ssh reverse proxy to enable remote access behind a LAN and firewall

Say you are behind a typical NAT/LAN setup, whether at home, at work or while travelling. What if you have a computer or server that you need to connect to from the outside?

Yes, you could use a VPN, but a quick and dirty, temporary and secure way is to use SSH's Reverse Tunneling Proxy feature.

Requirements

On the remote SSH server host you need the GatewayPorts option enabled in sshd_config (be sure to restart sshd after making the change).

Your sshd_config needs this:

GatewayPorts yes
 

On the client (the machine that is behind the firewall), run the SSH command:

ssh -R 33000:localhost:3389 username@remoteip

33000 means that when we connect to remoteip:33000 we will be connected to port 3389 on the localhost (the machine behind the firewall that ran the ssh command).

We could also change localhost to another IP on our LAN if we wanted to.

Now if we connect to the remote IP on the forwarded port, we reach RDP on port 3389 even though the machine is firewalled (this works even if all ports are closed and nothing is forwarded to your machine, since the ssh -R reverse proxy command is what handles our inbound connections through remoteip).
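
With GatewayPorts yes, sshd binds the -R listener on every interface, so port 33000 (and the RDP service behind it) is reachable by any host that can reach the SSH server. The shell functions below are an added example, not part of the original article: they report which binding mode an sshd_config selects and classify an ss -tln listing for the forwarded port; the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. All sample input is constructed.

# Print the effective global GatewayPorts value from sshd_config file "$1".
# sshd matches keywords case-insensitively, uses the first occurrence, and
# defaults to "no". Assumption: Include files and Match blocks are not followed.
gatewayports_mode() {
    awk '
        { sub(/[#].*/, ""); sub(/=/, " ") }      # drop comments, allow key=value
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# Where sshd binds the listener created by "ssh -R 33000:localhost:3389".
forward_exposure() {
    case "$(gatewayports_mode "$1")" in
        yes)             echo "all-interfaces" ;;  # reachable by any host that can reach the server
        clientspecified) echo "client-chosen" ;;   # taken from -R [bind_address:]port:host:hostport
        no)              echo "loopback-only" ;;   # only users on the SSH server itself
        *)               echo "unknown" ;;
    esac
}

# Classify the listener for port "$1" from "ss -tln" output on stdin.
listener_scope() {
    awk -v p=":$1" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            addr = substr($4, 1, length($4) - length(p))
            if (addr == "127.0.0.1" || addr == "[::1]") lo = 1; else wide = 1
        }
        END { print (wide ? "exposed" : (lo ? "loopback" : "absent")) }
    '
}

# Demo: the article's server setting, then a listener as ss would list it.
cfg=$(mktemp)
printf '%s\n' 'Port 22' 'GatewayPorts yes' > "$cfg"
echo "config says:   $(forward_exposure "$cfg")"
echo "listener is:   $(printf '%s\n' 'LISTEN 0 128 0.0.0.0:33000 0.0.0.0:*' | listener_scope 33000)"
rm -f "$cfg"
```

On a live server, pipe ss -tln into listener_scope while the tunnel is up. If the configuration uses Include or Match, save the output of sshd -T to a file and check that instead.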

