set up SSH tunnel for machines behind NAT

Quick ssh forwarding setup:

0. Topology

          ┌───────────┐
          │ MACHINE A │   ssh -p 23456 user@localhost ──► :23456 on MachineA
          │  (HOME)   │                                  (lands on MachineB's sshd)
          └─────┬─────┘
                │  $ autossh -L 23456:localhost:12345 jump@relay
                ▼
          ┌───────────┐
          │   RELAY   │   :12345 (loopback on the relay)
          └─────▲─────┘
                │  $ autossh -R 12345:localhost:22 jump@relay
                │
          ┌─────┴─────┐
          │ MACHINE B │   :22 (sshd)
          │  (WORK)   │
          └───────────┘

Both MachineA and MachineB are behind NAT, i.e. they cannot connect directly to each other, and the RelayServer cannot connect directly to either of them. Both can, however, open outbound SSH connections to the RelayServer, which is what the tunnels below rely on.

We want to access MachineB (workplace) from MachineA (home).


autossh: Automatically restart SSH sessions and tunnels

Install autossh on both MachineA and MachineB.

1. User and Certs

create a non-root user on RelayServer

[me@relayserver]$ sudo useradd -m jump
[me@relayserver]$ sudo passwd jump

Make sure ssh login via password is disabled:

# /etc/ssh/sshd_config

PasswordAuthentication no

Install the ssh pubkeys of both MachineA and MachineB on the RelayServer, i.e. append them to the jump user's authorized_keys (as the jump user, not your own account):

[jump@relayserver]$ mkdir -p -m 700 ~/.ssh
[jump@relayserver]$ cat >> ~/.ssh/authorized_keys   # paste both id_*.pub lines, then Ctrl-D
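As an added example (not part of the original post and not the OpenSSH defaults), here is a hardened sshd_config fragment for the relay that confines the jump user to exactly the two forwards this setup needs, plus a small POSIX sh checker for the global settings the post relies on. It assumes OpenSSH 7.8 or newer (for PermitListen) and the port numbers from the topology above; the Match block must sit at the end of sshd_config, and sshd has to be reloaded after editing (the service name varies by distribution).

```shell
#!/bin/sh
# Added example, not from the original post: a hardened sshd_config
# fragment for the relay's "jump" user and a line-based config checker.
# Assumes OpenSSH >= 7.8 (PermitListen) and the post's port numbers.
# Comments are kept on their own lines because older sshd versions
# reject trailing comments on a directive line.

# Print the fragment to append to the END of /etc/ssh/sshd_config.
jump_match_block() {
    cat <<'EOF'
# global hardening
PasswordAuthentication no
PermitRootLogin no
# nobody gets forwarding unless a Match block says so
AllowTcpForwarding no

Match User jump
    # tunnel only: no agent, no X11, ports stay on 127.0.0.1
    AllowTcpForwarding yes
    GatewayPorts no
    AllowAgentForwarding no
    X11Forwarding no
    # what MachineA's "-L 23456:localhost:12345" may connect to
    PermitOpen localhost:12345
    # what MachineB's "-R 12345:localhost:22" may bind (port only)
    PermitListen 12345
EOF
}

# check_sshd_config FILE: return 0 if every required global directive has
# the expected value, else print the gaps and return 1. Only the global
# section (before the first Match) is inspected; for the live daemon's
# effective settings prefer `sudo sshd -T`.
check_sshd_config() {
    file=$1; rc=0
    for want in "PasswordAuthentication no" "PermitRootLogin no"; do
        key=${want%% *}
        # last global occurrence of the key wins; stop at the first Match
        got=$(awk -v k="$key" 'tolower($1)=="match"{exit}
                              tolower($1)==tolower(k){v=$2} END{print v}' "$file")
        if [ "$got" != "${want#* }" ]; then
            echo "MISSING/WRONG: $want (found: ${got:-<unset>})"; rc=1
        fi
    done
    return $rc
}

# usage: write the fragment to a scratch file and check it
tmp=$(mktemp)
jump_match_block > "$tmp"
check_sshd_config "$tmp" && echo "relay config OK"
rm -f "$tmp"
```

The global `AllowTcpForwarding no` means the relay's ordinary accounts cannot be used as a pivot at all; only `jump` may forward, and only to the one loopback port each direction needs. `PermitListen` takes a bare port here because the client binds to "localhost" when no bind address is given and `GatewayPorts no` already pins it to loopback.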

2. Set up the tunnel

On MachineB (-M0 disables autossh's own monitoring port; the ServerAlive options make ssh itself notice a dead connection, after which autossh restarts it):

autossh -M0 -R 12345:localhost:22 -oServerAliveInterval=20 -oServerAliveCountMax=3 jump@relayserver

On MachineA

# append to .ssh/config

Host forward_to_machineB
    Hostname relayserver
    User jump
    ServerAliveInterval 20
    ServerAliveCountMax 3
    ExitOnForwardFailure yes
    LocalForward 23456 localhost:12345

Host tunnel_machineB
    Hostname localhost
    User <UserNameOnMachineB>
    Port 23456


On MachineA (Home), first [1]

autossh -M0 forward_to_machineB

then (in another terminal)

ssh tunnel_machineB
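The one thing worth checking on the relay once both sides are up is that the reverse-forwarded port is bound to loopback only, since a `GatewayPorts yes` on the relay would expose MachineB's sshd to anyone who can reach the relay. This added example (not from the original post) parses `ss -ltn` output and reports whether the tunnel port is absent, loopback-only, or exposed; the sample output embedded below is constructed so the script runs offline, and it assumes iproute2's `ss` is available on the relay.

```shell
#!/bin/sh
# Added example, not from the original post: verify on the RELAY that the
# reverse tunnel from MachineB listens on loopback only. Assumes `ss`
# (iproute2) on the relay and the post's port 12345. The sample `ss -ltn`
# output below is constructed for offline use.

TUNNEL_PORT=12345

# tunnel_listeners SS_OUTPUT PORT: print "addr:port" of every TCP listener on PORT.
tunnel_listeners() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NR > 1 && $1 == "LISTEN" {
            n = split($4, a, ":")    # $4 is Local Address:Port; port is last field
            if (a[n] == p) print $4
        }'
}

# tunnel_exposure SS_OUTPUT PORT:
#   0 = bound to loopback only, 1 = nothing listening, 2 = exposed
tunnel_exposure() {
    listeners=$(tunnel_listeners "$1" "$2")
    [ -n "$listeners" ] || { echo "port $2: not listening (tunnel down?)"; return 1; }
    for l in $listeners; do
        case $l in
            127.0.0.1:*|"[::1]:"*) ;;    # loopback: fine
            *) echo "port $2 EXPOSED on $l (check GatewayPorts on the relay)"; return 2 ;;
        esac
    done
    echo "port $2: loopback only"
    return 0
}

# Constructed sample: sshd on :22 for all interfaces, the reverse tunnel
# correctly on 127.0.0.1 / [::1] port 12345.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:12345    0.0.0.0:*
LISTEN 0      128    [::1]:12345        [::]:*'

# Constructed sample of what GatewayPorts yes would look like.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:12345      0.0.0.0:*'

tunnel_exposure "$SAMPLE_OK" "$TUNNEL_PORT"
tunnel_exposure "$SAMPLE_EXPOSED" "$TUNNEL_PORT" || true
# live check on the relay:  tunnel_exposure "$(ss -ltn)" 12345
```

Return code 1 is also a cheap liveness probe for the MachineB side: if autossh on MachineB has died, nothing will be listening on 12345 and the `-L` forward from MachineA will fail (which `ExitOnForwardFailure yes` turns into an immediate error rather than a silent half-working session).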

Main Ref: “SSH access to office host behind NAT router”

  [1] I’d like to run it in a tmux session to keep the connection alive.

Oct 3, 2023
