Reverse SSH Tunnel

Reverse SSH Tunnel + Port Forwarding

What’s goin’ on guys?

Today I made a short video talking about Reverse SSH Tunneling and how I connected my local SSH server to my Raspberry Pi 3 using mobile data (AT&T SIM card) as a client. The procedure is very simple (a single ssh command per machine) but there is some details to understand, so let’s get to it!

Networking Considerations

Before we begin, let’s try to clearly understand the network and how both server and client will interact…

The Raspberry Pi 3 is connected to the internet using an AT&T SIM card (more specifically I’m using H2O which offers unlimited internet for $30 – it is basically prepaid AT&T). The Pi will be the client in this scenario. It’s important to note that we have no control over the router since we are using mobile data and therefore cannot do port forwarding on the Pi. Also the Pi is to be deployed remotely with all the networking + pentesting goodies, the reason why it’s connected using the SIM card: so we can get internet anywhere (pretty much).

The server will be my desktop computer running Slackware Linux sitting in my Local Area Network (LAN), where we do have control of the router and are capable of port forwarding. By default my system came with ssh – as all Linux do – and I simply enabled the service to start it at boot. The only other interesting detail to note, is that I am also running a Dynamic DNS on the server, so that if my public IP address changes, it will be automatically updated. Plus, its way easier to remember the dynamic DNS than an actual IP. For this I used No-IP as always.

The reason why I am explaining all of this, is because there are many similar situations where you will use this same method. Properly identifying the network and how it will interact is easily 90% of what we are trying to do here, the rest is simply executing a command on each machine.

Port Forwarding

I have gone over port forwarding on so many videos and posts that I’ve lost track already… here we go again!

We want the Raspberry Pi to be able to connect to the SSH Server right? The server, however, is inside my local network, which is unreachable to the outside internet.

Simply login to your router (usually on for home networks) and enter your username + password (usually admin/admin or admin/password by default). There you will find a section under Advanced Settings called Port Forwarding and you will be able to choose a port (SSH uses port 22) and a local IP address. You should choose port 22 and the IP address of the computer running the SSH server.

Reverse SSH Tunneling

Client Side

Now that we have everything setup, it’s time to get that ssh connection going!

On the client (raspberry pi), we will run the following command:

sudo ssh -f -N -o StrictHostKeyChecking=no -R 8420:localhost:22 username@ip address

Let’s properly breakdown this command:

You will want to run this command by using sudo or making sure you are root beforehand, since most networking tools require higher privileges.

Now let’s explain the parameters:

(-f)    – This will force ssh to run in the background;

(-N)   – This will tell ssh to not execute any command upon connection and wait for a command from an incoming connection (that is, the server);

(-o)    – Allows for additional options, in this case, StrictHostKeyChecking will be set to no (will facilitate things for security purposes);

(-R)    – Tells ssh to create a reverse tunnel so we can connect to this system from the server (the opposite of what usually happens);

– For this option we need to specify another port (8420) where the server will be able to reach client using correct username/password;

– localhost is the local network of the server, which is where we will be able to reach the client from now on…

– Port 22 is the actual default ssh port where the first connection will take place – this is something you can change as well;

Finally you will have to enter your username and IP address also. The username is the same Linux user you create on your computer using the adduser command. The IP address will be your Public IP address, not the LAN one (you do not want the IP address in the format 192.168.1.X here). You can find this out by going to google and typing: what is my IP address.

Once that’s done it should ask you for your Linux user’s password and simply return a blank prompt – as seen in video below.

Server Side

On the server side, things get much easier… all we have to do is enter the following command:

ssh -p 8420 username@localhost

Make sure to replace username with the Linux user that you want to access on the client side, not the server.

It will ask for the user’s password and that’s it! We’re in!



1 thought on “Reverse SSH Tunnel + Port Forwarding”

Leave a Reply

Your email address will not be published. Required fields are marked *