How to SSH between two computers behind NAT and firewall, without a third computer

9

5

I am trying to SSH into my Linux box at home. My home is a dorm-style environment: NAT and firewall, with a personal laptop running Arch Linux. My work machine is corporate-style Windows 7: NAT and proxy firewall, no admin rights.

I am able to connect the two by running TeamViewer Portable. However, this does not suit what I'm really looking for. I am looking to simply SSH into my Linux box at home, leaving my Linux box logged out completely - basically headless when I'm not there.

I've read up on tunneling, however if I understand tunneling correctly I need a 3rd party server that both computers can connect to. I have no such server and don't wish to pay for such a thing either.


What is a simple and secure solution for SSHing into my laptop from work? Is there a free and secure 'third server'? I have been up and down Google, but seem to be getting more and more confused.

user1026169

Posted 2012-08-08T18:36:29.827

Reputation: 393

Do you have access to the router? You usually need to adjust NAT settings to point your public IP address at your internal SSH server to do something like this. – jmreicha – 2012-08-08T18:55:16.297

No, I have no router access and can't adjust the NAT settings. – user1026169 – 2012-08-08T19:07:30.023

Then in this case you will likely have to proxy through a third server to connect if the Team Viewer option won't work. – jmreicha – 2012-08-08T19:15:52.177

Who provides a server that I can use only as a proxy for SSH? – user1026169 – 2012-08-08T19:19:30.630

I bet a cloud based VPS would do the trick. – jmreicha – 2012-08-08T19:22:12.717

The VPSs I found are all minimum $5/month. That's out of my price range for this sorta thing. – user1026169 – 2012-08-08T19:34:58.057

Outside of a paid service I'm not sure where else you could get something like that. – jmreicha – 2012-08-08T19:43:28.930

If you have physical access at work, you can boot off a live CD and compile and run pwnat. – Mechanical snail – 2012-08-16T07:18:09.137

Answers

16

pwnat is an open-source tool that supposedly addresses this problem. It says:

pwnat is a tool that allows any number of clients behind NATs to communicate with a server behind a separate NAT with no port forwarding and no DMZ setup on any routers in order to directly communicate with each other. The server does not need to know anything about the clients trying to connect.

There is no middle man, no proxy, no 3rd party, no UPnP/STUN/ICE required, no spoofing, and no DNS tricks.

More importantly, the client can then connect to any host or port on any remote host or to a fixed host and port decided by the server.

pwnat establishes this kind of connection:

Machine A (IP: 192.168.1.3) -> NAT A (IP: 122.x.x.x) -> Internet -> NAT B (IP: 59.x.x.x) -> Machine B (192.168.2.10)

pwnat is distributed only for Linux, but the article PWNAT: Windows Compiled Version contains the Windows version. See also, by the same author, PWNAT: Example.

The method used by pwnat is unbelievably clever, but there is no guarantee that it will work with your environment.

harrymc

Posted 2012-08-08T18:36:29.827

Reputation: 306 093

Note: pwnat is dependent on ICMP to work. Specifically, ICMP Echo and Time Exceeded messages. This works because ICMP is stateless. – shadowbq – 2012-08-13T13:22:44.960

Doesn't work for me. NAT routers are not smart enough to implement standards, nor smart enough to understand the author of pwnat. +1 still for cleverness. – quantum – 2012-08-18T03:01:17.070

I have also tried pwnat with no success. But it's possible I have something wrong in my configuration. Is there anyone who has had success who can give support? – robguinness – 2013-05-02T06:56:22.900

5

I personally think that tunnelling is your best option, even though you don't already own a third server.

Amazon EC2 offers a Free Tier pricing option allowing new customers to run a micro instance of Linux/Windows for up to 750 hours / month, free, for one year. I haven't used the service myself but assume that if you only run the virtual server when needed, you get an SSH tunnel up and running for free. You might even find the service cheap enough to warrant paying for?

Hak5 produced a good introduction to tunnelling (with persistence). You could also set up a cron-triggered script to attempt connections to the virtual server so that you have access to the laptop within minutes of starting the EC2 instance...

danielcraigie

Posted 2012-08-08T18:36:29.827

Reputation: 2 451

Also note, 750 hours is 31.25 days... So basically you get one t2.micro instance for free, for a year. – Attie – 2018-02-19T18:05:16.633

Thank you, I found a free VPS with some help from a few forums. – user1026169 – 2012-08-22T23:06:36.697
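The tunnel-plus-cron idea in this answer, written out as an added example (this is not the answer's script, nor anything from Hak5 or Amazon): the home laptop opens a reverse SSH tunnel to a rented VPS and a cron job re-establishes it whenever it drops. The VPS address `vps.example.com`, the shell-less account `tunnel`, the ports, the key path and the install path are all assumptions. The forward is bound to the VPS loopback only, and the key installed on the VPS is restricted so it can open that one forward and nothing else, which limits what a stolen laptop key buys an attacker on the VPS:

```shell
#!/bin/sh
# Added example, not from the answer above: keep a reverse SSH tunnel from the
# home laptop to a rented VPS alive from cron, so the laptop is reachable
# through the VPS within minutes of the instance coming up. The VPS address,
# account names, ports and key path are assumptions; change them to match.

VPS_HOST="${VPS_HOST:-vps.example.com}"                   # assumed VPS address
VPS_USER="${VPS_USER:-tunnel}"                            # assumed shell-less account on the VPS
REMOTE_PORT="${REMOTE_PORT:-2222}"                        # port bound on the VPS loopback
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"                    # sshd on the home laptop
TUNNEL_KEY="${TUNNEL_KEY:-$HOME/.ssh/id_ed25519_tunnel}"  # key used for nothing else
PIDFILE="${PIDFILE:-${TMPDIR:-/tmp}/home-tunnel.pid}"

# The ssh command line the cron job runs.
#  -N                          no remote shell; the session exists only for the forward
#  -R 127.0.0.1:R:localhost:L  expose the laptop's sshd on the VPS loopback only,
#                              so it is reachable just by someone logged in to the VPS
#  ExitOnForwardFailure        exit (so cron retries) rather than stay up without the forward
#  ServerAlive*                notice a dead NAT mapping and exit within about 90 s
#  BatchMode                   never prompt; a cron job has nobody to answer
#  StrictHostKeyChecking       the VPS host key must already be in known_hosts
tunnel_cmd() {
  printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -o StrictHostKeyChecking=yes -R 127.0.0.1:%s:localhost:%s %s@%s' \
    "$TUNNEL_KEY" "$REMOTE_PORT" "$LOCAL_SSH_PORT" "$VPS_USER" "$VPS_HOST"
}

# authorized_keys line to install on the VPS for the tunnel key (argument: the
# contents of the .pub file). "restrict" removes PTY, agent, X11 and all
# forwarding; "port-forwarding" plus "permitlisten" then allows exactly this
# one reverse forward and nothing else (permitlisten needs OpenSSH 7.8 or later).
vps_authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$REMOTE_PORT" "$1"
}

# True if the ssh process recorded in the pidfile is still alive.
tunnel_running() {
  [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Start the tunnel unless one is already up; safe to call every few minutes.
# The command is word-split on purpose: none of the values above contain spaces.
start_tunnel() {
  if tunnel_running; then
    return 0
  fi
  $(tunnel_cmd) &
  echo $! > "$PIDFILE"
}

# Cron entry on the laptop (assumed install path):
#   */5 * * * * /usr/local/bin/home-tunnel.sh run
case "${1:-}" in
  run) start_tunnel ;;
esac
```

From work you then log in to the VPS and connect to `127.0.0.1:2222` there (or use it as a ProxyJump host); nothing on the VPS listens on a public interface for the laptop's sshd. Because `tunnel` has no shell and the key carries `restrict`, the VPS operator gains no foothold on the laptop beyond what its own sshd allows, and the session content is encrypted end to end between the work client and the laptop's sshd.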

3

The best option would be to set up port forwarding if you can, but if your campus does the firewalling and you cannot do any port forwarding yourself, then use this suggestion.

Yes, there is a free 3rd server, and you are already using it: TeamViewer. Make sure you have TeamViewer installed as a service (or whatever the equivalent is for Linux; I only use the Windows version). Then install the VPN driver at work and at home. You will then be able to connect using a VPN from work, and your home machine will have a 7.x.x.x IP address. Then, if you want to get into a terminal session, run SSH over the VPN link.

The Install VPN option is under Advanced settings. [screenshot]

That will add a "VPN" option to the types of connections you can do. [screenshot]

Scott Chamberlain

Posted 2012-08-08T18:36:29.827

Reputation: 28 923

Thanks very much for the detailed help and screenshots. I'm using TeamViewer Portable though, and have no admin rights. The VPN option is greyed out and I can't use it. – user1026169 – 2012-08-08T19:21:17.960

1

You should just be able to set up port forwarding (port 22) on your home router / firewall, and then connect to your home public IP address when you're at work. You could use something like DynDNS if you don't have a static public IP at home.

NetworkFish

Posted 2012-08-08T18:36:29.827

Reputation: 31

Port forwarding is not possible on either of my machines due to the network that serves them. I have No-IP set up, however there are no ports that I can use to connect the machines. – user1026169 – 2012-08-08T19:09:00.617

0

You can use a public XMPP/Tox server as the "third server". Namely, there are projects like Tuntox and PPPoAT (PPP over Any Transport), which use these instant messaging protocols as transport layers.

I've tried PPPoAT, which supports XMPP, and, unlike pwnat, this mechanism does indeed work for me.

To use it, you need two XMPP accounts on any public server – one for the server you want to log in to, another for your client. After you start pppoat on the server, then on the client (both with appropriate config parameters), you can immediately start a connection, e.g.

ssh username@10.0.0.2

It'll be slower than a direct connection, of course, and the speed will most likely depend on the XMPP server you choose, but for normal console activity it's good enough.

As for security, SSH can work on a totally insecure network, since it already implements its own encryption, so whether the XMPP-based connection is secure is actually irrelevant when you use SSH.

Ruslan

Posted 2012-08-08T18:36:29.827

Reputation: 1 168
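SSH does encrypt the session regardless of the transport, but with a relay in the path (the public XMPP server here, or a rented VPS) it is the host key check that ties that encryption to the right endpoint: accepting an unknown key on first connection is the moment a relay that impersonates the home box would be accepted. The following is an added example, not code from this answer or from the PPPoAT or Tuntox projects; it prints a client `ssh_config` stanza that pins the home box's host key under a fixed alias, with the host names, ports, user names and the host key all constructed. The same stanza generator covers the point-to-point case of this answer (`ssh username@10.0.0.2`) and the VPS-jump case of the earlier answer, which is a generalisation beyond what either answer shows:

```shell
#!/bin/sh
# Added example, not from the answer above: pin the home box's SSH host key on
# the client so an intermediary (XMPP server, VPS, any relay) cannot
# impersonate it. Every name, address and key below is constructed.

# Print an ssh_config stanza for ALIAS that reaches HOST:PORT as USER. If JUMP
# is non-empty the connection goes through that jump host (OpenSSH 7.3+,
# the VPS case); leave it empty for a point-to-point link such as the PPPoAT
# tunnel, where the home box is simply 10.0.0.2.
pinned_host_stanza() {
  alias_="$1" host="$2" port="$3" user="$4" jump="${5:-}"
  printf 'Host %s\n' "$alias_"
  printf '  HostName %s\n  Port %s\n  User %s\n' "$host" "$port" "$user"
  if [ -n "$jump" ]; then
    printf '  ProxyJump %s\n' "$jump"
  fi
  # HostKeyAlias keys the known_hosts entry by the alias, so the pin stays
  # valid whether the box is reached as 127.0.0.1:2222 via a VPS or as 10.0.0.2.
  printf '  HostKeyAlias %s\n' "$alias_"
  # yes (not ask, not accept-new): an unknown or changed key aborts the login
  # instead of prompting, which is what stops a relay from inserting itself.
  printf '  StrictHostKeyChecking yes\n'
  printf '  UserKnownHostsFile ~/.ssh/known_hosts_%s\n' "$alias_"
  # offer only this key, so the relay never sees the client's other identities
  printf '  IdentitiesOnly yes\n  IdentityFile ~/.ssh/id_ed25519_%s\n' "$alias_"
}

# known_hosts line for ALIAS from the host public key copied off the home box
# over a trusted channel (e.g. reading /etc/ssh/ssh_host_ed25519_key.pub while
# physically at home). Only key type and base64 key are kept; the trailing
# comment field of a .pub file is not part of known_hosts.
known_hosts_line() {
  alias_="$1"
  set -- $2
  printf '%s %s %s\n' "$alias_" "$1" "$2"
}

# Usage (assumed paths): append the stanza to ~/.ssh/config and the line to
# ~/.ssh/known_hosts_home, both mode 600; then `ssh -G home` shows the
# effective options and `ssh home` refuses any endpoint with a different key.
case "${1:-}" in
  vps)    pinned_host_stanza home 127.0.0.1 2222 me tunnel@vps.example.com ;;
  direct) pinned_host_stanza home 10.0.0.2 22 username ;;
esac
```

With `StrictHostKeyChecking yes` the client never asks the user to judge a fingerprint mid-connection; the decision was made once, from a key obtained out of band, and a relay presenting its own key gets a hard failure rather than a prompt that a hurried user might answer.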