How to Establish a Reverse SSH Tunnel Using PuTTY for Remote Server Access



When your local machine lacks a public IP address (common with residential ISPs or corporate NAT setups), you'll need to create a reverse SSH tunnel to expose local services to a remote server. Here's the technical flow:

LAPTOP (private IP) --initiates--> SERVER (public IP:6000)
Data flows: SERVER:6000 -> LAPTOP:7000 via established tunnel

Launch PuTTY and navigate to these configuration sections:

1. Session:
   - Host Name: your-server.com
   - Port: 22 (default SSH)

2. Connection -> SSH -> Tunnels:
   - Source port: 6000 (server-side)
   - Destination: localhost:7000 (local machine)
   - Select "Remote" radio button
   - Click "Add" button

For production environments, consider these additional parameters:

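# Command-line equivalent (using plink). Options go before the host, because
# plink treats everything after the host as the remote command. -N opens no shell.
plink -ssh -N -R 6000:localhost:7000 user@your-server.com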

On your server, check if the tunnel port is listening:

$ netstat -tulnp | grep 6000
tcp   0   0 127.0.0.1:6000   0.0.0.0:*   LISTEN   1234/sshd
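
The bind address in that output is the security-relevant part: 127.0.0.1 means only the server itself can reach the tunnel, while 0.0.0.0 or :: means any host that can reach the server can. The following is an added example, not part of the original page, that classifies the listener from netstat or ss output; the function name tunnel_exposure and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how a reverse-tunnel port is bound on the server.
# Input: `netstat -tln` or `ss -tln` lines on stdin (local address is column 4
# in both). Argument: the tunnel port. Output: one word.
#   loopback-only  -> reachable only from the server itself (sshd default)
#   exposed        -> bound to a non-loopback address (e.g. GatewayPorts yes)
#   not-listening  -> no listener on that port, tunnel is down
tunnel_exposure() {
    awk -v port="$1" '
        $0 !~ /LISTEN/ { next }              # skip headers and non-listeners
        {
            p = $4;    sub(/.*:/, "", p)     # text after the last colon = port
            host = $4; sub(/:[^:]*$/, "", host)
            gsub(/\[|\]/, "", host)          # ss prints IPv6 as [::1]:6000
            if (p != port "") next
            found = 1
            if (host !~ /^127\./ && host != "::1") exposed = 1
        }
        END {
            if (exposed)    print "exposed"
            else if (found) print "loopback-only"
            else            print "not-listening"
        }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_DEFAULT='tcp   0  0 127.0.0.1:6000  0.0.0.0:*  LISTEN  1234/sshd
tcp6  0  0 ::1:6000        :::*       LISTEN  1234/sshd'
SAMPLE_GATEWAY='tcp   0  0 0.0.0.0:8080    0.0.0.0:*  LISTEN  1234/sshd
tcp6  0  0 :::8080         :::*       LISTEN  1234/sshd'

printf '%s\n' "$SAMPLE_DEFAULT" | tunnel_exposure 6000
printf '%s\n' "$SAMPLE_GATEWAY" | tunnel_exposure 8080
# On a live server: netstat -tln | tunnel_exposure 6000
```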

Important security measures for reverse tunnels:

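1. Add to ~/.ssh/authorized_keys on server (from= must match the address the server sees, which behind NAT is the gateway's public address, not the laptop's private one):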
   restrict,port-forwarding,from="your-laptop-ip" ssh-rsa AAAAB3...

2. Consider port knocking for additional security:
   $ knock -d 500 your-server.com 1000 2000 3000

If connections fail, check these elements:

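1. Server sshd_config must allow forwarding. GatewayPorts yes is only needed when hosts other than the server itself must reach the forwarded port; it binds that port on all interfaces instead of loopback: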
   GatewayPorts yes
   AllowTcpForwarding yes

2. Test basic connectivity first:
   $ telnet your-server.com 22

When your local machine sits behind NAT or firewall restrictions without a public IP, traditional SSH tunneling won't work. This is where reverse tunneling becomes essential - it allows your local machine to initiate an outbound connection that then becomes a conduit for inbound traffic.

Before starting, ensure you have:

  • PuTTY installed on your Windows machine
  • SSH access to the remote server
  • Administrative privileges to open ports

Here's how to configure the tunnel in PuTTY:

1. Launch PuTTY and navigate to Connection -> SSH -> Tunnels
2. In "Source port", enter the remote server's listening port (6000)
3. In "Destination", enter localhost:7000
4. Select "Remote" radio button
5. Click "Add" to create the tunnel
6. Save this session for future use

After connecting, verify the tunnel is active:

# On the remote server
netstat -tuln | grep 6000

# OpenSSH equivalent of the PuTTY tunnel, run on the local machine
ssh -N -R 6000:localhost:7000 user@remote_server

For developers needing to expose a local web server:

# Local machine running web server on port 8000
putty -ssh user@remote_server -R 8080:localhost:8000

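# Now external users can access via (requires GatewayPorts enabled on the server;
# without it the port is bound to the server's loopback only):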
http://remote_server:8080

For persistent connections, consider these options:

# In /etc/ssh/sshd_config on the remote server:
GatewayPorts yes
ClientAliveInterval 60
TCPKeepAlive yes

Common pitfalls include:

  • Firewall blocking the port - verify with telnet
  • GatewayPorts not enabled on server
  • PuTTY crashing - try the plink alternative