I currently have a DSL modem at home that has a static IP (say
This modem is connected to a wireless router which has a few machines connected to it.

For sake of simplicity, from now on, I refer to the network behind as home-net

My goal is to be able to ssh into any machine behind home-net without resorting to ugly port-forwarding and port mappings.

Towards implementing this, my plan is:

  • Add entry home-net to hosts on any machine I want to ssh from
  • Set up port-forwarding on home-net router for DNS queries
  • A machine (on the same network) running bind receives these DNS queries and resolves them to LAN IPs

I don't fully understand how to implement it. I'm hoping that a DNS query would be sent to home-net asking for the system in question (example pc1), which would get forwarded to the machine running bind that will resolve this to some LAN IP. I'm not sure whether this is sufficient to solve the problem though.

I haven't been able to implement or test this yet. Sadly, setting up a DNS server using bind seems to be far more complicated than I estimated.

My questions are:

  • Is it possible to use this single static IP to ssh into any machine in home-net without port-forwarding?
  • Would this setup even work?
  • Is there an easier way to do this?
  • 1
    This is one problem that IPv6 solves. Ask your ISP for it today. Commented Jan 6, 2014 at 2:36
  • 1
    What is so ugly about port forwarding?
    – Scandalist
    Commented Jan 6, 2014 at 2:37
  • I have to remember the machine-port mapping for each machine. I have about 8 machines on the wireless network :( Commented Jan 6, 2014 at 2:38
  • 1
    I don't think what you're proposing makes sense. Can you please walk us through in detail what you expect to happen when you run "ssh [email protected]" after you've implemented your plan?
    – sciurus
    Commented Jan 6, 2014 at 2:44
  • Editing original question with explanation Commented Jan 6, 2014 at 2:52

4 Answers


Everything in your question is completely wrong.

My goal is to be able to ssh into any machine behind home-net without resorting to ugly port-forwarding and port mappings.

The only way around this is to have multiple public IP addresses. If you only have a single IP as is typical for residential ISP connections, you must resort to port forwarding.

But, there is another way which I will describe below.

Towards implementing this, my plan is:

  • Add entry home-net to hosts on any machine I want to ssh from
  • Set up port-forwarding on home-net router for DNS queries
  • A machine (on the same network) running bind receives these DNS queries and resolves them to LAN IPs

Here's everything that is wrong with the above.

  • Your /etc/hosts file is used for DNS resolution on that local system only. It has nothing to do with any other system. Other systems have no way of reaching this file.
  • You can port forward 53 to a running bind on your network. It can even return LAN IPs as you are describing. The problem is these LAN IPs will do you no good outside of your network unless they are ISP-assigned public IPs. You cannot connect into them from the outside. Simplifying a lot - basically, IPs in the 192.168.X.X range are a private range and cannot be routed out on to the public Internet.

Now, all is not lost. If you want to create a path into your network from outside, it's possible, and the way to do it is through VPNs. OpenVPN can do this and it's worth looking into.

A quick overview to get you started on research:

  • You can set up an OpenVPN server on a system on your network, and open a port to it. Set this up as a "bridged" VPN on a Linux box on the same subnet that your home network is on ( would be typical, check your router.) You'll need to look into a dynamic DNS provider such as DynDNS or EasyDNS and have ddclient configured as well.
  • You'll then need to set up an OpenVPN client on a laptop or other system you'll connect to it from the outside.
  • When you fire up the OpenVPN client, you'll be connected to your home network via a VPN. You'll even get an IP from your home router.
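The bridged OpenVPN plus dynamic-DNS setup the answer above sketches, as an added example (not part of the answer or of the OpenVPN or ddclient projects). The two functions write a `tap`-mode OpenVPN server config and a ddclient config into a directory you name, and a small check refuses configs that are not bridged, lack a control-channel HMAC (`tls-auth`/`tls-crypt`), or never drop privileges. All addresses, hostnames, script paths and the DDNS account are constructed placeholders; the `bridge-start.sh`/`bridge-stop.sh` scripts that enslave `tap0` to the LAN bridge are assumed to exist.

```shell
#!/bin/sh
# Added example: generate a bridged (tap) OpenVPN server config and a
# ddclient config for a single port-forwarded VPN entry point.
# Every address, hostname, path and credential below is a constructed placeholder.
set -eu

# write_bridged_vpn_config DIR LAN_GW LAN_MASK POOL_START POOL_END
# Writes DIR/server.conf. tap0 must be enslaved to the LAN bridge (br0) by the
# up/down scripts named below so remote clients get an address on the home LAN.
write_bridged_vpn_config() {
    dir=$1 lan_gw=$2 lan_mask=$3 pool_start=$4 pool_end=$5
    cat > "$dir/server.conf" <<EOF
# OpenVPN server, bridged mode: only UDP 1194 is forwarded on the router
port 1194
proto udp
dev tap0
# Bridge tap0 into the LAN when the tunnel comes up (assumed helper scripts)
script-security 2
up /etc/openvpn/bridge-start.sh
down /etc/openvpn/bridge-stop.sh
# PKI material generated with easy-rsa (placeholder paths)
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key
dh /etc/openvpn/pki/dh.pem
# Extra HMAC on the control channel: unauthenticated packets are dropped early
tls-auth /etc/openvpn/pki/ta.key 0
# Hand VPN clients addresses from a pool inside the LAN subnet
server-bridge $lan_gw $lan_mask $pool_start $pool_end
keepalive 10 120
cipher AES-256-GCM
auth SHA256
# Drop privileges once the tunnel is up
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# write_ddclient_config DIR DDNS_HOSTNAME DDNS_LOGIN
# Writes DIR/ddclient.conf so the DDNS name follows the modem's public IP.
write_ddclient_config() {
    dir=$1 ddns_host=$2 ddns_user=$3
    cat > "$dir/ddclient.conf" <<EOF
# ddclient: refresh every 5 minutes over TLS using the dyndns2 protocol
daemon=300
ssl=yes
protocol=dyndns2
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
server=members.dyndns.org
login=$ddns_user
password='CHANGE_ME'
$ddns_host
EOF
}

# check_vpn_config FILE: return 0 if FILE is a bridged server config with a
# control-channel HMAC that drops privileges; otherwise explain and return 1.
check_vpn_config() {
    conf=$1
    grep -q '^server-bridge ' "$conf" || { echo "$conf: not a bridged (server-bridge) config" >&2; return 1; }
    grep -Eq '^tls-(auth|crypt) ' "$conf" || { echo "$conf: no tls-auth/tls-crypt" >&2; return 1; }
    { grep -q '^user ' "$conf" && grep -q '^group ' "$conf"; } || { echo "$conf: does not drop privileges" >&2; return 1; }
    return 0
}

# Demo run with constructed values (LAN 192.168.1.0/24, pool .200-.220)
demo_dir=$(mktemp -d)
write_bridged_vpn_config "$demo_dir" 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
write_ddclient_config "$demo_dir" home.example.dyndns.org ddnsuser
check_vpn_config "$demo_dir/server.conf" && echo "wrote $demo_dir/server.conf and ddclient.conf"
```

The client side then needs only the matching `client`/`dev tap`/`remote home.example.dyndns.org 1194` config plus its own certificate; once connected it holds a LAN address from the pool and can `ssh` to any inner machine directly, with one forwarded UDP port on the router instead of one TCP port per machine.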

If I'm understanding your proposed solution correctly, the answer is no, this will not work unless you port forward ssh. Even if you got the home-net IPs, they would be unroutable from the external client's perspective, because they are not publicly routable addresses. Your client could format a packet with a home-net IP as the destination, but the first router it gets to will drop it.

DNS really has little to nothing to do with the issue or solutions to it, but consider that you can't set domain-specific DNS servers on most client OSes, so the client would have to be configured to use home-net's bind instance for all queries, not just those for home-net addresses.

In the end, you still need to forward the ports for each machine you wish to ssh into though, or you won't be able to connect.

If you can get a DNS registration, you can create subdomains and point them to different port forward rules on your router (each of which takes you to a different host), but that will still require one port forward rule for every host you plan to connect to.

Consider creating a single server that you ssh into, and then from there, ssh into other interior servers. This cannot be accomplished without forwarding tcp22 on that server through your router, or setting it as a DMZ host, where all unsolicited traffic that does not match a forwarding rule will be directed. Be sure to lock it down if you take that approach.


Hide the ugliness in ssh config on the client by using ProxyCommand.

This requires a single port-forwarded ssh to act as "proxy". Sample ssh client config for one of your home servers:

$ cat ~/.ssh/config
Host friendlyname1 friendlyname2  # optional
Hostname              # ip of home server
# works best if you configure ssh keys authentication to [email protected]
ProxyCommand ssh -W %h:%p [email protected]

Now ssh root@friendlyname1 or ssh [email protected] would just work. Behind the scenes ssh client will first connect to [email protected] and from there to
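The single-entry-point approach from the two answers above (one port-forwarded host to hop through, then friendly names on the client), as an added example that is not part of either answer. `gen_client_config` prints a client `~/.ssh/config` with one stanza per inner machine using `ProxyJump`, the OpenSSH 7.3+ equivalent of the `ProxyCommand ssh -W %h:%p` form shown above; `gen_bastion_sshd_config` prints an `sshd_config` drop-in for the jump host that allows key-only logins and limits TCP forwarding, via `PermitOpen`, to port 22 on exactly the listed machines. The hostname `home.example.net`, port 2222, the user `jumpuser` and the `name=ip` list are constructed placeholders.

```shell
#!/bin/sh
# Added example: client ssh_config stanzas and a jump-host sshd_config
# drop-in for reaching LAN machines through one port-forwarded ssh server.
# Hostnames, addresses and user names are constructed placeholders.
set -eu

# gen_client_config JUMP_HOST JUMP_PORT JUMP_USER "name=lan-ip name=lan-ip ..."
# Prints one stanza for the jump host and one per inner machine. ProxyJump
# resolves "jump" through this same config, so the inner stanzas stay short.
gen_client_config() {
    jump_host=$1 jump_port=$2 jump_user=$3 hosts=$4
    printf 'Host jump\n'
    printf '    HostName %s\n    Port %s\n    User %s\n' "$jump_host" "$jump_port" "$jump_user"
    # A dedicated key for the jump host; IdentitiesOnly stops ssh offering every agent key
    printf '    IdentityFile ~/.ssh/id_ed25519_jump\n    IdentitiesOnly yes\n\n'
    for pair in $hosts; do
        name=${pair%%=*}
        addr=${pair#*=}
        printf 'Host %s\n    HostName %s\n    ProxyJump jump\n' "$name" "$addr"
        # Inner host keys are learned once and then pinned; never forward the agent
        printf '    StrictHostKeyChecking yes\n    ForwardAgent no\n\n'
    done
}

# gen_bastion_sshd_config ALLOWED_USER "name=lan-ip ..."
# Prints an sshd_config drop-in for the jump host: key-only logins, no root,
# and only the direct-tcpip forwarding that -W/ProxyJump needs, restricted to
# port 22 on the listed inner machines. No shell features beyond that are offered.
gen_bastion_sshd_config() {
    user=$1 hosts=$2
    permit=""
    for pair in $hosts; do
        permit="$permit ${pair#*=}:22"
    done
    printf 'PermitRootLogin no\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n'
    printf 'PubkeyAuthentication yes\nAllowUsers %s\nMaxAuthTries 3\nLoginGraceTime 20\n' "$user"
    printf 'AllowTcpForwarding yes\nPermitOpen%s\n' "$permit"
    printf 'AllowAgentForwarding no\nX11Forwarding no\nPermitTunnel no\nGatewayPorts no\n'
}

# Demo with constructed values: three inner machines behind one jump host
HOSTS="pc1=192.168.1.11 pc2=192.168.1.12 nas=192.168.1.20"
echo "# ---- client ~/.ssh/config ----"
gen_client_config home.example.net 2222 jumpuser "$HOSTS"
echo "# ---- jump host /etc/ssh/sshd_config.d/jump.conf ----"
gen_bastion_sshd_config jumpuser "$HOSTS"
```

Append the first output to the client's `~/.ssh/config` and install the second on the jump host (then `sshd -t` and reload); after that `ssh root@pc1` or `ssh nas` goes through the single forwarded port, and the jump host itself will only relay connections to the addresses named in `PermitOpen`, so a compromised jump account cannot be used to reach anything else on the LAN over ssh forwarding.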


Couldn't you just set up a home DNS server and then make some SRV records:

$ORIGIN home-pc.net.
@           SOA etc... etc...
_ssh._tcp   SRV 1 0 22 server1.home-pc.net.
            SRV 2 0 22 server2.home-pc.net.
            SRV 3 0 22 server3.home-pc.net.
            SRV 4 0 22 server4.home-pc.net.

or do I still not understand how SRV records work? :P
