Monday, April 16, 2012

SSH Tunneling & Reverse Tunneling

SSH Tunneling:

In short, SSH tunneling (local forwarding, `ssh -L`) lets you connect to a remote machine over SSH and have the ssh client listen on a local port; every connection to that local port is carried through the SSH session and delivered to a host:port that is reachable from the remote machine. It works on any system with an SSH client, not only Unix.

SSH Reverse Tunneling:

SSH reverse tunneling (remote forwarding, `ssh -R`) is the mirror image: you connect to a remote machine and have its sshd listen on a port there; every connection to that remote port is carried back through the SSH session and delivered to a host:port reachable from your local machine.

The Problem:

We need to test an external service that redirects back to one of the service URLs we provide. That requires a server with a public IP. However, it's a pain to compile, deploy to the public server and test for every change.

Instead, it is much easier to map a port on the remote server to a port on my local machine, so that I can deploy my services locally and still have the external service redirect to them.

Assume our external server's hostname is mapped to: and we will use to provide Single Sign-On (SSO) support. In the example, when a user wants to log in using the SSO service provided by, the user is redirected to with certain request parameters. Once the user has successfully logged in to, they are redirected back to with parameters indicating that the login succeeded.

To test this, we would have to re-deploy the services on every time we fix something. Of course, we could point the public server at an NFS share exported from a directory on your machine so that it reads the deployment files directly from there.

But if the public server and your machine are on different networks and your machine does not have a public IP, that is harder to arrange. SSH reverse tunneling gives us a way out.

Assume that your machine's hostname is "developer" (it can of course be an IP address).

ssh -f -R -N

What this does is log in to the remote server "", have its sshd listen on port 8081 there, and forward every connection to that port back through the SSH session to "developer:8080" (the target host:port is resolved on the developer side, where the ssh client runs). The `-N` flag asks for no remote command or shell, and `-f` puts ssh in the background once the tunnel is up. So when anyone logged in to "" sends a request to "http://localhost:8081", the request arrives at port 8080 on developer.

But this is no fun, since to make the request a user has to be logged in to first. To fix that, we can open another port on that forwards everything to port 8081, the reverse-tunnel port. To do this, log in to and execute the following command there:

ssh -f -L -N

Once this command is executed, every request sent to is forwarded to, which in turn forwards it to "developer:8080". Note that a plain `-L` also binds to the loopback interface by default; for the second hop to accept connections from other hosts, the client-side `GatewayPorts` option (the `-g` flag) must be on or an explicit bind address such as `*` must be given in the `-L` specification.

Why not try this shortcut?

ssh -f -R -N 

This logs in to and maps port 8080 there to forward everything to developer:8080. However, it only works for someone who is logged in to and sends a request to "localhost:8080". It does not work for a user who simply sends the request to "". The only way to make the shortcut work is to enable the `GatewayPorts` option in the server's sshd configuration. By default sshd binds the reverse-tunnel port to the loopback interface only, which prevents remote hosts from using it; the default value of `GatewayPorts` is `no`. Setting it to `yes` binds every reverse-forwarded port on all interfaces, while `clientspecified` lets the client choose by giving a bind address in the `-R` specification (for example `-R '*:8080:developer:8080'`). Keep in mind that either setting makes whatever you forward reachable by anyone who can reach the public server, including your development box, so use it deliberately and close the tunnel when the test is done.
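The procedure above, collected into a script as an added example; it is not the original author's command set. The hostnames "developer" and "public.example.com", the login "deploy", and the sshd_config and `ss -ltn` excerpts are assumptions constructed for illustration. The script reads the effective `GatewayPorts` value from an sshd_config, prints the ssh command line(s) that are correct for that value, and classifies where a tunnel port ended up listening, which is the check to run on the public server after opening a `-R`.

```sh
#!/bin/sh
# Added example; not the original post's commands.
# Assumptions (illustration only): developer box "developer", public server
# "public.example.com", login "deploy". Config and ss excerpts are constructed.
DEV_HOST=developer
PUBLIC_HOST=public.example.com
PUBLIC_USER=deploy

# Effective GatewayPorts value of an sshd_config read from stdin.
# sshd honours the first occurrence of a keyword; the default is "no".
# Directives inside Match blocks are conditional and deliberately ignored.
gateway_ports() {
    awk '
        tolower($1) == "match"        { exit }
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    '
}

# The ssh command line(s) that expose developer:8080 as public.example.com:8080,
# chosen by the server's GatewayPorts value.
reverse_tunnel_cmd() {
    case "$1" in
        yes)
            # sshd binds the -R port on all interfaces by itself.
            echo "ssh -f -N -R 8080:$DEV_HOST:8080 $PUBLIC_USER@$PUBLIC_HOST"
            ;;
        clientspecified)
            # The client must ask for a non-loopback bind address explicitly.
            echo "ssh -f -N -R '*:8080:$DEV_HOST:8080' $PUBLIC_USER@$PUBLIC_HOST"
            ;;
        *)
            # GatewayPorts no: the -R port is loopback-only on the server, so a
            # second, local forward bound to all interfaces is needed. The
            # second command is run on the public server itself.
            echo "ssh -f -N -R 8081:$DEV_HOST:8080 $PUBLIC_USER@$PUBLIC_HOST"
            echo "ssh -f -N -L '*:8080:localhost:8081' localhost"
            ;;
    esac
}

# Where a port is listening, from `ss -ltn` output on stdin: "loopback"
# (only 127.0.0.1 / ::1), "public" (some non-loopback address) or "none".
listen_scope() {
    awk -v port="$1" '
        NR > 1 {
            n = split($4, a, ":")
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") {
                if (scope == "") scope = "loopback"
            } else {
                scope = "public"
            }
        }
        END { if (scope == "") scope = "none"; print scope }
    '
}

# Constructed sshd_config excerpt: GatewayPorts is only present commented out.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
Port 22
#GatewayPorts yes
PermitRootLogin no
EOF
)

# Constructed `ss -ltn` excerpt: 8081 is loopback-only, 8080 is on all interfaces.
SAMPLE_SS_OUTPUT=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:8081      0.0.0.0:*
LISTEN 0      128    [::1]:8081          [::]:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
EOF
)

mode=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gateway_ports)   # prints "no"
echo "GatewayPorts is: $mode"
reverse_tunnel_cmd "$mode"                                      # two commands
printf '%s\n' "$SAMPLE_SS_OUTPUT" | listen_scope 8081           # loopback
printf '%s\n' "$SAMPLE_SS_OUTPUT" | listen_scope 8080           # public
```

Run `ss -ltn` (or `netstat -ltn` on older systems) on the public server after opening the tunnel and feed it to `listen_scope`; a `-R` port that shows up only as `127.0.0.1` or `[::1]` is the default loopback binding described above and will not be reachable from the Internet no matter what the client asked for.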
