Generate and maintain a ssh reverse tunnel to a remote host
Shell
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
README
revpipe

README

Overview:
 This script establishes and maintains an ssh reverse tunnel connection
 from one location to another.

Problem:
 Your work box sits behind a NAT router in the office, and you
 want/need to access it from home whenever you need to via ssh, scp or
 nx.

Solution:
 This script will generate a reverse ssh tunnel from work to home
 and make sure it stays up, re-establishing it whenever it drops.


Setup @ work
---------------------------------------------------------------------
 Make sure this script (revpipe) is executable.

 There are two configuration settings you MUST set in the revpipe
 script itself.

  youasroot@work emacs ~/bin/revpipe

 Set HOME_ADDR and PORT variables as appropriate.

  Here's a handy one-liner to run from a pc (e.g. your home desktop)
  to get your current external IP address:

  $ wget -q -O http://myexternalip.com/raw

  Save the line above to ~/bin/getip, and chmod it to 755.
  Then you can use 'getip' whenever you need to grab your ip.


 In order for your tunnel to work, you'll need to be able to ssh
 into your home pc as root, from work as root, as in:

  youasroot@work~# ssh root@your_house

 without a password, using ssh keys from work into your home pc.

 To get your keys setup:

  youasroot@work~# ssh-copy-id -i <pubkeyfile> root@your_house

 where <pubkeyfile> is typically either of:

  ~/.ssh/id_dsa.pub or ~/.ssh/id_rsa.pub

 Note:
 revpipe must be run as root on your work box, and should be run
 from root's crontab like so:

 # crontab example to restart tunnel
 MAILTO=''
 #m    h dom mon dow  command
 @reboot             /path/to/revpipe 2>&1 >/dev/null
 */5  *  *   *   *   /path/to/revpipe 2>&1 >/dev/null


  youasroot@work~# crontab -e

 Use above command to edit root's crontab.

 The crontab above will check the connection on reboot, and every 5
 minutes thereafter while your work box is running.  If the connection
 test fails 5 times during a cron cycle, it will recreate the tunnel.


Advanced Work-side Configuration Options
---------------------------------------------------------------------
 If you want to use a faster but less secure tunnel cipher, such as
 arcfour or blowfish, you'll need to setup a Host section in your
 ~/.ssh/config file. Create the file if it does not already exist.

 Example ~/.ssh/config Host section

   Host <my.homepc.com OR my_home_ip_address>
       Ciphers arcfour,arcfour128,arcfour256,blowfish-cbc
       BatchMode yes
       Compression yes


Setup @ home
---------------------------------------------------------------------
 To get to your desktop at home, you'll need to configure your home
 router to forward incoming ssh (port 22) to your box inside, and
 make sure sshd is running on your box, and that you can ssh in as
 root. (/etc/ssh/sshd_config)

 PermitRootLogin yes

 It's a VERY good idea, AFTER you have keys working from work to
 disable password authentication in /etc/ssh/sshd_config on your
 home desktop, as in:

 PasswordAuthentication no

 That way, login can only occur via keys, and that helps reduce
 your exposure from the internet. You can also adjust your
 firewall to limit access to only your Work's external ip address.


Using the Tunnel
---------------------------------------------------------------------
 With this script connected from work to your home pc, accessing your
 work pc from home is done by ssh-ing to localhost, on the configured
 port, as in:

  you@home$ ssh -p2222 workyou@localhost

 This will go back through the local reverse tunnel endpoint, which
 is at localhost:2222, dropping you right onto your work pc. Or, to
 copy files to your work desktop:

  you@home$ scp -P2222 /my/local/file workyou@localhost:~/Desktop/

 NX server, from nomachine (www.nomachine.com), works great to deliver
 a full graphical desktop experience over this reverse tunnel. To use
 it, setup nxserver on your work box and use nxclient on your home
 machine. In the client configuration, set your target to be
 localhost, on the port you specified above. I'm writing this on my
 work desktop from home. It spans two monitors fullscreen, and it
 feels almost as fast as being there. Try it - it blows vnc away.


Other stuff
---------------------------------------------------------------------

 Some other ssh settings to read up on:
  ServerAliveCountMax
  ServerAliveInterval

 Use 'apropos ssh' for a list of related ssh manpages. ssh_config is a
 good manpage to read.  If the tunnel is isolated by your firewall by
 IP addresses, you might consider a less robust tunnel cipher to
 improve performance, like arcfour. Use root's ~/.ssh/config to modify
 the cipher for this connection only.

 See Advanced Work-side Configuration Options above for more
 information. This cipher will only affect the tunnel, your sessions
 back through the tunnel are still encrypted using your default
 cipher.