Reverse SSH Tunneling, Bypassing Firewalls and NAT

Sometimes we want to connect to a machine using SSH but can't, because it is behind a firewall or NAT router. This is a common situation when you want to connect from an outside computer to office computers, which are usually behind a firewall or NAT router. Reverse SSH tunneling is a way to do so. In this article we will set up a reverse SSH tunnel.

Reverse SSH tunneling is a way to SSH to a remote Linux machine that sits behind a firewall or a NAT (Network Address Translation) router. In order to create a reverse SSH tunnel, you must have SSH access to a middle computer that you can connect to and that can connect to your destination computer.

Let's assume for simplicity the following 3 computers:

Destination Machine (that we want to connect to): 10.3.3.65

Middle Machine: 192.168.0.15

Home Computer: 172.17.12.84

The middle computer can connect to the home computer as well as the destination computer, but the home computer cannot connect to the destination computer directly. We will make it possible using the middle computer. Follow these steps to do so:

Step 1

First make sure that the SSH server on the destination machine has GatewayPorts turned on. If you are using an OpenSSH server, you can find the setting in the file /etc/ssh/sshd_config. Open it.

[destination computer]$ vi /etc/ssh/sshd_config

Make sure it has the following line:

GatewayPorts yes

If it's missing, add that line and restart the SSH server (you will have to be root to do so):

[destination computer]$ service sshd restart

Step 2

First of all, type the following command on the destination (10.3.3.65) computer:

[destination computer]$ ssh -R 4040:localhost:22 middle-machine-user@192.168.0.15

PS: To use ports below 1024 you will have to log in as root.

This will open port 4040 on the middle machine (192.168.0.15), and all connections to port 4040 on the middle machine will be forwarded to "localhost" (local for the destination computer, i.e. the destination computer itself) at port 22.

Step 3

Now we will connect to the middle computer at port 4040. From Step 1 we have already confirmed that all the traffic arriving at port 4040 on the middle computer will be forwarded to port 22 on the destination computer. So, after running the following command from the third computer (the home computer), you will be connected to the destination computer directly, which was not possible earlier:

[home computer]$ ssh destination-user@192.168.0.15 -p4040

Or you can connect to the middle computer like you normally do:

[home computer]$ ssh middle-machine-user@192.168.0.15

After successfully connecting to your middle computer, run the following command:

[middle computer]$ ssh destination-user@localhost -p4040

destination-user - user on the destination machine (10.3.3.65)

middle-machine-user - user on the middle machine (192.168.0.15)
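
As an added example (not part of the original article): GatewayPorts is read by the sshd that accepts the -R connection and opens the listening port, and it decides whether that port (4040 in Step 2) is bound to loopback only or to every interface. The script below reads an sshd_config and reports that exposure; the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): report how far a port opened
# with "ssh -R" is reachable, based on the sshd_config of the accepting server.

# Print the effective global value of one sshd_config keyword read from stdin.
# sshd keeps the first value it sees for a keyword, and keywords are
# case-insensitive. Match blocks are conditional, so parsing stops there.
# $1 = keyword, $2 = OpenSSH default used when the keyword is absent.
sshd_global_option() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match"   { exit }        # end of the global section
        tolower($1) == key       { val = tolower($2); exit }
        END { print (val == "" ? def : val) }
    '
}

# Classify the exposure of remote-forward listeners for a config on stdin.
reverse_tunnel_exposure() {
    cfg=$(cat)
    fwd=$(printf '%s\n' "$cfg" | sshd_global_option AllowTcpForwarding yes)
    gw=$(printf '%s\n' "$cfg" | sshd_global_option GatewayPorts no)
    case "$fwd" in
        no|local) echo "blocked"; return 0 ;;      # -R requests are refused
    esac
    case "$gw" in
        yes)             echo "all-interfaces" ;;  # listener binds to every address
        clientspecified) echo "client-chosen" ;;   # client picks the bind address
        *)               echo "loopback-only" ;;   # reachable only from the server itself
    esac
}

# Constructed sample configs (not taken from any real host).
sample_open()    { printf '%s\n' '# sshd_config' 'Port 22' 'GatewayPorts   yes'; }
sample_default() { printf '%s\n' 'Port 22' '#GatewayPorts yes' 'Match User backup' '  GatewayPorts yes'; }
sample_locked()  { printf '%s\n' 'gatewayports yes' 'AllowTcpForwarding local'; }

for s in sample_open sample_default sample_locked; do
    printf '%-15s %s\n' "$s" "$("$s" | reverse_tunnel_exposure)"
done
```

On a live host, run it as reverse_tunnel_exposure < /etc/ssh/sshd_config. Settings inside Match blocks or files pulled in with Include are not evaluated by this check.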

1 Comment

/me (not verified)
May 27th, 2010 01:55 pm
"Reverse SSH tunnelling is a way to do so [in poorly secured environments]"
