Sinabro

When you have to maintain a few servers and workstations, it’s useful to have remote access. However, this can be difficult if the workstation has to be put behind a NAT router for lack of IP addresses or ethernet ports. By having all these workstations/servers behind NAT routers make ssh connection to one central server with a reverse tunnel, you can maintain ssh accessibility to all your servers.

Basic Idea

Here’s the basic setup. From your workstation, run

ssh -R 31337:localhost:22 central_server

where “central_server” should be replaced with the IP address or FQDN of your central server. Once you have done that, from your central server, you can run,

ssh -p 31337 localhost

in order to access that workstation.

If you need to setup additional workstations, you will need to use different port addresses (31338, 31339, etc., etc.) as only one process can listen to a port at the time. if the connection gets cut for some reason and you need to reconnect, watch out for messages like “Warning: remote port forwarding failed for listen port 31337″. That means some other process (including zombie processes) is using the port and the forwarding is probably not set up correctly. In order to correct this, you can kill all processes named “sshd” by running the following command on the server:

pkill -u user sshd

where “user” is the username of the user which is usually used for setting up these reverse tunnels.

Please note that this will likely cut the reverse tunnel for any other machines connected to the central server as well.

In fact, lost connection is a somewhat serious problem as it defeats the purpose of this setup as well. So it is necessary to use cron to monitor and re-establish this connection automatically if it gets cut. (To be continued …)