[opensuse] Reverse SSH - How?
Friend's college age son wants to access his computer in the dorm when he visits home. College won't allow listening on ports, and they have him behind a NAT.

Is it possible to have an outbound (from the dorm) ssh connection "reversed" so that the target (the home computer) is able to control the dorm machine?

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, Dec 19, 2013 at 5:51 PM, John Andersen <jsamyth@gmail.com> wrote:
Friend's college age son wants to access his computer in the dorm when he visits home. College won't allow listening on ports, and they have him behind a NAT.
Is it possible to have an outbound (from the dorm) ssh connection "reversed" so that the target (the home computer) is able to control the dorm machine?
John,

The answer is use autossh. It is designed specifically to maintain an open port on a remote server. Then you just connect to the remote server and access the target PC.

--- details ---

I do that at my Dad's house, but it does require a machine with a static IP somewhere.

In my case the PC at his place makes an outbound ssh connection to a server I control in the cloud. The type of ssh connection is a "tunnel" which causes the server in the cloud to open up a port and listen on it. That goes on 24x7x52. No software has to be installed on the cloud server. It just has to allow incoming ssh connections and have the alternate port open at the firewall.

Anytime I want to ssh into the PC at my Dad's I connect to the appropriate port on the cloud server and it forwards everything to the PC at my Dad's.

When I first tried, I just had ssh with the reverse tunnel args called at boot time. I found out quickly that ssh is not very reliable if you are talking weeks/months.

Now I use autossh to manage the reverse tunnel for me. That is in the distro, so zypper in should get it for you.

I have it running with sysVinit still, so I just had to enable the daemon and edit the included config file.

Let me know if you go that route and you want to see any of my sysVinit scripts/config files.

Greg
On 12/19/2013 3:19 PM, Greg Freemyer wrote:
Thanks Greg, this looks promising. You say:
In my case the PC at his place makes a outbound ssh connection to a server I control in the cloud.
So this "cloud" you refer to is any machine on which you can create a listening connection, so it could be some third machine somewhere, not yours, not your dad's?
John Andersen <jsamyth@gmail.com> wrote:
Thanks Greg, this looks promising. You say:
In my case the PC at his place makes a outbound ssh connection to a server I control in the cloud.
So this "cloud" you refer to is any machine on which you can create a listening connection, so it could be some third machine somewhere, not yours, not your dads?
Well it has to be a machine that you have rights to ssh into. If you have a PC at your house and a way to reliably ssh into it from the internet, then your machine could be the tunnel.

In my case I rent a virtual machine on the internet to host a website and email. I use that virtual machine as my tunnel. That is, the PC at my dad's keeps an ssh socket open to it all the time. I connect to the VM when I need to talk to the PC at my dad's.

Greg
John Andersen wrote:
Is it possible to have an outbound (from the dorm) ssh connection "reversed" so that the target (the home computer) is able to control the dorm machine?
A VPN would do what you want. I have used OpenVPN in the past. Another possibility is to set up an IPv6 tunnel to a tunnel broker and another from your home.
On 12/19/2013 02:51 PM, John Andersen wrote:
Friend's college age son wants to access his computer in the dorm when he visits home. College won't allow listening on ports, and they have him behind a NAT.
Is it possible to have an outbound (from the dorm) ssh connection "reversed" so that the target (the home computer) is able to control the dorm machine?
There are ways to do this, but just because you "can" doesn't necessarily mean you "should". I know of places where circumventing policy like this would earn you a security violation. You should ask the boy to find out what kind of penalties he might see if caught.

Note that outbound persistent ssh connections are easy to spot by the organization's security team, even if you use non-standard ports.

Regards,
Lew
On 12/19/2013 4:28 PM, Lew Wolfgang wrote:
There are ways to do this, but just because you "can" doesn't necessarily mean you "should". I know of places where circumventing policy like this would earn you a security violation. You should ask the boy to find out what kind of penalties he might see if caught. Note that outbound persistent ssh connections are easy to spot by the organization's security team, even if you use non-standard ports.
Yeah, thought of this, but outbound they don't care about at all. You can run all the IMAP with idled connections and stream music all day long. They just don't want any publicly connectable ports open to the outside, and they mostly enforce this with NAT.

Going to look into Greg's suggestion.
John Andersen wrote:
College won't allow listening on ports, and they have him behind a NAT.
One thing about NAT. It's not just a matter of opening ports. You have to map that port to the desired computer. Since they're likely using DHCP, the address of that computer could change with time, unless they lock that IP address to a specific MAC address. This is likely more "support" than they're willing to offer.
I use LogMeIn Hamachi. Works fine on oS 12.1 through 13.1. Only thing is I couldn't use the latest version (wouldn't work, but I don't remember what the exact error message was); ended up digging up version 2.0.1 on the interwebs and it's worked fine :) If you need RPMs, shoot me a direct message and I'll try to get them to you.

If you use the free version, you're limited to four incoming connections; if you need more than that, I think it's like $20 a year or something like that.

I use it for two things - one is for hosting a Minecraft server for some of my friends and me to use, the other is to be able to access my OwnCloud server when I'm away from home.

Chris
James Knott 12/20/13 6:53 AM >>>
John Andersen wrote:
College won't allow listening on ports, and they have him behind a NAT.
James Knott <james.knott@rogers.com> wrote:
John Andersen wrote:
College won't allow listening on ports, and they have him behind a NAT.
One thing about NAT. It's not just a matter of opening ports. You have to map that port to the desired computer. Since they're likely using DHCP, the address of that computer could change with time, unless they lock that IP address to a specific MAC address. This is likely more "support" than they're willing to offer.
No, that's a non-starter, because at the dorm, he has no control of the NAT router. Which is exactly why he has to use an outward connection from behind the NAT to some reachable machine.

This is why Greg's suggestion seems to hold the most promise.

It's clear that the cloud machine that Greg mentioned is going to need to be reachable, but it appears like neither of the two endpoints of the ssh connection need public IPs. This is classic firewall piercing, like Skype has done for years.
John Andersen wrote:
This is why Greg's suggestion seems to hold the most promise.
It's clear that the cloud machine that Greg mentioned is going to need to be reachable, but it appears like neither of the two endpoints of the ssh connection need public IPs. This is classic firewall piercing, like Skype has done for years.
In another note, I mentioned OpenVPN. This will also work. It uses UDP, though, IIRC, it can also be used over UDP. With it, he starts it before he leaves and you have a network connection between his computer and your home network.
On Fri, Dec 20, 2013 at 4:06 PM, James Knott <james.knott@rogers.com> wrote:
autossh should be a one time setup thing. It runs as a daemon on the PC at the college. It establishes and monitors the ssh tunnel to the cloud server. If the ssh tunnel drops it re-establishes a new tunnel.

The tunneling feature it uses is built into ssh/sshd, so the cloud server doesn't need anything beyond a normal sshd daemon running. If the cloud server has a firewall, the remote port will need to be opened up.

For instance if you want to use port 2222 on the cloud server as the tunneled port, then you config autossh to pass that port to the outbound ssh command. It will then connect to the cloud server on the normal ssh port and tell it to open a listener on port 2222. Obviously you have to make sure no firewalls are blocking port 2222.

Then anytime anyone wants to connect to the college PC via ssh, they just connect to port 2222 on the cloud server. The sshd daemon on the cloud server will forward the traffic to the other socket where they will get a standard ssh login prompt.

It's all built-in ssh/sshd functionality so there is nothing special to install, etc. autossh just makes the whole process even easier and more reliable. And it is in the openSUSE main repos.

The only possible issue I can imagine would be making it work with systemd, but I assume that is trivial enough as well.

Greg
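The pieces of the setup Greg describes, as an added example that is not from the thread or from any of its participants: the autossh invocation for the dorm PC, a restricted authorized_keys entry for the relay, the command used from home, and a check that the relay's listener has not ended up on a public interface. Unlike Greg's setup it keeps the listener on the relay's loopback and reaches it with ProxyJump, so no extra port has to be opened at the relay's firewall and the dorm sshd is never reachable by the whole internet. relay.example.org, the tunnel account, the key path and the permitlisten option (OpenSSH 7.8 or newer) are assumptions; 2222 is the port from Greg's message.

```shell
#!/bin/sh
# Added example of the reverse tunnel described in the thread: the dorm PC
# dials OUT to a relay ("cloud server") it may ssh into, and the relay's sshd
# listens on a port that leads back to the dorm PC's own sshd.
# Hostname, account and key path are assumptions; 2222 is from the thread.
RELAY_HOST="relay.example.org"                    # assumed relay, public IP
RELAY_USER="tunnel"                               # assumed shell-less account
RELAY_PORT=2222
TUNNEL_KEY="/home/tunnel/.ssh/id_ed25519_tunnel"  # assumed key on the dorm PC

# Command autossh runs on the dorm PC. -M 0 relies on ssh's own keepalives
# instead of a monitor port; ExitOnForwardFailure makes ssh exit (so autossh
# restarts it) when the relay refuses the remote port, e.g. a stale listener
# left behind by a dropped session. Binding -R to 127.0.0.1 keeps the
# listener off the relay's public interfaces.
tunnel_cmd() {
  printf '%s %s %s\n' \
    "autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
    "-o ExitOnForwardFailure=yes -o BatchMode=yes -i $TUNNEL_KEY" \
    "-R 127.0.0.1:$RELAY_PORT:localhost:22 $RELAY_USER@$RELAY_HOST"
}

# authorized_keys line for the tunnel account on the relay: the key may open
# forwards but gets no shell, pty, agent or X11 forwarding, and (OpenSSH
# 7.8+) may only bind the one loopback port. $1 is the public key text.
relay_authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$RELAY_PORT" "$1"
}

# From home: jump through the relay, then hit the loopback listener.
# $1 is your own account on the relay, $2 the login on the dorm PC.
home_cmd() {
  printf 'ssh -J %s@%s -p %s %s@localhost\n' "$1" "$RELAY_HOST" "$RELAY_PORT" "$2"
}

# Audit the relay: feed it `ss -Hltn` output and it reports whether the
# tunnel port ($1) is bound to loopback only ("loopback"), to every interface
# ("exposed": anyone on the internet can reach the dorm sshd), or not at all
# ("down", the tunnel is not up).
forward_bind_scope() {
  awk -v p="$1" '
    { addr = $4; sub(/:[0-9]+$/, "", addr); lport = $4; sub(/.*:/, "", lport) }
    lport != p { next }
    addr == "127.0.0.1" || addr == "[::1]" { lo = 1; next }
    { exposed = 1 }
    END { print (exposed ? "exposed" : (lo ? "loopback" : "down")) }'
}
```

Run `ss -Hltn | forward_bind_scope 2222` on the relay after the tunnel comes up; "exposed" means the -R bind address (or a GatewayPorts setting on the relay) has put the dorm machine's sshd on the public side of the relay.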
James Knott 12/20/13 3:07 PM >>>
John Andersen wrote:
This is why Greg's suggestion seems to hold the most promise.
In case my reply got missed earlier - My ISP at home is a small-town one and only hands out NATed IP addresses, so I'm in basically the same situation. I use LogMeIn Hamachi, and it works fine for this.

For openSuSE, I've used it on oS 12.1 through 13.1. Only thing is I couldn't use the latest version of the Linux client (wouldn't work, but I don't remember what the exact error message was); ended up digging up version 2.0.1 on the interwebs and it's worked fine :) If you need RPMs, shoot me a direct message and I'll try to get them to you. They also have Mac and Windows clients.

If you use the free version, you're limited to four incoming connections; if you need more than that, I think it's like $20 a year or something like that.

I use it for two things - one is for hosting a Minecraft server for some of my friends and me to use, the other is to be able to access my OwnCloud server when I'm away from home.

Chris
Christopher Myers wrote:
My ISP at home is a small-town one and only hands out NATed IP addresses, so I'm in basically the same situation. I use LogMeIn Hamachi, and it works fine for this.
There's another solution. I run IPv6 on my local network and get my /56 subnet (2^72 addresses) from a tunnel broker. This tunnel works through NAT and my addresses are static. I also run the client in single address mode on my notebook computer, so that I can access my home network IPv6 addresses from almost anywhere. This also has the advantage of getting you running on IPv6.

BTW, 2^72 addresses is over a trillion times the entire IPv4 address space. I haven't used them all yet. ;-)