Double Reverse SSH

I had a site that didn't have remote access (no ingress available), and I didn't have time to build a proper reverse tunnel, so instead I punched open a simple reverse SSH tunnel, then used that to double up the connection and load a virtual machine image that was used for the permanent reverse tunnel. A niche problem, to be sure, but also some interesting use of SSH.

1) Open the reverse tunnel

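#!/bin/bash
# This file is named /home/user/tun, and runs from the hidden host

# If no process mentioning port 2022 is running, (re)open the reverse tunnel.
# -R 2022:localhost:22 makes port 2022 on peter lead to this host's sshd;
# -f backgrounds ssh after authentication, -N runs no remote command.
pgrep -f 2022 >/dev/null || ssh user@peter.example.com -R 2022:localhost:22 -fN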

To make this command work, the pgrep command should look for something unique to the reverse tunnel. In the example, I've used the port because it's sufficiently unique, and there will be multiple tunnels (otherwise part of the FQDN could be used). If the script doesn't see the reverse tunnel running (pgrep fails), it'll attempt to re-open the tunnel. Otherwise it'll exit quietly.

Next, we run this script regularly with cron:

* * * * * /home/user/tun
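
A hardened variant of the keepalive script above, as an added example that is not the author's own script. It matches the exact -R specification instead of any process mentioning 2022, and sets ExitOnForwardFailure so that an ssh which could not bind the port on peter exits and is retried, rather than lingering and satisfying the check. The function names and keepalive values are assumptions, and key-based login to peter is assumed to work already.

```bash
#!/bin/bash
# Added example: hardened variant of /home/user/tun for the hidden host.
# Assumes key-based login to user@peter.example.com already works.

JUMP="user@peter.example.com"
FORWARD="2022:localhost:22"   # port on peter : target host : target port

# Print the ssh arguments on one line so they can be inspected or tested.
tunnel_args() {
    # BatchMode: never hang on a password prompt under cron.
    # ExitOnForwardFailure: exit if port 2022 cannot be bound on peter,
    #   instead of staying connected with no tunnel.
    # ServerAlive*: give up on a dead connection after about 90 seconds
    #   (assumed values), so the next cron run can reconnect.
    printf '%s ' -fN \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "$FORWARD" "$JUMP"
}

# Read command lines on stdin; succeed only if one is an ssh client carrying
# exactly our -R specification (a stray "2022" elsewhere does not count).
tunnel_in_list() {
    grep -Eq "(^|/)ssh .*-R ${FORWARD}( |\$)"
}

tunnel_running() {
    ps -e -o args= | tunnel_in_list
}

# Only act when invoked under the page's file name, so the functions above
# can be loaded and tested without opening a connection.
if [ "${0##*/}" = "tun" ]; then
    # Word splitting of the argument line is intentional here.
    # shellcheck disable=SC2046
    tunnel_running || ssh $(tunnel_args)
fi
```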

With the reverse tunnel in place, an admin can then SSH to the hidden host, either in two steps or by using peter as a jump host. (The jump host in this example is named for Peter Rabbit.)

ssh -J anyone@peter.example.com someone@localhost -p2022

Because the connection to localhost port 2022 is made from peter, where the reverse tunnel is listening, localhost effectively becomes the hidden host.

2) Open another reverse tunnel

To build a permanent tunnel, I needed to access VMware to load a machine image that could be used for a proper reverse tunnel (using a VPN, not just SSH). With just one quick reverse tunnel, I couldn't reach VMware, but opening a second reverse tunnel made it work.

# Run from the hidden host to open the second reverse tunnel:
ssh user@peter.example.com -R 2443:192.168.1.11:443
# 192.168.1.11 is the VMware host IP

# Open a SOCKS proxy from the admin host:
ssh anyone@peter.example.com -D 1080

Then just configure a web browser to use the SOCKS proxy localhost:1080 and navigate to https://10.10.10.10:2443, where 10.10.10.10 is an IP of the jump host (peter). The traffic will pass up the SOCKS proxy to peter, and down the second reverse tunnel to the hidden host, where it'll be delivered to the VMware host. Quite the convoluted path!

Picture doesn't really do it justice, but this is the end result – a rainbow of tunnels!