SSH Tunneling and reverse SSH

One of the tools in any system engineer’s hand as well as those dealing with customer remote service is to set a remote connection to the other end’s server or PC, through VPN, Public IP or any other possible way. One easy yet effective approach is to establish a ssh tunnel by means of reverse SSH.

There are so many applications to reverse ssh but here we deal with 2 most commonly used scenarios:

Scenario #1:

You want to connect to a PC or server which is behind firewall or inaccessible through internet. on the other hand your laptop is connected to internet by means of you router. If you don’t have a public IP on your laptop you can use and register a domain like Here we are not supposed to talk about dyndns, so we assume that the router is configured to forward ssh ports (default: 22) to the ip of your laptop. Now all you need to do is to run this on PC:

ssh -N -R 10555:localhost:22

Note: 10555 could be any available port on your laptop. The -R 10555:localhost:22 option causes the laptop to listen on port 10000 and forward any requests on that port to the work machine (this is basically ssh tunneling).

Next thing to do is to ssh to port 10555 on your laptop and you will actually be sshing to port 22 on the firewalled server:

ssh -p 10555 PCusername@localhost

Scenario #2:

Now let’s presume that we want to remotely log into a customer’s server from our desktop PC in the office. The thing is neither sides are accessible from internet. (nor public ip nor dyndns) But we have a server/PC which is accessible. we can simply use it as a platform (middleman) between the customer server and your desktop.

So here is how it works:

customer server ip: linux user: support
Middle man Public IP:
linux user: miduser
Your Desktop PC IP:
user: mehrdust

All you need to do is to ask your customer to run this on their server:

ssh -f -N -R 10050:localhost:22 miduser@

Then you will be prompted for the password.

You can now login to their server by running this from your desktop:

ssh -p 10015  support@


Make sure you add the following in /etc/sshd_config:

TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
GatewayPorts yes

After setting the above restart ssh deamon:

# service ssh restart

To check the list of opened tunnels on the middleman run:

# sudo lsof -i -n | egrep '\<sshd\>'
sshd      25407     root    3r  IPv4 777970       TCP> (ESTABLISHED)
sshd      25415  support    3u  IPv4 777970       TCP> (ESTABLISHED)
sshd      25415  support    9u  IPv6 778070       TCP [::1]:10150 (LISTEN)
sshd      25415  support   10u  IPv4 778071       TCP (LISTEN)
sshd      25471     root    3r  IPv4 778472       TCP> (ESTABLISHED)
sshd      25479  support    3u  IPv4 778472       TCP> (ESTABLISHED)
sshd      25551     root    3u  IPv4 778922       TCP *:ssh (LISTEN)
sshd      25551     root    4u  IPv6 778924       TCP *:ssh (LISTEN)
sshd      25554     root    3r  IPv4 778930       TCP> (ESTABLISHED)
sshd      25562  support    3u  IPv4 778930       TCP> (ESTABLISHED)
sshd      25672     root    3r  IPv4 779734       TCP> (ESTABLISHED)
sshd      25680  support    3u  IPv4 779734       TCP> (ESTABLISHED)
sshd      25680  support    9u  IPv4 779835       TCP *:10142 (LISTEN)

NOTE: To drop the connection simply kill the PID (in this case 25680).

You can also use: 

netstat -n --protocol inet | grep ':22'

Here is a script to check the ssh tunnel and bring it back on in case it’s down:

while true 
if ps aux | grep "[6]"
echo "SSH connection up." 
echo "SSH connection down." 
echo "Trying to connect ..." 
ssh -f -N -R 10050:localhost:22 miduser@

sleep 60 

  Reversing ssh connection

You may also like