Whenever you create an SSH tunnel or port forwarding, it is by default only available to the local host. Unless told otherwise, SSH binds the forwarded port to the loopback IP address (localhost). That address is not reachable from other hosts, so the forwarded port is not reachable from them either.

You can allow public access to your SSH tunnel by creating a port forwarding or tunnel that listens on an accessible IP address and configuring the necessary firewall rules to allow incoming connections to the tunnel.

Steps to configure public access to an SSH tunnel:

  1. Get the IP addresses of your host.
    $ ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:08:63:73 brd ff:ff:ff:ff:ff:ff
        altname enp2s1
        inet 192.168.111.27/24 brd 192.168.111.255 scope global dynamic noprefixroute ens33
           valid_lft 66553sec preferred_lft 66553sec
        inet6 fe80::fc5d:1d5c:ae0e:68f1/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
  2. Create a tunnel or port forwarding, specifying the IP address to listen on.
    $ ssh -fN -D 192.168.111.27:8080 192.168.111.29
    [email protected]'s password:
  3. Check that the tunnel is listening on the specified IP address.
    $ ss -natp | grep 8080
    LISTEN 0      128    192.168.111.27:8080         0.0.0.0:*    users:(("ssh",pid=2966,fd=4))
  4. Configure the firewall to allow remote access to the tunnel port.
    $ sudo ufw allow 8080 # Ubuntu and Debian variants
    $ sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp && sudo firewall-cmd --reload # CentOS and Red Hat variants
  5. Access the tunnel from another host to test.
    $ curl --proxy socks5://192.168.111.27:8080 https://ifconfig.me
    115.131.92.137
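
The check from step 3, extended as an added example (not part of the original guide) to classify every ssh listener in `ss -natp` output as loopback-only, bound to one address, or bound to all interfaces. The function names `tunnel_exposure` and `sample_ss_output` are hypothetical, and all sample lines except the one from step 3 are constructed.

```shell
#!/bin/sh
# Added example: classify ssh listeners found in `ss -natp` output (stdin).
# Prints "<scope> <local address:port>" per listener, where scope is
#   loopback  reachable from this host only (the default described above)
#   address   bound to one specific interface address, as in step 2
#   wildcard  bound to every interface (0.0.0.0, [::] or *)
tunnel_exposure() {
    awk '
    $1 == "LISTEN" && /users:\(\("ssh"/ {
        host = $4
        sub(/:[0-9]+$/, "", host)      # drop the trailing :port
        gsub(/\[|\]/, "", host)        # drop IPv6 brackets
        if (host ~ /^127\./ || host == "::1")
            scope = "loopback"
        else if (host == "0.0.0.0" || host == "::" || host == "*")
            scope = "wildcard"
        else
            scope = "address"
        print scope, $4
    }'
}

# Constructed sample input in the format shown in step 3. The sshd and
# ESTAB lines must be ignored: they are not tunnel listeners.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:1080 0.0.0.0:* users:(("ssh",pid=2101,fd=5))
LISTEN 0 128 192.168.111.27:8080 0.0.0.0:* users:(("ssh",pid=2966,fd=4))
LISTEN 0 128 0.0.0.0:9090 0.0.0.0:* users:(("ssh",pid=3012,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::1]:1080 [::]:* users:(("ssh",pid=2101,fd=4))
ESTAB 0 0 192.168.111.27:51234 192.168.111.29:22 users:(("ssh",pid=2966,fd=3))
EOF
}

# Live use on the tunnel host: ss -natp | tunnel_exposure
sample_ss_output | tunnel_exposure
```

An `address` or `wildcard` result means any host that can reach that port through the firewall can use the tunnel, because the SOCKS listener opened by `-D` does not authenticate clients.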
