How to make an SSH tunnel publicly accessible?

Question

Referring back to this question, I am executing the below via OpenSSH (Client: Mac OS X 10.6 | Server: Linux Mint), however the port that is being tunneled is not working publicly:

ssh -R 8080:localhost:80 -N root@example.com

The purpose is so the local port can be opened on the remote computer
It seems as if the remote side binds only on localhost, instead of to all interfaces
It works when opening the port on localhost on the remote computer, but when trying to access the public IP of the remote computer from my local computer, the port doesn’t seem to be open

How would I make the tunnel public on the IP for anyone to access?

What does public IP mean? If you are trying to connect to a local computer thru the router and via the Internet, most routers will not allow such loopback. — harrymc, Apr 30 '13 at 05:53

score 465 · Accepted Answer · edited Dec 16 '20 at 02:51

465

If you check the man page for ssh, you'll find that the syntax for -R reads:

-R [bind_address:]port:host:hostport

When bind_address is omitted (as in your example), the port is bound on the loopback interface only. In order to make it bind to all interfaces, use

ssh -R \*:8080:localhost:80 -N root@example.com

or

ssh -R 0.0.0.0:8080:localhost:80 -N root@example.com

or

ssh -R "[::]:8080:localhost:80" -N root@example.com

The first version binds to all interfaces individually. The second version creates a general IPv4-only bind, which means that the port is accessible on all interfaces via IPv4. The third version is probably technically equivalent to the first, but again it creates only a single bind to ::, which means that the port is accessible via IPv6 natively and via IPv4 through IPv4-mapped IPv6 addresses (doesn't work on Windows, OpenBSD). (You need the quotes because [::] could be interpreted as a glob otherwise.)

Note that if you use OpenSSH sshd server, the server's GatewayPorts option needs to be enabled (clientspecified, or, in rare cases, to yes) for this to work (check file /etc/ssh/sshd_config on the server). Otherwise (default value for this option is no), the server will always force the port to be bound on the loopback interface only.

edited Dec 16 '20 at 02:51

fresskoma

824
2
8
21

answered May 06 '13 at 06:11

Stefan Seidel

10,485
1
28
44

5

Yeah, that's exactly why I always prefer `0.0.0.0` - it's IPv4 only, but it'll do most of the time :) – Stefan Seidel May 06 '13 at 07:51
1

`fe80::1` hahaha – Trevor Rudolph May 06 '13 at 07:54
jk :D yea but 0.0.0.0 is good, but can you use 127.0.0.1? or is that too local and nonbinding – Trevor Rudolph May 06 '13 at 07:55
Well, actually `[::]` should work for all v4+v6! `127.0.0.1` means loopback, i.e. you're back to square one ;) – Stefan Seidel May 06 '13 at 08:06
yea, i thought as much, but 0.0.0.0 will bind directly to the ipv4 interface so its not device specific – Trevor Rudolph May 06 '13 at 09:01
and `[::]` is only ipv6 right? How can it be used in ipv4? – Trevor Rudolph May 06 '13 at 09:01
1

No, `[::]` means `0:0:0:0:0....:0` and is essentially the IPv6 equivalent of `0.0.0.0` - but since IPv4 is basically a subset of IPv6 (e.g. `::ffff:10.120.78.40` is an IPv4-mapped IPv6 address), it'll mean the port is accessible both via IPv6 and IPv4. – Stefan Seidel May 06 '13 at 09:11
well yea, i actualy jsut researched ipv6 for a half hour and now instead or `\*:` im using `[::0]:` – Trevor Rudolph May 06 '13 at 09:31
and instead of `localhost` im using `[::1]` works like a charm – Trevor Rudolph May 06 '13 at 09:31
I used -L instead of -R and it also works – Daniil Iaitskov Aug 09 '16 at 09:04
65

GatewayPorts yes solved my problem. – Sunry Oct 25 '16 at 08:18
4

GatewayPorts = yes (on the remote sshd config) fixed it for me too – Phil_1984_ Dec 05 '16 at 13:29
3

"GatewayPorts yes" made my day, thanks @StefanSeidel – karser Oct 27 '17 at 10:40
1

Note that **GatewayPorts yes** actually makes the *bind_address* irrelevant: "The argument may be [...], yes to force remote port forwardings to bind to the wildcard address" – Michał Politowski Mar 15 '19 at 18:30
By defautl "GatewayPorts" argument is not exist. Thank you pro! – Owl City Apr 17 '19 at 02:03
1

`GatewayPorts yes` in my `~/.ssh/config` worked well in macOS – surj Oct 12 '19 at 19:39
1

Thank you for the answer! It make sense to add a note that user needs to restart `sshd` after the configuration update. – oliora May 24 '20 at 11:42
I was tripping for almost 30 mins because I did not read the entire answer. Gateway Ports yes worked – Shankara Narayana Jun 16 '20 at 12:37
Never add "GatewayPorts" after a "Match" command (even if it is not indented) or you will go crazy! (cert from the manpage: "Only a subset of keywords may be used on the lines following a Match keyword") – Henning Dec 09 '20 at 21:31
Can you expand on "clientspecified, or, in rare cases, to yes"? Why should it generally not be yes (which seems to be what everyone is doing)? – Gloomy Feb 06 '22 at 12:02
GatewayPorts!!!!!! Why isn't this documented anywhere easily findable.???? I've been banging my head against the wall – phocks Oct 21 '22 at 01:45

score 46 · Answer 2 · edited Apr 13 '17 at 12:14

46

Edit:

-g works for local forwarded ports, but what you want is a reverse/remote forwarded port, which is different.

What you want is this.

Essentially, on example.com, set GatewayPorts=clientspecified in /etc/ssh/sshd_config.

--- previous (incorrect) answer ---

Use the -g option. From ssh's man page:

-g     Allows remote hosts to connect to local forwarded ports.

edited Apr 13 '17 at 12:14

Community

1

answered Apr 28 '13 at 03:34

snapshoe

1,156
8
18

doesn't seem to be working... it starts up but i cant connect remotely – Trevor Rudolph Apr 28 '13 at 06:21
2

Try running `netstat -elnpt` from a separate tty to figure out what ports are bound to what address. Without `-g`, a port should be bound to `127.0.0.1:PORT`. With `-g`, it should be bound to `0.0.0.0:PORT`, which makes it accessible remotely. – snapshoe Apr 28 '13 at 14:58
http://pastebin.com/q6f4kJyd – Trevor Rudolph Apr 28 '13 at 16:11
3

`GatewayPorts=clientspecified` or `GatewayPorts clientspecified` – Trevor Rudolph Apr 29 '13 at 00:01
and do i add that to the client or remote? – Trevor Rudolph Apr 29 '13 at 00:04
already answered in the answer-- on _website.com_ – snapshoe Apr 30 '13 at 15:08
ok, ill try now – Trevor Rudolph Apr 30 '13 at 20:53

score 19 · Answer 3 · answered Oct 29 '13 at 12:09

19

Here's my answer for completion:

I ended up using ssh -R ... for tunneling, and using socat on top of that for redirecting network traffic to 127.0.0.1:

tunnel binded to 127.0.0.1: ssh -R mitm:9999:<my.ip>:8084 me@mitm

socat: mitm$ socat TCP-LISTEN:9090,fork TCP:127.0.0.1:9999

Other option is to do a local-only tunnel on top of that, but i find this much slower

mitm$ ssh -L<mitm.ip.address>:9090:localhost:9999 localhost

answered Oct 29 '13 at 12:09

Miguel Ping

362
1
3
8

I like the fact that I don't have to deal with the sshd configuration and that I can do all of it without sudo. Plus I learn that socat exists. Thanks! – BrutusCat Jun 12 '14 at 14:00
2

+up you go good sir. I tried to tell ssh to bind to 0.0.0.0 without success.. then saw the \* syntax, tried that, no dice. I imagine it may be some sort of security feature on sshd config or something that isn't allowing it. Finally saw this post and `socat` worked awesome. Super useful, putting this in my back pocket ;] – Jaime Jun 24 '19 at 23:45

score 16 · Answer 4 · answered Aug 01 '16 at 22:37

16

You can also use a double forward if you won´t or can change /etc/ssh/sshd_config.

First forward to temporary port (e.g. 10080) on loopback device on the remote machine, then use local forward there to redirect port 10080 to 80 on all interfaces:

ssh -A -R 10080:localhost_or_machine_from:80 user@remote.tld "ssh -g -N -L 80:localhost:10080 localhost"

answered Aug 01 '16 at 22:37

panticz

291
2
5

4

This actually works to bypass forwarding rules! – Michael Schubert Dec 03 '16 at 18:49
1

Love this solution. Great workaround when you don't want the change the config on the machine – Grezzo Aug 18 '17 at 14:54
It works, I have no idea WHY it works – Adam Fowler Jan 30 '22 at 02:20
if you got errors "Permission denied, please try again. Permission denied, please try again. usr@localhost: Permission denied (publickey,password)." like me, use this: https://stackoverflow.com/a/16651742/2051938 – mixalbl4 Aug 31 '23 at 09:48

score 8 · Answer 5 · answered Apr 28 '13 at 13:58

8

Use the "gateway ports" option.

ssh -g -R REMOTE_PORT:HOST:PORT ...

In order to use that, you probably need to add "GatewayPorts yes" to your server's /etc/ssh/sshd_config.

answered Apr 28 '13 at 13:58

Raúl Salinas-Monteagudo

1,258
8
11

Actually this worked. What I do is that I use an EC2 instance as a forwarder to my REST server. This way, I don't need to stick my server in the DMZ and I don't need a public IP. Funny enough, with the first EC2 instance I created, ssh -R remote_port:localhost:port xxx@ec2xxx worked just fine but then I had to create another instance later on for some reason and from that point on, I was always getting: connection refused. Used tcpdump to look at what I was getting and there wasn't much info. -g plus GatewayPorts yes did the trick. – E.T Jan 24 '17 at 19:12

Daniel Schaffrath · Answer 6 · 2020-09-05T07:04:47.973

I don't have enough reputation to comment at the appropriate sections, so I'm adding a new answer.

Warning: if you set GatewayPorts to yes this will make sshd bind your forwardings to any interface - regardless of the client configuration (-R, etc.). This can become quite a security issue if the client assumes she has limited her forwardings to f.e. localhost. Therefore, setting GatewayPorts to clientspecified is usually what you want.

krlmlr · Answer 7 · 2019-06-03T20:39:25.937

Jump hosts are a fairly recent addition to OpenSSH. This requires SSH access to the intermediate, but should work without additional configuration.

ssh -J root@example.com remoteuser@localhost -p 8080

This command instructs SSH to first connect to root@example.com, and then, from that machine, to initiate a connection to port 8080 at localhost (i.e., the port that is tunneled from the jump host to the remote host) under the remoteuser user name.

score 0 · Answer 8 · answered Aug 26 '18 at 15:50

If you'd like to put the configuration in you ~/.ssh/config instead of using command line parameters, you can try something like

Host REMOTE_HOST_NAME RemoteForward \*:8080 127.0.0.1:80

Remember to have you remote host's firewall allow connections to 8080 and ensure that the GatewayPorts option of your /etc/ssh/sshd config isnt set to no

How to make an SSH tunnel publicly accessible?

8 Answers8

Edit:

--- previous (incorrect) answer ---

Linked