
Use a reverse SSH tunnel to get around firewalls (Network)
My mother (she just turned 68) was having some trouble with her Airport Base Station, and she wanted some help from me. Unfortunately I live 1300 miles away. Remote support has been a constant problem, so last night I talked her through installing Apple's latest Remote Desktop Client 2.1.

Then I found out that her DSL ISP (Earthlink) is blocking incoming port 22. So I couldn't do an SSH connection to her IP to tunnel to the VNC port on her iMac. This was annoying, but I knew there must be a solution.

What you need is the following:
  • your local IP (or hostname)
  • the remote user must have a login on your local machine
  • you must have SSH enabled ("Remote Login" in Sharing preferences), and port 22 available through your firewall
The ssh command below is something that I probably couldn't have gotten across to her over the phone, but a simple AppleScript .app sent via iChat solved the problem.

The AppleScript does a reverse port mapping from her machine to mine. Then I used a VNC application -- I use Chicken of the VNC (CotVNC) pointing at localhost, display 0, to remotely control her iMac:
tell application "Terminal"
  (* USER is a user name on the CotVNC machine *)
  (* DOMAIN.ORG is the host name or IP address for the CotVNC machine *)
  (* -R 5900:localhost:5900 makes port 5900 on the CotVNC machine's loopback reach this iMac's VNC port 5900 *)
  (* do script with no target opens a new Terminal window, which will prompt for a password unless an authorized key is installed *)
  do script "ssh USER@DOMAIN.ORG -R 5900:localhost:5900"
end tell
Substitute the appropriate USER and DOMAIN.ORG information for your machine in the script.

The only setting you need with Apple's 2.1 client (which should be called ARD 2.1 Server, but that would confuse the unwashed masses) is to check the Apple Remote Desktop in System Preferences Sharing Pane. Then, from the "Access Privileges..." button, check "VNC viewers may control screen with password," enter a bogus password (since we are using SSH for security), and click OK. The other settings are not used unless you are using Apple's Remote Desktop software.

The trick is that we want to tunnel from our local loopback address (IPv4) on the machine running CotVNC to the remote machine. But since the remote machine is behind an incoming firewall that blocks port 22, we need to do a reverse tunnel to our localhost. When the remote user runs this script, the tunnel is available on port 5900 on the localhost for the local VNC client. If you don't have an authorized SSH key on the CotVNC machine, then the Terminal window that opens for the AppleScript user on the remote machine will prompt for a password.

With CotVNC, the setup is to connect to localhost, display 0, with the bogus password. Enter the information in the connection dialog and voila, you have access to the remote machine -- even behind the incoming firewall. The reverse connection doesn't have to be to the login that you are using to connect to the remote machine; any valid login on the local machine will do.
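As an added example (not part of the hint), a small Python helper for the support side: it spells out the ssh command with the forwarding target, flags a -R bind address that would need GatewayPorts and expose the tunnel to the whole LAN (the -g point raised in the comments), and checks that port 5900 is free on the CotVNC machine before the tunnel is attempted, which is the "bind: Address already in use" failure reported further down. USER and DOMAIN.ORG are the hint's placeholders; the ssh options assume a standard OpenSSH client.

```python
import socket


def parse_reverse_spec(spec):
    """Split an ssh -R spec into (bind_addr, port, host, hostport).
    OpenSSH accepts [bind_address:]port:host:hostport; when bind_address is
    omitted the listener stays on the loopback interface of the ssh server.
    IPv6 bind addresses (which contain colons) are not handled here."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind_addr, (port, host, hostport) = "localhost", parts
    elif len(parts) == 4:
        bind_addr, port, host, hostport = parts
    else:
        raise ValueError("expected [bind_address:]port:host:hostport, got %r" % spec)
    return bind_addr, int(port), host, int(hostport)


def listens_beyond_loopback(spec):
    """True when the bind address asks sshd to listen on all interfaces, which
    only works with 'GatewayPorts yes' and lets any LAN host reach the tunnel."""
    bind_addr = parse_reverse_spec(spec)[0]
    return bind_addr in ("", "*", "0.0.0.0", "::")


def port_is_free(port, host="127.0.0.1"):
    """Try to bind the port on this (support-side) machine. A failure here is
    the same bind error sshd logs when a VNC server already owns port 5900."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def reverse_tunnel_command(user, host, spec="5900:localhost:5900"):
    """Build the command the remote user runs: no remote shell (-N), exit if
    the remote bind fails instead of silently running without the tunnel, and
    keep an idle tunnel alive across NAT timeouts (assumed OpenSSH options)."""
    parse_reverse_spec(spec)  # validate before handing the command out
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes",
            "-o", "ServerAliveInterval=30", "-R", spec, "%s@%s" % (user, host)]


if __name__ == "__main__":
    print(" ".join(reverse_tunnel_command("USER", "DOMAIN.ORG")))
    print("port 5900 free on this machine:", port_is_free(5900))
```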

18 comments
Use a reverse SSH tunnel to get around firewalls
Authored by: wilton on Feb 25, '05 10:41:37AM
Would this not also be possible using a normal VNC server on your mother's Mac?
I had a similar problem with my mother's iMac, so I guided her through installing Share My Desktop. This is only 400k in size compared to the 7.1MB for ARD.

Use a reverse SSH tunnel to get around firewalls
Authored by: ekc on Feb 25, '05 03:28:22PM

I like ARD at the office when I'm on a nice speedy LAN, but it's not so great over a shaky Internet connection. I prefer OSXvnc for the server and COTVNC for the client in that case. (I haven't tried Share My Desktop, but it looks like it's built around OSXvnc.)

Use a reverse SSH tunnel to get around firewalls
Authored by: jdb8167 on Feb 25, '05 05:42:58PM

You can use any VNC server. I've used OSXvnc for years but not with this particular trick but it will work. I use ARD right now because even though OSXvnc seems a little faster, I suspect that ARD will be eventually part of the OS install.

Use a reverse SSH tunnel to get around firewalls
Authored by: m@ on Feb 25, '05 10:57:26AM

I use the same trick to access my internal work mail directly at home because I cannot directly port forward on my work ssh login server.

First I ssh from Home to Work, ssh to another computer, then ssh with reverse tunneling back to home.

Then set the mail client to check the localhost ports instead of the POP/SMTP/IMAP ports on the mail server.

home> ssh work
work1> ssh work2
work2> ssh -R 2110:mail:110 home

More specifically, the same trick is done for multiple users by port forwarding the returning ssh connections to their computers via a router.

work:X -- X:router:23 -> 23:home1
via work2:usera> ssh -p X -R 2110:mail:110 router

work:Y -- Y:router:23 -> 23:home2
via work2:userb> ssh -p Y -R 2110:mail:110 router

Note: ports X and Y had to be chosen to again pass the firewall.

SSH Tunnel Manager
Authored by: jctull on Feb 25, '05 02:28:11PM
SSH Tunnel Manager v 2.0, a small application that handles ssh tunnels, may be of use for you. I recently created a tunnel to provide afp access to my office server that sits behind a firewall. This machine has a large external fw drive with all of my iTunes music, and I wanted to be able to use that on my wifi network at home. Because afp is blocked outside of the lan, I set this up as my solution.

My settings are:

Login: 'remote user name'
Port: empty

Local redirections
  • Port: 10548
  • LAN Host: localhost
  • Port: 548

Remote redirection
  • empty

Options... Auto connect, Handle authentication, allow LAN connection, Crypt method: 3des

Now all I have to do is start SSH Tunnel Manager, and I am prompted for my password for the remote machine. I then connect to server localhost:10548 from the Finder, and my remote afp volumes show up. This has been working great for me.

The command line equivalent of all this, which is listed in the options panel, is:
ssh -N -p 22 -g -c 3des 'remote user name' -L 10548:localhost:548

SSH Tunnel Manager
Authored by: ekc on Feb 25, '05 04:49:24PM
There is one more step you can take here that's really pretty cool.

First add the -g option to your tunnel, which allows anyone on your local LAN to access the remote computer via yours. Then download Network Beacon and create a new beacon. Enter the name of the remote file server for "Service Name", choose "AppleShare Server (AFP)" from the menu for "Service Type", and the local port number you're using for the tunnel (in your example, 10548) for the "Port number".

When you enable the beacon, the remote server shows up all over the local LAN as if it was a local machine (through the magic of Rendezvous/Bonjour/whatever-it's-called-now) and you can just connect to it the normal way. No more entering afp://localhost:10548 in the connection dialog.

The only problem is that in my experience, -g doesn't seem to work with the -R option for reverse tunnels. I haven't had to use -R much, but in the few cases I have, I managed to kludge something together using two tunnels. Once you have the reverse tunnel going, you open another one on the local machine along the lines of "ssh -gL51548:". Then you use 51548 instead of 50548 for the beacon. Ugly, but it seems to work. If anyone knows a better way, let me know.


SSH Tunnel Manager
Authored by: merlyn on Feb 25, '05 06:11:56PM
The remote sshd must have
GatewayPorts yes
in their sshd config to permit off-box connection to a -R tunnel. Since this is a potential security hole, it's generally turned off.

You sure it's Earthlink?
Authored by: Cameroon on Feb 25, '05 03:35:32PM

Not that it really applies to this hint, but are you sure that Earthlink is blocking port 22?

I use Earthlink DSL and have no problems whatsoever with any incoming ports at all. Is there a router involved that may not be forwarding port 22?

I'd be curious to know, since it might mean that I could be losing some incoming ports at some point.

You sure it's Earthlink?
Authored by: jdb8167 on Feb 25, '05 05:48:05PM

It could be a problem with inbound port mapping with the first generation Airport Base station but I don't think so. I've used that Airport BS for inbound mapping in the past on port 22 and it worked fine. I had her check her connection settings to make sure her iMac was still using manual IP assignment to the correct IP and it was and I still wasn't able to connect on port 22. It has all the earmarks of a firewall.

It looks like Earthlink has a variety of security settings for their DSL accounts. I didn't go through them very carefully so maybe one of the settings controls an ISP based firewall. Also, it might be different in different parts of the country. My mother lives on the gulf coast of Florida.

Use a reverse SSH tunnel to get around firewalls
Authored by: cirrus on Feb 26, '05 12:12:15AM

Why not run the ssh server on a different, not blocked port? I know you can do it in Linux by editing sshd_config, and the same should apply to OSX.
Then you can run your tunnel command as usual only by adding a -D new_port.

Use a reverse SSH tunnel to get around firewalls
Authored by: jdb8167 on Mar 03, '05 07:56:13PM

Ultimately, this is much easier. A simple double click and I own her machine (with her permission of course.) If I had thought of it before, I would never have bothered with trying to port-forward.

This is really something that I think a lot of people here don't understand. My mother has a hard time with what we consider very simple concepts. I have to continually remind her how to cut/copy and paste. She has a hard time dragging icons from one window to another. Even the terminology is hard for her; she calls windows pages or sheets and gets confused when I don't use her terminology.

This is a very easy way to solve her computer problems. I put the AppleScript in her dock. I tell her to click it when she is having a problem and from there I can fix whatever it is that is bothering her.

Reverse VNC is easier
Authored by: art54 on Feb 26, '05 02:39:14PM
Why not use a reverse VNC connection instead? It is faster and easier. A tutorial can be found at:

Reverse VNC is easier
Authored by: jdb8167 on Mar 03, '05 07:50:23PM

I humbly disagree that this is easier. First, I wanted to use ARD because I suspect that in the future it will be a standard install as part of OS X. Second, I really don't want any more forwarded ports from my router to my machine. I'd really rather work with 22 and be done with it. Third, having her run my little AppleScript app is the exact same amount of trouble as her running OSXvnc but no configuration at all on her part. Just a password that I've bypassed by giving her an authorized key.

aren't mothers great
Authored by: asher on Feb 27, '05 12:41:02AM

Mom is 92 and not too swift. I talked her into letting me put an iBook with iSight in her apartment. I arranged with the ISP for a static IP address. I leave the iBook on all the time with the video turned down to blank the screen. Now I or my brother can use ARD to take a peek to see if she's sitting reading or on the floor in need of help while I'm at work. She complained that she didn't like seeing the little light on the front of the iBook so we had to tape over it. Aren't moms just great?

Use a reverse SSH tunnel to get around firewalls
Authored by: nemoinis on Mar 02, '05 06:57:17PM

Why not just change port 22 to 5900 in /etc/sshd_config and /etc/services?

Help with error
Authored by: chko on Mar 03, '05 11:23:33PM
When I do this I get an error, and then of course the tunnel doesn't work.
In the terminal I type:
ssh -R 5900:localhost:5900 user@ipaddress
Then if I do:
grep sshd /var/log/system.log
I get:
... localhost sshd[388]: error: bind: Address already in use

Am I missing something? (Obviously I am!) Help.

Found the error
Authored by: chko on Mar 04, '05 12:54:23PM

The problem was I had a VNC server running on my machine using port 5900. Once I killed that, and reestablished the SSH tunnel from the "other" computer, things worked fine.

Use a reverse SSH tunnel to get around firewalls
Authored by: joebloggs on Nov 30, '06 04:02:09PM

Hi there,

I was just wondering if anyone knew how to do something a little different with all of this.

I have a network at work with around 8 computers on it. Our cable router does not allow any kind of port forwarding at all.

I have my home computer which again is on a cable router with no port forwarding allowed.

My question is this. Is there a way to somehow, using SSH, log in to one of the work computers and using Apple Remote Desktop control the computer?

I hope this is possible and any help with getting this to work would be greatly appreciated.

I maybe should mention that the work computers also do NOT have static IP addresses, which I believe probably makes it more difficult?

I'm sure this must be possible though.

Thanks in advance.