
I have installed a number of Ubuntu-based systems for relatives and friends, to which I occasionally need remote SSH access via the Internet for administration purposes. However, most of these are effectively firewalled, because their ISPs do not allow incoming connections (and they don't have static IP addresses either).

I own a Linux server which is accessible from the Internet and has a static IP address. Is it possible to somehow make these computers "phone home" to my server for port-forwarding whenever they're online so that I could SSH back to them?

I've tried using autossh with remote port forwarding (i.e. the -R command line option), but this has proven to be not very reliable due to frequent connection losses whereby re-connections are unable to bind to the specified ports:

error: bind: Address already in use
error: channel_setup_fwd_listener_tcpip: cannot listen to port: 30000

What other approaches could I use? Some kind of VPN? IPsec? Or is there some kind of specialized software I should look for? I don't want to rely on any other service providers for this.

1 Answer

The way I would do this would be to set up an OpenVPN server and then set each client up as an OpenVPN client. This will provide additional security (encryption) and allow you to support a wider range of systems (does not require SSH). It's also easy to explain to your friends and considered a best practice.

Bonus that you can create .ovpn config files which are fairly easy for people to install remotely - way easier than talking them through public/private key generation and forwarding commands. It can also be installed on dd-wrt routers to allow access to entire networks.

  • "This will provide additional security (encryption)" -- ssh already provides encryption. "...allows you to support a wider range of systems (does not require SSH)" -- ssh clients are installed by default on more systems than is openvpn, including Ubuntu distros which is what the OP is dealing with. I would also suggest OpenVPN in this situation for ease of re-connect and more transparent access, but neither security nor wide support are advantages of OpenVPN over ssh. Commented Apr 22, 2017 at 9:27
  • @user4556274 SSH is good, but can't be guaranteed totally secure. CVE-2008-0166, CVE-2011-0766, CVE-2012-5975 compromised credentials happen. (My point is OpenVPN provides a substantial additional layer of security). The question is not so much if SSH or OpenVPN is more widely installed, rather it's if an automated SSH tunnel system is installed. I acknowledge I could have worded it better.
    – davidgo
    Commented Apr 22, 2017 at 9:41
  • The point is not that ssh has never had flaws; both openssh and openvpn have CVE entries. That does not change that both protocols provide end-to-end encryption, so "encryption" is not an advantage of one over the other. Note that CVE-2012-5975 is not a flaw in the protocol, nor in OpenSSH (which is what the OP will have), but in a commercial SSH server. CVE-2011-0766 is also a flaw in an implementation other than OpenSSH. Commented Apr 22, 2017 at 9:58
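
One way to produce the per-client .ovpn files the answer mentions, as an added example that is not part of the original answer or comments. The function names, the PKI directory layout (ca.crt, <name>.crt, <name>.key), port 1194 and the tunnel addresses are assumptions; the server is assumed to use "topology subnet" and "client-config-dir".

```bash
#!/usr/bin/env bash
# Added example. Client names, host names, paths and addresses are assumptions.

# Build a single-file client profile with the CA, client cert and key inlined.
# usage: make_client_profile <client-name> <server-host> <pki-dir> <out-dir>
make_client_profile() {
    local name="$1" server="$2" pki="$3" out="$4" f
    for f in "$pki/ca.crt" "$pki/$name.crt" "$pki/$name.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # The profile embeds a private key: create it readable by its owner only.
    # resolv-retry/keepalive make the client keep reconnecting on its own;
    # remote-cert-tls rejects a peer whose certificate is not marked for server use.
    ( umask 077; cat > "$out/$name.ovpn" <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 60
remote-cert-tls server
<ca>
$(cat "$pki/ca.crt")
</ca>
<cert>
$(cat "$pki/$name.crt")
</cert>
<key>
$(cat "$pki/$name.key")
</key>
EOF
    )
}

# Server side: pin a fixed tunnel address for one client so it can always be
# reached with ssh at that address. Assumes the server config has
# "topology subnet" and "client-config-dir <ccd-dir>"; the file name must match
# the Common Name of the client's certificate.
# usage: make_ccd_entry <client-name> <tunnel-ip> <ccd-dir>
make_ccd_entry() {
    local name="$1" ip="$2" ccd="$3"
    echo "ifconfig-push $ip 255.255.255.0" > "$ccd/$name"
}
```

Issuing one certificate per machine means a lost or retired laptop can be revoked on the server without touching the other clients.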
