By default, an SSH tunnel (a -L local port forward or a -D SOCKS proxy) listens only on the loopback address 127.0.0.1, so only processes on the same host can use it and other hosts cannot connect. To make the tunnel reachable from other systems it must be bound to an address those systems can route to, either the host's own external IP address or the wildcard 0.0.0.0 for every interface.

Allowing public access means giving that listen address explicitly when the tunnel is created, as the bind_address prefix of the -L or -D option (or with -g, which is the same as binding to 0.0.0.0). The host firewall must then admit incoming connections on the chosen port. Keep in mind that the forward itself has no authentication: every client that can reach the port sends its traffic through the SSH connection with the privileges of the account on the remote end, so the firewall rule should be limited to the source addresses that genuinely need access.

Configuring an SSH tunnel for public access therefore comes down to two settings, the listen address of the tunnel and the firewall rule for its port. Once both are in place, other hosts on the network can use the tunnel as a gateway through the SSH server.

Steps to enable public access to SSH tunnel:

  1. Identify the external IP address of your host.
    $ ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:08:63:73 brd ff:ff:ff:ff:ff:ff
        altname enp2s1
        inet 192.168.111.27/24 brd 192.168.111.255 scope global dynamic noprefixroute ens33
           valid_lft 66553sec preferred_lft 66553sec
        inet6 fe80::fc5d:1d5c:ae0e:68f1/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
  2. Create an SSH tunnel that listens on this external IP address, given as the bind_address prefix of the -D option (use 0.0.0.0 instead to listen on every interface).
    $ ssh -fN -D 192.168.111.27:8080 192.168.111.29
    user@192.168.111.29's password:
  3. Verify that the tunnel is active and listening on the specified IP.
    $ ss -natp | grep 8080
    LISTEN 0      128    192.168.111.27:8080         0.0.0.0:*    users:(("ssh",pid=2966,fd=4))
  4. Configure the firewall to allow incoming connections to the tunnel port if a firewall is enabled. The tunnel is TCP only, so open only TCP, and restrict the rule to trusted source addresses where possible since the proxy itself accepts any client.
    $ sudo ufw allow 8080/tcp # Ubuntu and Debian variants
    $ sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp && sudo firewall-cmd --reload # CentOS and Red Hat variants
  5. Test access to the tunnel from a remote host to confirm connectivity. The address printed is the public IP of the SSH server's network, which shows that the request left through the tunnel rather than from the client directly.
    $ curl --proxy socks5://192.168.111.27:8080 https://ifconfig.me
    115.131.92.137
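As an added example (not code from the original article), the shell script below wraps steps 1 through 5 into reusable functions: it derives the interface address from `ip -o -4 addr`, classifies what a listener line from `ss -ltn` exposes (loopback only, one address, or every interface), and prints a firewall rule that admits only a chosen source range instead of the whole internet. The interface name ens33, the hosts 192.168.111.27 and 192.168.111.29, the SAMPLE_* command outputs and the environment variables are assumptions; the functions are exercised against the embedded samples so the script can be read and checked without a second host, and the live part only runs when SSH_TUNNEL_LIVE=1 is set.

```sh
#!/bin/sh
# Added example, not part of the original article: helpers for binding an
# SSH SOCKS tunnel (ssh -D) to a chosen non-loopback address and checking
# what the result exposes. Interface name, hosts and the sample command
# outputs below are assumptions for illustration.

# Constructed sample of `ip -o -4 addr show dev ens33` (one line per address).
SAMPLE_IP_ADDR='2: ens33    inet 192.168.111.27/24 brd 192.168.111.255 scope global dynamic noprefixroute ens33\       valid_lft 66553sec preferred_lft 66553sec'

# Constructed sample of `ss -ltn` on the tunnel host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631        0.0.0.0:*
LISTEN 0      128    192.168.111.27:8080  0.0.0.0:*    users:(("ssh",pid=2966,fd=4))
LISTEN 0      4096   0.0.0.0:22           0.0.0.0:*
LISTEN 0      4096   [::]:22              [::]:*'

# Read `ip -o -4 addr` output on stdin and print the first address without
# its prefix length; field 4 of each line is ADDR/PREFIX.
primary_ipv4() {
    awk 'NR == 1 { split($4, a, "/"); print a[1]; exit }'
}

# Read `ss -ltn` output on stdin and report who can reach the listener on PORT:
#   loopback    - 127.0.0.1 / [::1], local processes only (the ssh default)
#   bound:ADDR  - one specific address, reachable on that interface
#   wildcard    - 0.0.0.0 / [::] / *, reachable on every interface
#   none        - nothing is listening on PORT
listen_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, p, ":")
            if (p[n] != port) next
            addr = $4; sub(":" p[n] "$", "", addr)
            if (addr == "127.0.0.1" || addr == "[::1]") print "loopback"
            else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print "wildcard"
            else print "bound:" addr
            found = 1; exit
        }
        END { if (!found) print "none" }'
}

# Print the firewall command that admits only CIDR to tcp/PORT. The SOCKS
# proxy accepts any client, so this source restriction is the only thing
# standing between the tunnel and an open proxy.
fw_rule() {
    case $1 in
        ufw)
            printf 'ufw allow from %s to any port %s proto tcp\n' "$2" "$3" ;;
        firewalld)
            printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$2" "$3" ;;
        *)
            return 1 ;;
    esac
}

# Live run, only when SSH_TUNNEL_LIVE=1: derive the address, start the
# tunnel, check the listener, print the matching firewall rule and test it.
if [ "${SSH_TUNNEL_LIVE:-0}" = "1" ]; then
    iface=${IFACE:-ens33} remote=${REMOTE:-192.168.111.29} port=${PORT:-8080}
    addr=$(ip -o -4 addr show dev "$iface" | primary_ipv4)
    ssh -fN -D "$addr:$port" "$remote"
    sleep 1
    echo "listener on $port: $(ss -ltn | listen_scope "$port")"
    echo "suggested rule: $(fw_rule ufw "${ALLOW_FROM:-192.168.111.0/24}" "$port")"
    curl --proxy "socks5://$addr:$port" https://ifconfig.me
fi
```

Saved as, say, tunnel.sh (a hypothetical name), `SSH_TUNNEL_LIVE=1 IFACE=ens33 REMOTE=192.168.111.29 ALLOW_FROM=192.168.111.0/24 sh tunnel.sh` performs the whole procedure on a real host. The firewalld form prints a rich rule with a source address, which is the per-source equivalent of the `--add-port` command in step 4; `--add-port` alone opens the port to every source.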