipulate the VNC server's virtual display.

If she is running KDE, you can also forward VNC display 0 (port 5900), and enable KDE's remote desktop sharing; this would allow you to see *her* desktop.

Also note that to allow your local X display to be forwarded, you have to remove the '-nolisten tcp' option from the X startup in whatever display manager you're using (/etc/X11/xdm/Xservers, /usr/kde/3.1/share/apps/kdm/Xserver, /etc/gdm-something for GDM).

You could also forward port 22 (ssh) to 2222 on your machine, allowing you to do something like

```
ssh -p 2222 localhost
```

to get a command line, or

```
scp -P 2222 file localhost:file
```

to copy files. This is a bit weird - but functional, though, because it'd be ssh tunnelled through ssh.

None of this requires root privileges at either end of the connection; it doesn't even need a ssh daemon (sshd) running on your sister's machine.

A VPN, as suggested by slug420, would also work, but personally I don't know how to set that up. I suspect that root access would be required.

----------

## barlad

I must admit I did not grasp all the subtleties in the previous solution, but I guess the problem is that your sister is on a network that uses NAT to grant her internet access. You cannot initiate a connection to her PC from the outside - except if the router does port redirection, which is irrelevant here unless the school admin is her boyfriend.

As far as I know (and my knowledge is very limited) you cannot set up a real "reverse ssh" session... the best solution to me is the vpn site to site. Your sister initiates the connection to your PC and you are done.

I am not sure how the previous solution is going to work since it seems like you would have to initiate the connection to your sister's pc which is impossible.

----------

## barlad

My knowledge is indeed very limited. Glad to have been proven wrong once again. Read that:

*Quote:*

> http://www.brandonhutchinson.com/ssh_tunnelling.html

I suppose that's exactly what you need.

----------

## grant.mcdorman

*barlad wrote:*

> My knowledge is indeed very limited. Glad to have been proven wrong once again. Read that:
> 
> http://www.brandonhutchinson.com/ssh_tunnelling.html
> 
> I suppose that's exactly what you need.

Exactly; my solution is just a more complicated version of that (more ports get opened, and an X terminal is run).

Perhaps I need to clarify a bit: the script runs on OdinsDream's sister's computer (i.e. on the machine behind the locked-down NAT firewall). I am using it in exactly the same situation they have, as far as I can tell: my work computer (where I run the script) is behind a NAT firewall, with pretty much everything closed, except for the proprietary/non-*nix SecuRemote access. (Actually, my home LAN is too, but since I control that I've opened ports in the firewall - to just the work NAT gateway.)

One point I forgot in the script: ssh is invoked with the option '-p 23'. This is because the machine I want to connect to at home is visible on my home NAT gateway as port 23 (not the default SSH port 22).

----------

## OdinsDream

Is there perhaps an easier way using screen and my sister's outbound SSH session?

I admit I am not very knowledgeable about screen, but I'll be reading up on it this evening. My thought was that I could create a shared screen session, she could log in and attach to it, then I'd be able to type to her. I don't really know if this gets me anywhere, though, does it.

Just a thought. It would really need to be something simple, since until I get SSH, everything I do is over the phone with her, or with an IM session. I think this rules out site VPNs, since I haven't even been able to get that working between two networks I have full access to. (Admittedly, one end has a cisco PIX firewall which I barely understand)

God forbid, someone hasn't created a gaim<->shell plugin, have they?

----------

## grant.mcdorman

*OdinsDream wrote:*

> Is there perhaps an easier way using screen and my sister's outbound SSH session?

Nope. screen lets one have several virtual sessions attached to one "terminal". In this case, the "terminal" would be your sister's SSH session - i.e. at her end. I think screen does let you detach sessions, and reattach to them later, but that doesn't help - the sessions would be on your machine, and therefore of no use to you. (Sessions on her machine would be inaccessible, since they'd be on the wrong end of the ssh connection.)

The simplest thing is what's given in the URL barlad's post points to: your sister does: 

```
ssh -R 220:localhost:22 your_home_computer
```

and then you do:

```
ssh -p 220 localhost
```

and you're on her machine. (This is presuming that she has an account on your machine with the same userid as her account on her machine; if not, use the -l option to ssh.)

Note that her ssh session will, by default, also try to start a shell session on your machine. If she doesn't need or want a shell session, add the -N (don't execute a command) and -f (go into the background) options to her ssh command.

On the other hand, if what you want is to be able to demonstrate things for her, then some variation of KDE desktop sharing or VNC for display 0 is what you want. With that, you could both see - and interact with - her desktop.

If she runs the KDE desktop, then it's quite easy: she goes to the KDE Control Centre (um, center, silly 'mercans), expands Internet And Network, picks Desktop Sharing, and creates an invitation. She then does:

```
ssh -R 5901:localhost:5900 yourhome_computer
```

and you, on your computer, use KDE Remote Desktop Connection (under the Internet sub-menu), or vncviewer from the command line, to connect to localhost:1. You would then see, and can interact with if required, her desktop. (The same notes apply to the ssh options, by the way.)

Note that you need to emerge vnc (or tightvnc) to get the command-line vncviewer.

If she isn't running KDE, then you'd have to find a VNC server for display 0 to install on her system. The latest RealVNC, version 4, has this; unfortunately there's no ebuild in portage for this version yet. Alternatives that do have ebuilds in portage include xf4vnc and gemsvnc.

With respect to VPNs, as I said before I don't know much about them; however, I would expect that it would show up as a virtual network interface on both your machine and hers; that would imply more configuration as root, and wouldn't give you a great deal more than using ssh as described above. It would make her machine appear as a node on your network, but if all you need is some predefined number of ports, then ssh -R will do nicely.

It all comes down to what you want to do, in the end.
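The two halves of the simple solution in this post (the `ssh -R` that the sister runs, and the `ssh -p ... localhost` that you run at home), together with the -N/-f and -l notes, wrapped into a small POSIX shell helper. This is an added example, not code from the thread or from any of its posters: it validates each `listenport:host:targetport` forward spec, composes the command lines instead of running them, and binds the listener on the home machine to 127.0.0.1 (ssh's `[bind_address:]port:host:hostport` form of `-R`) so that only someone already logged in on the home machine can reach the tunnel. The host name `your_home_computer`, the port numbers and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build and check the reverse-tunnel commands from the thread.
# Nothing here opens a connection; the functions only compose and validate.

# is_port N -> 0 if N is an integer in 1..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_forward SPEC -> 0 if SPEC looks like "listenport:host:targetport"
validate_forward() {
    spec=$1
    case $spec in
        *:*:*) ;;
        *) return 1 ;;
    esac
    lport=${spec%%:*}
    rest=${spec#*:}
    fhost=${rest%%:*}
    tport=${rest#*:}
    [ -n "$fhost" ] || return 1
    is_port "$lport" && is_port "$tport"
}

# build_tunnel_cmd HOMEHOST SPEC... -> prints the command the sister runs.
# -N: no remote command, -f: background; each -R is bound to 127.0.0.1 on
# the home machine so the tunnel is not reachable from the rest of the LAN.
build_tunnel_cmd() {
    homehost=$1
    shift
    [ -n "$homehost" ] || return 1
    cmd="ssh -N -f"
    for p in "$@"; do
        validate_forward "$p" || return 1
        cmd="$cmd -R 127.0.0.1:$p"
    done
    printf '%s %s\n' "$cmd" "$homehost"
}

# build_connect_cmd PORT [USER] -> prints the command you run at home.
# USER is only needed when her login name differs from yours (ssh -l).
build_connect_cmd() {
    port=$1
    user=$2
    is_port "$port" || return 1
    if [ -n "$user" ]; then
        printf 'ssh -l %s -p %s localhost\n' "$user" "$port"
    else
        printf 'ssh -p %s localhost\n' "$port"
    fi
}

# Usage with the thread's own numbers (host name is a constructed placeholder)
build_tunnel_cmd your_home_computer 220:localhost:22 5901:localhost:5900
build_connect_cmd 220
```

Without the `127.0.0.1:` prefix the listener is still loopback-only by default, because sshd's GatewayPorts setting is off unless the home machine's admin turned it on; spelling out the bind address makes the intent survive a config change.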

----------

## OdinsDream

Many thanks, grant. The first solution appears to be exactly what I need. It likely won't be necessary to demonstrate things, but rather to do something like recompile a kernel, or install new programs and shell scripts. Thanks again, I'll give it a shot on monday.

----------

## 59729

screen -x would allow you to attach however many screens you want to 1 session

----------

## BillyBreen

I wrote this article (http://www.linuxjournal.com/article.php?sid=6675) about VTun for Linux Journal last year.  I use this setup to connect to work from home.  It may be overkill for what you are doing, but it gives you a far more comprehensive VPN solution than ssh forwarding.

----------

## zayhen

Hi guys,

I was setting up a development environment for wap applications, when I was stuck at the problem that the servers I was setting up are inside a private network. So, I got the same problem described here.

I used 

```
ssh -R port:host:hostport remote_server
```

with success to get external clients to access the internal site, but the problem persists when I try to access via wap browsing:

```
Hostname could not be resolved
```

is what I get.

I don't know if this is important but I use the same external server for getting through the internet from my office.

----------

## GNUtoo

*BillyBreen wrote:*

> I wrote this article (http://www.linuxjournal.com/article.php?sid=6675) about VTun for Linux Journal last year.  I use this setup to connect to work from home.  It may be overkill for what you are doing, but it gives you a far more comprehensive VPN solution than ssh forwarding.

why do you have 2 work networks?

```
      # 192.168.5.0/24 = actual work network 1
      # 192.168.100.0/24 = actual work network 2
```

----------

