Use a reverse SSH tunnel to get around firewalls

Feb 25, '05 08:02:00AM

Contributed by: jdb8167

My mother (she just turned 68) was having some trouble with her Airport Base Station, and she wanted some help from me. Unfortunately I live 1300 miles away. Remote support has been a constant problem, so last night I talked her through installing Apple's latest Remote Desktop Client 2.1.

Then I found out that her DSL ISP (Earthlink) is blocking incoming port 22. So I couldn't do an SSH connection to her IP to tunnel to the VNC port on her iMac. This was annoying, but I knew there must be a solution.

What you need is the following. The ssh command below is something that I probably couldn't have gotten across to her over the phone, but a simple AppleScript .app that runs it, sent via iChat, solved the problem.

The AppleScript does a reverse port mapping from her machine to mine. Then I used a VNC application -- Chicken of the VNC (CotVNC) -- pointed at localhost, display 0, to remotely control her iMac:

tell application "Terminal"
    open window
    set x to window 1
    (* USER is a user name on the CotVNC machine *)
    (* DOMAIN.ORG is the host name or IP address for the CotVNC machine *)
    (* -R: the CotVNC machine listens on its own port 5900 and forwards it back to this machine's VNC server on 127.0.0.1:5900 *)
    do script "ssh USER@DOMAIN.ORG -R 5900:127.0.0.1:5900" in x
    activate
end tell

Substitute the appropriate USER and DOMAIN.ORG information for your machine in the script.

The only setting you need with Apple's 2.1 client (which should be called ARD 2.1 Server, but that would confuse the unwashed masses) is to check Apple Remote Desktop in the Sharing pane of System Preferences. Then, from the "Access Privileges..." button, check "VNC viewers may control screen with password," enter a bogus password (since we are using SSH for security), and click OK. The other settings are not used unless you are using Apple's Remote Desktop software.

The trick is that we want to tunnel from our local loopback address 127.0.0.1 (IPv4) on the machine running CotVNC to the remote machine. But since the remote machine is behind an incoming firewall that blocks port 22, we need the remote machine to open the connection outward and carry a reverse tunnel back to our localhost. When the remote user runs this script, the tunnel is available on port 5900 of localhost on the CotVNC machine, ready for the local VNC client. If the remote machine has no authorized SSH key for the account on the CotVNC machine, the Terminal window that the AppleScript opens on the remote machine will prompt for that account's password.

With CotVNC, the setup is to connect to localhost, display 0, with the bogus password. Enter the information in the connection dialog and voilà, you have access to the remote machine -- even behind the incoming firewall. The account used for the reverse connection doesn't have to be the login you normally use; any valid login on the local (CotVNC) machine will do.
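As an added example (not from the original hint), the same reverse tunnel with the ssh options a careful admin would add on the remote side, plus the authorized_keys entry that limits the helper key on the CotVNC machine to just this listener. USER, DOMAIN.ORG, the helper account and the public key are placeholders; `restrict` needs OpenSSH 7.2 and `permitlisten` OpenSSH 7.8 or later.

```shell
#!/bin/sh
# Added example, not part of the original hint. Hardened version of the
# "ssh USER@DOMAIN.ORG -R 5900:127.0.0.1:5900" one-liner from the AppleScript.

# Command the tunnelled (remote) machine runs. Compared with the hint's line:
#   -N                           open no remote shell, only the forward
#   -o ExitOnForwardFailure=yes  fail loudly if port 5900 is already in use on
#                                the CotVNC machine instead of silently leaving
#                                a shell with no tunnel behind it
#   -o ServerAliveInterval=30    drop a dead tunnel on a flaky DSL line
#   127.0.0.1 bind address       states the intent; sshd's default
#                                GatewayPorts=no forces loopback anyway
tunnel_cmd() {
    user="$1"; host="$2"; port="${3:-5900}"
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$port" "$port" "$user" "$host"
}

# authorized_keys line for the helper account on the CotVNC machine:
# restrict disables pty, agent and X11 forwarding and ~/.ssh/rc;
# port-forwarding turns forwarding back on; permitlisten caps -R listens
# to this one port. The pubkey argument is the helper's public key.
authorized_key_line() {
    pubkey="$1"; port="${2:-5900}"
    printf 'restrict,port-forwarding,permitlisten="%s" %s' "$port" "$pubkey"
}

# Check a -R spec ([bind_address:]port:host:hostport) before handing it out:
# accept only specs whose listener stays on the CotVNC machine's loopback.
forward_is_loopback_only() {
    spec="$1"
    bind="${spec%%:*}"
    case "$bind" in
        "") return 1 ;;                  # ":5900:..." means all interfaces
        127.0.0.1|localhost) return 0 ;;
        *[!0-9]*) return 1 ;;            # "*", "0.0.0.0", other addresses
        *) return 0 ;;                   # bare port: sshd default is loopback
    esac
}

# Usage: print the two lines an admin would paste into place.
tunnel_cmd USER DOMAIN.ORG; echo
authorized_key_line 'ssh-ed25519 AAAA... helper-key'; echo
```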

Mac OS X Hints
http://hints.macworld.com/article.php?story=20050222062346277