Apologies if the terminology is incorrect, suggestions for better thread title welcome.

I administer (a grand word for my amateur efforts) a server (oakdrum) on a friend's (christine) LAN, which is used to backup her laptop (x1-laptop), and for syncthing, DLNA server, samba etc.

She lives 500 miles from me. After initial setup at her house with physical access, I setup port forwarding on her router so that I could ssh into (oakdrum), and (x1-laptop) for remote assistance via vnc. Having done so, I could also access the web GUI (no telnet or ssh available) of her router from my machine (lutyens) with:

... and configuring a manual proxy in my browser:

... then access her router GUI at 192.168.1.1 on my local machine (lutyens)

This week after a fault her ISP sent her a new router. She's tech-phobic, but swapped it out plug for plug with the broken one. She has WAN access with the default config of course, but (oakdrum) has a different IP so her backup doesn't work, and now I can't get to her LAN.

The limit of her capability is copy pasting a string in the terminal.

assume:
I will temporarily forward port 33022 on my firewall to port 22 on my machine, and enable password only ssh login.
My username on my machine (lutyens) is nedlud.
My dynamic dns is nedlud.dyndns.net


I'm after the cli string that she can use on her laptop (x1-laptop) to ssh to my machine (lutyens), and anything I need to run on (lutyens), such that I can browse to her router config page, and re-establish port forwarding.

MTIA.

You probably want to use a reverse SSH session.

You'll get many hits if you search for it, but here's a random one which explains the basics of it: https://ryan.himmelwright.net/post/s...se-ssh-tunnel/

Yes, that'd be the way to go. Have her system connect to yours using -R option.

Much of that can actually be put in her ~/.ssh/config file so that she only has to type a 'ssh lutyens' or some other shortcut, and that can in turn be put in a script for a .desktop file to click on. For example:

Then once that connection is established, connect almost the same as before, but to localhost instead of oakdrum and specify the port of the tunnel:

Setting up reverse tunnels is rather simple but not deceptively so.

Thank you very much. Hoping it will go well and quickly when I do it for real, I have practised this from my laptop (on public wifi) to simulate, and a VM on my main machine, which I'll use for the real exercise, to avoid exposing my main machine, enabling password ssh, having to provide/change my password etc.

The only things I had to tweak were adding her username when setting up the tunnel for the browser, and specifying the port.

Substituting what worked in my practice run with the dummy hosts and users in the OP, this worked:

christine copy pastes:

Then I:

I could then, with browser settings:

...browse "from" (x1-laptop), proved by visiting whatismyip.com.

So I'm confident that when I do this for real, I'll be able to access her router admin page, which is what I need to achieve. Don't think I'm missing anything, and I'll mark as solved when it's done.

Thanks again!

Just a FYI that you have posted your real username and URL which essentially points a neon target at your server. Changing ssh ports is not a real deterrent.

Thanks Michael, Good of you to take the trouble. However all host names, usernames and ports in my OP are dummies, though accurately describing the commands entered.

I hope to do this thing this evening, and assuming it's successful, I'll add a post describing everything, with "generic specifics", if that makes sense.

Interesting scenario!

I've not a lot of direct experience with ssh tunneling myself... but would having something like tailscale installed on the respective machines help at all? That way they can all 'see' each other on a flat VPN network, with no port forwarding at the router level. Seems like it'd be near ideal for a use case like this...

I'd strongly recommend that the OP go back through his original post and redact the host names and other potentially exposing information. It seems to me that the OP would be best served by investing in some high-quality uninterruptible power supplies a couple of good brands are CYBERPower and APC the latter of which is a synder electric product line.

Thanks for the suggestion, but I don't want to use anything needing third party server, or proprietary (especially with it's roots in Google) if I can help it. I usually use vnc over ssh to provide remote assistance to (christine) so she has to do literally nothing to set up the connection. I'm experimenting with self hosted RustDesk, but haven't figured out how the ssh keys work yet.

As in https://www.linuxquestions.org/quest...6/#post6498905, all host and user names are dummies. Am I missing something?

I'm not seeing how that's directly relevant?

Christine won't be ready to do this for a few days, and when it's done I'll post full details.

This worked for me. I've explained this as best I can, but clearly I only have a tenuous grasp of how it's working, so suggestions for corrections or improvements are welcome.

To establish an ssh connection to (first, from) a remote machine behind third party firewall, with no pre-existing setup on the remote machine (other than in assumptions below). This could be due to circumstances described in the OP, or perhaps remote machine is on hotel or coffee shop etc. wifi. I (nedlud) wish to provide remote assistance to (christine).

Assumptions:

- The remote machine has a public IP, which may be unknown to you.
- An ssh server is running on the remote machine, which may be on a non-standard port, allowed by the remote machine's internal firewall.
- Remote machine ssh server is configured for password authentication and you know the username and password of the remote user, or for public key access and you have the private key.
- The remote user can open a terminal and copy/paste, or type a string, but nothing more technical.


LOCAL machine:
hostname: lutyens
username: nedlud
ssh port: 33022
dynamicdns: nedlud.ddns.net

In my case host (lutyens) is a VM with password authenticated ssh, to avoid having to change anything on main machine, and to make things simpler for (christine)

REMOTE machine:
hostname: x1-laptop
username: christine
ssh port: 55022


From remote host (x1-laptop), user (christine) runs in terminal the string that (nedlud) has sent her by email or other means:


ssh options with extracts from man ssh:

-f Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background...
-N Do not execute a remote command. This is useful for just forwarding ports...
-p 33022 Port to connect to on the remote host. (i.e. remote from host (x1-laptop) in this example, i.e. your local machine (lutyens). ssh is on port 33022. Omit for standard port 22).
-R 2222:localhost:55022 x1-laptop [bind_address:]port:host:hostport - 2222 is arbitrary, any non privileged port (above 1024). (x1-laptop) ssh is on 55022. Use 22 for standard ssh port 22.


(nedlud) checks it worked:


(nedlud) can now ssh to (x1-carbon) with:

OR
Or as in OP, (nedlud) can now browse via (x1-carbon) with proxied browser on whichever LAN (x1-carbon) is on, e.g. to access router firewall config page and establish port forwarding to enable direct ssh to (x1-carbon), initiated from (lutyens) as usual and provide remote assistance.



ssh options with extracts from man ssh:


-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port
on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the
connection is forwarded over the secure channel, and the application protocol is then used to determine where to
connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a
SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the con‐
figuration file.
-f Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background...
-C Requests compression of all data...
-q Quiet mode. Causes most warning and diagnostic messages to be suppressed.
-N Do not execute a remote command. This is useful for just forwarding ports...
-p 2222 christine@localhost specifies the arbitrary port used for the reverse tunnel established from (x1-carbon)