1

My home ISP uses a NAT-based network, and they modified the firmware of my in-house router, so I don't have access to all router features. Add to this the fact that they are blocking all outbound traffic to port 22, so I don't have an easy way to use an SSH client. After 2 weeks of customer service requests, I received only one tech visit, and the "professional" didn't know what to do.

I know that I can use tools like torsocks to connect to SSH via Tor relays; it works, but it is too slow. And normally I use an environment with ssh+tmux+vim to program on a cloud host.

Another option that I have is to use the in-house ISP modem as a bridge. It could solve it, but I would need a 5G router, which I don't have here and which is quite expensive for the range I have to cover. And as they have total remote control over their router software, I don't know when they will remove this option.

Keep in mind that anonymity is not a problem, since I am in my house and I just want to access servers that I have legal access to.

How can I use a local proxy (and which one) to bypass this NAT restriction?

Or is there a faster relay config to solve it?

2
  • 3
    Switch providers. Blocking SSH is unacceptable.
    – Sven
    Commented Jul 2, 2017 at 11:25
  • Anonymity is about freedom, which happens to sometimes facilitate questionably legal acts like dissenting against your leader or reading unbiased news in certain parts of the world. It's also about privacy (the police probably don't need to know about your legal porn preferences, your ISP doesn't need to know you're about to switch, etc).
    – Adam Katz
    Commented Jul 31, 2017 at 20:13

2 Answers 2

4

If you have the option of changing to a less draconian provider, you should consider it. If your outbound SSH connections are blocked, it's probably by port number rather than by packet analysis (if it is packet analysis, run away!), so you need an SSH server on a different port to jump through.

Once you have a trusted external SSH server that you can connect to on a port other than 22, you can use it to connect to any other SSH server by using ProxyJump or its older (and more powerful) predecessor, ProxyCommand.

ProxyJump from the command line:

ssh -J user1@external-jump-box.example.net:222 ton@final-target.example.com

ProxyJump using an entry in ~/.ssh/config:

Host final-target
  HostName final-target.example.com
  ProxyJump user1@external-jump-box.example.net:222
  User ton

ProxyJump for every host you want to connect to:

Host jump-box
  HostName external-jump-box.example.net
  Port 222
  User user1
Host * !external-jump-box.example.net
  ProxyJump user1@external-jump-box.example.net:222

Specifying a user name is unnecessary if it's the same as the one you use on your local system. If you remove it, remove the User line in your config and/or the username and at-sign (@) where it appears. I've used a separate username for your jump box merely to illustrate how to do that.

(This may create an infinite loop. If so, you'll have to use ProxyCommand. Let me know and I'll document that here too.)

Windows can do this using PuTTY with its plink.exe utility as described in this question about OpenSSH ProxyCommand equivalent in PuTTY.

1
  • 1
    There was an infinite loop in your ProxyJump-for-all-hosts example, but if you do a negative host match for the jump host, it works great. I proposed that as an edit. My ISP blocks port 22 and your post was a great handle on "fixing" it, thanks.
    – Mike Hardy
    Commented Oct 2, 2019 at 19:24
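To see why the negative host match in the "for every host" block matters, here is an added example (not part of the answer above or of OpenSSH) that models the ssh_config Host-matching rules: a Host line holds space-separated patterns, `*` and `?` are wildcards, a leading `!` negates, a host matches the block when it matches at least one positive pattern and none of the negated ones, and for each option the first value obtained wins. The script resolves the chain of ProxyJump hops for a given host name against two constructed configs, the looping one (`Host *`) and the fixed one (`Host * !external-jump-box.example.net`), and reports a loop when the jump host would have to jump through itself. The host names and the `CONFIG_*` strings are taken from the answer; the function names are my own.

```python
"""Resolve which ProxyJump an OpenSSH client would pick for a host name.

A constructed model of the relevant ssh_config rules, not OpenSSH itself:
  - Host lines hold space-separated patterns ('*', '?' wildcards, '!' negates)
  - a host matches a block if it matches a positive pattern and no negated one
  - for each option, the first value obtained wins
"""
from fnmatch import fnmatchcase

# Constructed configs: the answer's "for every host" block without and with the
# negative host match suggested in the comment.
CONFIG_LOOPING = """\
Host jump-box
  HostName external-jump-box.example.net
  Port 222
  User user1
Host *
  ProxyJump user1@external-jump-box.example.net:222
"""

CONFIG_FIXED = """\
Host jump-box
  HostName external-jump-box.example.net
  Port 222
  User user1
Host * !external-jump-box.example.net
  ProxyJump user1@external-jump-box.example.net:222
"""


def parse_config(text):
    """Return a list of (patterns, {option: value}) blocks in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            # first value obtained wins, as in ssh_config
            blocks[-1][1].setdefault(key, value.strip())
    return blocks


def host_matches(host, patterns):
    """ssh_config Host semantics: any positive match, unless a negated one hits."""
    host = host.lower()  # host name matching is case-insensitive
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:].lower()):
                return False
        elif fnmatchcase(host, pat.lower()):
            positive = True
    return positive


def effective_option(blocks, host, option):
    """First value of `option` from a block whose Host patterns match `host`."""
    for patterns, options in blocks:
        if host_matches(host, patterns) and option in options:
            return options[option]
    return None


def jump_target_host(proxyjump):
    """Reduce [user@]host[:port] (first hop of a comma list) to the host part."""
    spec = proxyjump.split(",")[0]
    if "@" in spec:
        spec = spec.rsplit("@", 1)[1]
    return spec.rsplit(":", 1)[0]


def proxy_chain(text, host, limit=10):
    """Follow ProxyJump hops from `host`.

    Returns the list of hops ssh would take, or None when a hop leads back
    to a host already on the path (the infinite loop the comment describes).
    """
    blocks = parse_config(text)
    chain, seen, current = [], {host.lower()}, host
    while True:
        pj = effective_option(blocks, current, "proxyjump")
        if pj is None or pj.lower() == "none":
            return chain
        nxt = jump_target_host(pj)
        if nxt.lower() in seen or len(chain) >= limit:
            return None
        seen.add(nxt.lower())
        chain.append(pj)
        current = nxt


if __name__ == "__main__":
    for name, cfg in (("looping", CONFIG_LOOPING), ("fixed", CONFIG_FIXED)):
        for host in ("final-target.example.com", "external-jump-box.example.net"):
            print(name, host, "->", proxy_chain(cfg, host))
```

Note that the patterns are matched against the name ssh was invoked with, not the HostName it resolves to: with the fixed config, `ssh external-jump-box.example.net` gets no ProxyJump, whereas `ssh jump-box` (the alias) still matches `Host *` and takes one hop through the jump box to reach itself, which works but is an extra hop.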
1

I have a setup like this. I use my bridged ISP modem, and my router with modified firmware to port forward incoming port 22, and other, connections to my NATted server. The modem in bridge mode is a must; otherwise you would have to port forward from the modem itself, not the modified router.

You can try using another port if just port 22 is blocked. Firewalls that filter traffic by looking inside every packet are more expensive, and the company is not as likely to have one. The fact that you can use torsocks to connect says that they are probably just filtering port 22.

hth!
