Tunneling SSH Connections
Mon, 21 Sep 2015
You want to access a firewalled server from your local machine, which has a dynamic IP address assigned by your internet provider that changes regularly. The server you want to reach sits behind a firewall that whitelists the IP addresses allowed to connect.
The solution that works for me is to tunnel all traffic to these restricted servers through a machine that has a fixed IP address, in my case a web server I use for lots of other purposes.
You should be able to ssh into that server and add ssh keys. If the firewalled machine's name is not resolvable through DNS, you may need to add it to your remote server's /etc/hosts file.
In order to access a firewalled server with a browser, I’m using a SOCKS proxy that tunnels traffic through my remote server:
ssh -CN -D 9050 user@my-remote-server
This creates a SOCKS proxy that you can reach at localhost:9050. I found it easiest to use with Firefox and the FoxyProxy plugin. You can give that plugin a URL mask; if the mask matches, it uses the SOCKS proxy, otherwise it uses the default connection.
Here are my settings for the SOCKS proxy within FoxyProxy:
Update 7.5.2016: As Richard reports, if you are on a Mac you can configure its built-in SOCKS proxy setting like so:
# enable it: sudo networksetup -setsocksfirewallproxy Wi-Fi localhost 9050
# disable it: sudo networksetup -setsocksfirewallproxystate Wi-Fi off
The networksetup command also has a -setproxybypassdomains option to exclude certain domains from the configured proxy.
Establishing ssh access is a tad more involved, but not much. It also uses an ssh tunnel through the fixed-IP remote server.
I set up an ssh config that lets me type ssh firewalled-server and get a connection from my dynamic IP, without having to log in to the remote machine and open another ssh session from there.
In your ~/.ssh directory create a config file that will contain entries like the following, separated by a blank line:
    Host firewalled-server
        Hostname firewalled-server
        User my-username
        ForwardAgent yes
        Port 22
        ProxyCommand ssh my-username@my-remote-server /bin/nc %h %p
On your remote server you should set up key-based access by adding your public ssh key to the authorized_keys file.
If the name of your firewalled server is not known through public DNS, you need to add the name(s) of your firewalled servers to the /etc/hosts file on your remote server.
Then, from your remote server, ensure you can ssh into the firewalled server: add ssh key-based access there as well and accept the fingerprint of the firewalled server so it's added to the
If you can log in from your local machine to your remote server, and from there log in via ssh key to the firewalled server, you should be able to reach the firewalled server directly via:
ssh firewalled-server
Unless, of course, we forgot something…
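The config stanza and the hop-by-hop verification described above, as an added example that is not the post's own code: it writes the stanza, flags options that weaken the hop, and checks each leg with key-only logins. Host and user names are placeholders; check_chain assumes the stanza is already in ~/.ssh/config and that the relay has nc installed, as the post requires.

```shell
#!/bin/sh
# Constructed example: generate the ~/.ssh/config stanza described above,
# lint a config for options that weaken the hop, and verify the chain
# hop by hop the way the post recommends. Host and user names are
# placeholders; check_chain needs real hosts and is not exercised offline.

# gen_host_entry NAME TARGET USER RELAY -> one "Host" block on stdout
gen_host_entry() {
    printf 'Host %s\n' "$1"
    printf '    Hostname %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    Port 22\n'
    # nc on the relay only copies bytes: the ssh session is end-to-end,
    # so the relay never sees the target's credentials. ForwardAgent is
    # deliberately omitted; the hop does not need it, and it would hand
    # the agent socket to whoever has root on the target.
    printf '    ProxyCommand ssh %s@%s /bin/nc %%h %%p\n\n' "$3" "$4"
}

# lint_config FILE -> one line per option that weakens the chain
# (ssh option names are case-insensitive, so match them that way)
lint_config() {
    grep -niE '^[[:space:]]*(ForwardAgent[[:space:]]+yes|StrictHostKeyChecking[[:space:]]+no)' "$1" |
        sed 's/^/risky option at line /'
    return 0
}

# check_chain NAME TARGET USER RELAY -> 0 only if every hop works with keys
# alone; BatchMode=yes makes a missing key or host-key entry fail fast
# instead of prompting. The third leg uses the Host alias so that the
# ProxyCommand from ~/.ssh/config is exercised.
check_chain() {
    opts='-o BatchMode=yes -o ConnectTimeout=5'
    ssh $opts "$3@$4" true || {
        echo "local -> relay $4: key-based login failed" >&2; return 1; }
    ssh $opts "$3@$4" "ssh $opts $3@$2 true" || {
        echo "relay -> $2: add the key and accept the host key on the relay" >&2
        return 1; }
    ssh $opts "$1" true || {
        echo "local -> $1 via ProxyCommand failed" >&2; return 1; }
    echo "chain to $1 OK"
}
```

Run check_chain only after the generated stanza has been appended to ~/.ssh/config; each failure message names the leg that still needs a key or host-key entry.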