Reverse SSH Tunnel


You are at work and you need to access your laptop at home. If you have a public IP address, then you can create an SSH tunnel from your office machine to your home desktop and access it remotely. But most people don’t have a public IP address; they have an ISP-assigned dynamic IP address.

If you have a dynamic IP address for your private network, then the method described above won’t work for you. So, how can you access your home machine from anywhere in the world? You need to use a reverse SSH tunnel. This requires that your laptop is always turned on (so that it can accept the request from the server) and that it has a public IP address or domain name and port forwarding is enabled on your router.

There have been times when I needed to SSH into my home server and perform some admin tasks. For example, if my home server downloaded something from the Internet and I wanted to download the same thing on my laptop, I would need to use SFTP to transfer the file.

But there are some limitations to this approach. My laptop is behind a firewall at work, and the firewall prohibited me from directly connecting to the ports on my laptop. There were two ways around this. One, I could set up an OpenVPN server on my home server and connect to it using an OpenVPN client on my laptop (I did this recently), or two, I could set up reverse SSH tunneling so that all requests made to a specific port on my home server would be forwarded to a port number of my choice on my laptop. This way, even if I was not able to connect directly to my laptop at work because of firewall restrictions, I could still connect through reverse SSH tunneling and forward all traffic through the SSH connection. The only requirement is that you are able to make an outbound SSH connection from your laptop (which generally should not be a problem).

Reverse SSH tunneling has been around for a long time. The idea is to start an SSH connection from a server to your local machine, so that you can use this connection to access the server, tunneling through the SSH connection.

The reason I am interested in this concept is that by using reverse SSH tunneling, I can access my local development environment from anywhere, as long as my home laptop is still on.

Assuming your workplace has an internet connection, and you have a laptop at home that is connected to the internet through some means (e.g., WiFi), you can set up a reverse SSH tunnel from your home laptop to your workplace such that all traffic goes through the tunnel.

To do so:

Make sure you have an SSH client installed on your home laptop. If not, install it with brew install openssh, or apt-get install openssh-client if you are on Ubuntu.

Then run the following command in the terminal of your home laptop:

ssh -R 8080:localhost:22 username@server

One of the issues I have been facing lately is that my ISP blocks all inbound connections to my home network. This makes it impossible for me to access services at home from the internet (HTTP, SSH, RDP, etc.). The only available solution for me is to set up a reverse SSH tunnel.

The idea is very simple. You connect from your laptop at work to a server on the internet that has SSH access enabled and listen on a random port (e.g., 9999) and forward all traffic from this port to your local HTTP server on port 80. Then you configure your firewall to allow incoming connections on this specific port (9999) and route them to another server which has SSH installed on it.

SSH tunnels are great. They let you do things that might not usually be possible. For example, if your laptop is on a network with a firewall that blocks a port you want to use, you might be able to create an SSH tunnel that routes through that machine to another network.

The reverse SSH tunnel is a little different, but still useful in some cases. The idea is, you have a server somewhere on the internet, and another machine behind a restrictive firewall. You want to access the second machine from the first one, but can’t. The first step is to create an SSH tunnel from the second machine back to itself:

ssh -R 1234:localhost:22 username@server

Now anyone who connects to port 1234 on server will get connected to port 22 (SSH) on the second machine. This allows us to connect from server to itself via the client’s network! This can be useful for example if you’re stuck at work and need access to your university’s network but can’t VPN in because they don’t allow it (yes this happens). Just make sure your university has outgoing ssh connections open, which they usually do.
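Who can actually reach port 1234 depends on the server's GatewayPorts setting in sshd_config and on the optional bind address in the -R argument; by default the listener is bound to the server's loopback interface only. The script below is an added example, not part of the original article: it works out where the listener binds for a given -R spec and sshd_config text. The function names and sample configs are constructed, and it assumes only global (pre-Match) settings and no bracketed IPv6 bind addresses.

```sh
#!/bin/sh
# Added example; all config text and addresses below are constructed.

# gateway_ports CONFIG_TEXT -> effective global GatewayPorts (default "no").
# sshd keeps the first value it sees for a keyword; keywords are
# case-insensitive. Assumption: lines after the first Match are ignored.
gateway_ports() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                        # strip comments
        tolower($1) == "match" { exit }
        tolower($1) == "gatewayports" { v = tolower($2); exit }
        END { print (v == "" ? "no" : v) }'
}

# bind_scope SPEC GATEWAYPORTS -> where the server-side listener binds.
# SPEC is the -R argument: [bind_address:]port:host:hostport
# Assumption: no bracketed IPv6 addresses in SPEC.
bind_scope() {
    spec=$1 gp=$2
    colons=$(( $(printf '%s' "$spec" | tr -cd ':' | wc -c) ))
    if [ "$colons" -ge 3 ]; then has_bind=1 bind=${spec%%:*}
    else has_bind=0 bind=; fi
    case $gp in
        yes) echo all-interfaces ;;               # server forces wildcard
        clientspecified)
            if [ "$has_bind" -eq 0 ]; then echo loopback
            elif [ -z "$bind" ] || [ "$bind" = "*" ]; then echo all-interfaces
            else echo "$bind"; fi ;;
        *) echo loopback ;;                       # "no": bind_address ignored
    esac
}

tunnel_exposure() {   # tunnel_exposure SPEC CONFIG_TEXT
    bind_scope "$1" "$(gateway_ports "$2")"
}

DEFAULT_CFG='Port 22
PasswordAuthentication no'
OPEN_CFG='# relay host
gatewayports ClientSpecified   # client may choose the bind address'

tunnel_exposure 1234:localhost:22 "$DEFAULT_CFG"       # the page's command
tunnel_exposure '*:1234:localhost:22' "$DEFAULT_CFG"
tunnel_exposure '*:1234:localhost:22' "$OPEN_CFG"
```

On a relay server, keeping GatewayPorts at its default of no means the forwarded port is reachable only by users already logged in to that server.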

So how do we use this? Well, once we have our tunnel running on server, we just

If you’re stuck in a place that doesn’t allow SSH access to your machine at home, but you have SSH access to another machine (for instance, your work machine), this tutorial will show you how to set up a reverse SSH tunnel.

This all started because I wanted to be able to use Visual Studio Code Remote Development over SSH, but the network I was on didn’t allow outbound connections on that port. This tutorial will walk through using a reverse SSH tunnel to bypass that restriction.

One of the most common use cases for reverse SSH is to securely access your remote computer which is behind a firewall or a router. This can be done by setting up an SSH tunnel that forwards traffic to a specific port on your remote machine.

First, you will need a VPS somewhere on the Internet. We recommend using DigitalOcean or Linode. You will also need the IP address of the VPS and the username and password that are used to log in to it.

Then, make sure that you have openssh-client installed on your local machine. If you are on Linux or Mac, this should already be installed by default. If you are on Windows 10, you can install OpenSSH Client with this command:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Now, log in to your VPS using SSH:

ssh root@vps_ip_address

You will be asked for the password of root user. Please enter it. Then, create a new user and give them sudo rights:

adduser Gio

usermod -aG sudo Gio

su Gio

The above commands will create a new user called Gio and then switch over to that user so we

