I had a site that didn't have remote access (no ingress available), and I didn't have time to build a proper reverse tunnel, so instead I punched open a simple reverse SSH tunnel, then used that to double up the connection and load a virtual machine image that was used for the permanent reverse tunnel. A niche problem, to be sure, but also some interesting use of SSH.
1) Open the reverse tunnel
#!/bin/bash
# This file is named /home/user/tun, and runs from the hidden host
pgrep -f 2022 >/dev/null || ssh email@example.com -R 2022:localhost:22 -fN&
To make this command work, the pgrep command should look for something unique to the reverse tunnel. In the example, I've used the port because it's sufficiently unique, and there will be multiple tunnels (otherwise part of the FQDN could be used). If the script doesn't see the reverse tunnel running (pgrep fails), it'll attempt to re-open the tunnel. Otherwise it'll exit quietly.
Next, we run this script every minute with cron:
* * * * * /home/user/tun
With the reverse tunnel in place, an admin can then SSH to the hidden host. Either two-step it, or use peter as a jump host. In this example, it's named for Peter Rabbit.
ssh -J firstname.lastname@example.org someone@localhost -p2022
By using the port opened in the reverse tunnel, localhost becomes the hidden host.
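The pgrep guard from step 1, tightened, as an added example that is not the author's script: it matches the full `-R 2022:localhost:22` forward instead of the bare port, and adds ssh options so a stale or forward-less client exits and the next cron run can reopen the tunnel. The function names and the `tun` file-name check are assumptions of this example.

```bash
#!/bin/bash
# Added example: a hardened variant of /home/user/tun, not the author's script.
# JUMP reuses the page's placeholder login; FORWARD is the page's own forward.
JUMP="${JUMP:-email@example.com}"
FORWARD="2022:localhost:22"

# Succeeds if the process listing on stdin contains an ssh client carrying
# exactly this -R forward. A bare "2022" also matches unrelated commands such
# as "tail -f backup-2022.log", and then the tunnel is never reopened.
tunnel_in_listing() {
    grep -Eq "(^|/)ssh .*-R ${FORWARD}( |\$)"
}

open_tunnel() {
    # BatchMode: fail instead of waiting for a password prompt under cron.
    # ExitOnForwardFailure: exit if the jump host cannot bind the port, rather
    #   than leaving a live ssh process with no forward behind it.
    # ServerAlive*: a dead link ends the client after about 90 s, so the next
    #   cron run sees no tunnel and reopens it.
    ssh -fN -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "$FORWARD" "$JUMP"
}

main() {
    listing=$(ps -eo args)   # snapshot first, so grep never matches itself
    printf '%s\n' "$listing" | tunnel_in_listing || open_tunnel
}

# Run only when installed under the page's file name (/home/user/tun).
case "${0##*/}" in tun) main ;; esac
```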
2) Open another reverse tunnel
To build a permanent tunnel, I needed to access VMware to load a machine image that could be used for a proper reverse tunnel (using a VPN, not just SSH). With just one quick reverse tunnel, I couldn't reach VMware, but opening a second reverse tunnel made it work.
# Run from hidden host to open second reverse tunnel:
ssh email@example.com -R 2443:192.168.1.11:443
# 192.168.1.11 is the vmware host IP
# Open a socks proxy from the admin host:
ssh firstname.lastname@example.org -D 1080
Then just configure a web browser to use the SOCKS proxy localhost:1080 and navigate to
10.10.10.10 is an IP of the jump host (peter). The traffic will pass up the SOCKS proxy to peter, and down the second reverse tunnel to the hidden host, where it'll be delivered to the VMware host. Quite the convoluted path!