Reverse SSH tunnel: how can I send my port number to the server?

Question

I have two machines, Client and Server.

Client (who is behind a corporate firewall) opens a reverse SSH tunnel to Server, which has a publicly-accessible IP address, using this command:

ssh -nNT -R0:localhost:2222 insecure@server.example.com

In OpenSSH 5.3+, the 0 occurring just after the -R means "pick an available port" rather than explicitly calling for one. The reason I'm doing this is because I don't want to pick a port that's already in use. In truth, there are actually many Clients out there that need to set up similar tunnels.

The problem at this point is that the server does not know which Client is which. If we want to connect back to one of these Clients (via localhost) then how do we know which port refers to which client?

I'm aware that ssh reports the port number to the command line when used in the above manner. However, I'd also like to use autossh to keep the sessions alive. autossh runs its child process via fork/exec, presumably, so that the output of the actual ssh command is lost in the ether.

Furthermore, I can't think of any other way to get the remote port from Client. Thus, I'm wondering if there is a way to determine this port on Server.

One idea I have is to somehow use /etc/sshrc, which is supposedly a script that runs for every connection. However, I don't know how one would get the pertinent information here (perhaps the PID of the particular sshd process handling that connection?) I'd love some pointers.

Thanks!

Wouldn't a VPN be more appropriate? OpenVPN is super simple to configure. — Ben Lessani, Jun 27 '12 at 21:12
Sounds interesting. I don't know much about VPN. Is this something that could work even if the Client machine is configured to use DHCP? — Tom, Jun 27 '12 at 21:25
Yes, it runs off another TUN/TAP interface, so other interfaces are irrelevant. — Ben Lessani, Jun 27 '12 at 21:28
@sonassi, it looks like this VPN thing will do the trick. Thanks for the info. — Tom, Jun 28 '12 at 00:22
I've added an answer below specifically guiding you through the VPN process with OpenVPN (based on Debian/Ubuntu) — Ben Lessani, Jun 28 '12 at 11:22

score 3 · Answer 1 · answered Jun 27 '12 at 23:18

3

If the clients each have different usernames, you can use netstat to find out what port that user's sshd process is listening on. For example:

% sudo netstat -tlpn | grep 'sshd: mgorven@'
tcp        0      0 127.0.0.1:22220         0.0.0.0:*               LISTEN      5293/sshd: mgorven@
tcp        0      0 127.0.0.1:5120          0.0.0.0:*               LISTEN      5293/sshd: mgorven@

answered Jun 27 '12 at 23:18

mgorven

30,036
7
76
121

You can, but this requires running netstat as root on the bastion server, which is ideally avoided – Chris Stratton Jun 08 '20 at 21:52

score 3 · Answer 2 · answered Jun 28 '12 at 01:52

3

You could alter the ephemeral port range (/proc/sys/net/ipv4/ip_local_port_range for Linux) and then use statically allocated ports outside that range.

answered Jun 28 '12 at 01:52

Mark Wagner

17,764
2
30
47

No need to change the ephemeral range for that. By default the ephemeral range ends at 61000, so there is thousands of available port numbers above that. I have often used `echo $[61002+RANDOM%4532]` to pick a port number in that range. – kasperd Jul 01 '17 at 18:00
The problem with statically allocated ports is that a client will be unable to reconnect if and forward that port if the server is still holding a previous connection using it. If the client doesn't shut down cleanly, the server may preserve that for a few minutes. – Chris Stratton Jun 08 '20 at 21:53

Ben Lessani · Accepted Answer · 2014-08-10T16:24:51.960

Wouldn't a VPN be more appropriate? OpenVPN is super simple to configure. Here is a sample config and some links to guide your through the certificate creation process:

apt-get install openvpn
mkdir /etc/openvpn/easy-rsa
mkdir -p /etc/openvpn/ccd/client_server
touch /etc/openvpn/ipp.txt
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca 
./build-dh
./build-key-server server
cd /etc/openvpn/easy-rsa/keys
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt

Then create a new file /etc/openvpn/client_server.conf and put the following in it, changing the SERVER_IP_ADDRESS as appropriate

local SERVER_IP_ADDRESS
port 8443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
pkcs12 /etc/openvpn/easy-rsa/keys/server.p12
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 192.168.100.0 255.255.255.0
client-config-dir /etc/openvpn/ccd/client_server
ccd-exclusive
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
reneg-sec 0

Then build a key per user who is going to connect, and create the config file in the ccd dir

./build-key-pkcs12 user1@domain.com
echo "ifconfig-push 192.168.100.2 255.255.255.0" > /etc/openvpn/ccd/client_server/user1@domain.com

The IP address MUST be suitable for a /30 subnet (see http://www.subnet-calculator.com/cidr.php), as there is only 2 addresses available (server and client) per connection. So your next available client IP would be 192.168.100.6 and so on.

Then you now have static IPs per connecting user.

Then supply the user1@domain.com.p12 file to the end-user and use the following config file

client
dev tun
proto udp
remote SERVER_IP_ADDRESS 8443
pkcs12 user1@domain.com.p12
resolv-retry infinite
nobind
ns-cert-type server
comp-lzo
verb 3
reneg-sec 0

Thanks for the thorough answer! I do have two questions about this, though. A) Specifying the 255.255.255.0 for the client's ifconfig-push line does not seem to work, but it does work if I specify a second IP address. Why is this? And B) does this approach mean that 4 IP addresses are used per connection? — Tom, Jun 28 '12 at 18:01
On some Linux systems, the syntax for the ifconfig-push line is different. Eg. `ifconfig-push 192.168.100.2 192.168.100.3` - I've no idea why it differs on platforms. And yes, it means 4 IPs are used per client (wasteful, but the nature of the beast). — Ben Lessani, Jun 28 '12 at 18:07

score 2 · Answer 4 · edited Jun 30 '17 at 10:26

2

I want the same setup like you, I increased the log level of the SSH server to DEBUG, and it showed in the logs what was the local port of the client

for example:

client command: ssh -N -R0:127.0.0.1:5522 connector@example.com

server log:

Jun 30 11:28:59 debsid sshd[27577]: debug1: Local forwarding listening on 127.0.0.1 port 35391

there you see the port number

edited Jun 30 '17 at 10:26

Frederik

3,293
3
30
46

answered Jun 30 '17 at 09:38

deeler

21
1

score 0 · Answer 5 · answered Jun 27 '12 at 23:39

0

You should be able to extract the relevant information from the output of:

lsof -i tcp

Run as root.

answered Jun 27 '12 at 23:39

Thor

465
5
14

score 0 · Answer 6 · answered Feb 04 '19 at 21:41

Run this script on the server:

sudo lsof -i -n | grep "sshd" | grep "(LISTEN)" | awk '{print $2}' | while read line; do sudo lsof -i -n | egrep $line | sed 3~3d | sed 's/.*->//' | sed 's/:......*(ESTABLISHED)//' | sed 's/.*://' | sed 's/(.*//' | sed 'N;s/\n/:/' 2>&1 ;done

You may or may not need the two sudo's. Remove if you don't.

PS - This is a modified version of a solution I found elsewhere a while back. I think it may have come from StackOverflow, but I can't find the original reference.

Reverse SSH tunnel: how can I send my port number to the server?

6 Answers6

Linked