Tuesday, 11 November 2014

SSH connection through your router

I have a router at home, running OpenWRT, with SSH enabled (ssh keys only, no password authentication). Sometimes I want to connect from the outside to a server on the inside of the OpenWRT router, to get a file or something, but I do not want to publish the inside server on the internet, to minimize the risk.

This is easily done using SSH tunnelling.

So at work, or elsewhere, I can just run

ssh -L 2222:insidehost:22 user@openWRT-public-ip

This opens an ssh connection to the OpenWRT router and also sets up a local port forward: connections to port 2222 on my own machine are carried through the router to port 22 on insidehost. So now I can open another window (I use CygWin) and do

ssh insideuser@127.0.0.1 -p 2222

Or, to copy files:

scp -P 2222 insideuser@127.0.0.1:/tmp/file1 .

So basically I can copy files across the Internet to/from a server hidden behind a firewall. Be aware that scp uses an uppercase -P to specify the port number, whereas ssh uses a lowercase -p.

The same method can be used to access internal web servers behind OpenWRT. If the internal server expects a particular hostname, you would also need to modify your local hosts file to point the internal server name to 127.0.0.1.

You can also use this method to access external hosts, tunnelling through your home router. Just use an external hostname instead of insidehost in the first ssh command. So if you can't access http://whatever.com:8888 because the company blocks non-standard ports, you can do

ssh -L 8888:whatever.com:8888 user@openWRT-public-ip

and then add whatever.com to your local hosts file, pointing to 127.0.0.1. But this also sends ports 80/443 for whatever.com to 127.0.0.1, so access to those is lost unless you forward them as well, and forwarding them would conflict with any web server running locally.

I more often use this on Windows:

ssh -L 22:internalserver.local:22 user@openWRT-public-ip

This allows me to scp files to internaluser@localhost:/dir without specifying a port, since the forward sits on the default port 22.

If working with SOCKS-aware apps, you can also set up a SOCKS proxy that tunnels the application's traffic through the remote OpenWRT router. This is done by

ssh -D 1080 user@openWRT

which creates a listening SOCKS proxy on port 1080, the default SOCKS proxy port.

Security info

The listening port created by ssh is bound only to the loopback interface, i.e. 127.0.0.1, and can't be reached from outside your machine.
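The loopback-only default holds as long as -g is not given and GatewayPorts is not enabled in ssh_config. The following is an added example, not part of the original post: it builds the -L command with the bind address written out explicitly, and a small check that inspects `ss -ltn` style output for a forwarded port that ended up on a non-loopback address. The sample listener lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: explicit loopback bind for -L, plus a listener check.

# Build the forward command with an explicit 127.0.0.1 bind address, so a
# GatewayPorts setting in ssh_config cannot widen the listener.
# $1 local port, $2 inside host, $3 inside port, $4 user@router
build_forward_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Read `ss -ltn` output on stdin; print every LISTEN socket on the given port
# whose local address is not loopback. Returns 0 if none, 1 otherwise.
check_loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)     # strip ":port" -> address
            lport = $4; sub(/.*:/, "", lport)         # keep only the port
            if (lport == port && addr != "127.0.0.1" && addr != "[::1]") {
                print $4; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample output in the column layout of `ss -ltn` (not real).
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:2222     0.0.0.0:*'
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*'

# On a real machine, run:  ss -ltn | check_loopback_only 2222
build_forward_cmd 2222 insidehost 22 user@openWRT-public-ip
if printf '%s\n' "$SAMPLE_BAD" | check_loopback_only 2222; then
    echo "port 2222: loopback only"
else
    echo "port 2222: reachable from other hosts, check -g / GatewayPorts"
fi
```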
