Untitled

# SSH Reverse Tunnels

	                                  SSH ->
	Local Host (NAT/Firewalled) --> Internet --> Remote Host
	                        <- Reverse Port Forward

## Basic Usage

1. Create an ssh key with no passphrase: `ssh-keygen -f ~/.ssh/redir -t rsa -N ''`
2. Add `~/.ssh/redir.pub` to remote host's `~/.ssh/authorized_keys`. If using lower ports, do this for `root` user.
3. Create the tunnel: `ssh -i ~/.ssh/redir -R *:80:localhost:80 root@remotehost`
4. Now any traffic on remote host's port 80 will ride ssh back to 127.0.0.1:80 of the Local Host
5. If it isn't working, make sure ports are not already in use with `netstat -plant | grep <port>`
6. If that doesn't work, check ingress firewall/security group rules for remote host

## Daemonized Tunnels

Here's a basic tunnel that will be daemonized in the background:

 `ssh -i ~/.ssh/redir -fnNT -R *:80:localhost:80 root@remotehost`

If you want a lot of control over the daemonized tunnel , like checking the status or stopping it on command, you can use a control socket:

 * Start the tunnel: `ssh -i ~/.ssh/redir -M -S my-socket -fnNT -R *:80:localhost:80 root@remotehost`
 * Check the status: `ssh -S my-socket -O check root@remotehost`
 * Close the socket: `ssh -S my-socket -O exit root@remotehost`

 ## Config File Settings

Add the following to ~/.ssh/config

	 Host tunnel
		HostName remotehost
		IdentityFile ~/.ssh/redir
		RemoteForward 80 localhost:80
		user root

Now you can start your tunnel with `ssh -fnNT tunnel`

We can also make some aliases to add to `~/.bashrc` or `~/.bash_aliases` (depending on your setup):

	alias tunnel-start='ssh -M -S my-socket -fnNT tunnel`
	alias tunnel-check='ssh -S my-socket -O check root@remotehost
	alias tunnel-stop='ssh -S my-socket -O exit root@remotehost

## Initialize on Startup

Let's tie this all together into a small bash script that will run on startup and reconnect if the tunnel is down

	#!/bin/bash
	cmd="ssh -fnNT tunnel"
	while true; do
		pgrep -fx "$cmd" >/dev/null 2>&1 || $cmd
		sleep 10
	done