SSH connection through a router applying NAT

Discussion in 'Linux Networking' started by Marco, May 30, 2012.

  1. Marco

    Marco Guest


    I want to be able to connect to my home computer via SSH from
    the outside.

    The problem is that I am behind a NAT. Everybody in this building
    has the same IP to the outside world. Communication within the
    network works. I can ping and connect to other computers. However,
    from the outside I am unable to reach my computer or even ping my
    external IP address.

    I have no access to the router which would enable me to redirect
    incoming requests to a particular port to my computer.

    Is there a possibility to set up access to my computer? If yes, how?
    All instructions I have found suggest reconfiguring the router,
    which is not possible in my case.

    I am willing to provide additional information, just let me know


    Marco, May 30, 2012

  2. Hello,

    Marco wrote:
    Short answer: not easily, if possible.
    STUN, hole punching...
    Pascal Hambourg, May 30, 2012

  3. Pascal Hambourg wrote:
    Also : tunnelling, VPN, IPv6...
    Pascal Hambourg, May 30, 2012
  4. Marco

    Marco Guest

    Thanks for your quick response.

    I never heard of stun. Now I read the wikipedia article but
    honestly, I still don't have an idea how this works. I've found a
    Debian package "stun". If you have experience with that, can you
    shortly describe how it works? Where do I have to set this up?
    This seems to involve a public third party server, which I don't
    How can a VPN help? I cannot establish a VPN from my computer since
    I am not at home and have no remote access (which is the whole point
    of doing this). And I cannot reach my computer from the outside. If
    I could do VPN, then I could simply SSH into my machine, right?
    Maybe I misunderstand you.
    I never worked with IPv6. "ip addr" lists an IPv6 address for my
    interface. Can you elaborate how this solves my problem? Thanks


    Marco, May 30, 2012
  5. Marco wrote:
    Sorry I have no experience with STUN.
    Not necessarily. It could be your client host if it has a known public
    address or host name.
    You can establish a tunnel or VPN from your server to an outside public
    endpoint (either a VPN provider or your outside host). Then you can
    communicate with your server from the outside through this endpoint.
    Is it the (useless) link local address or a global address?
    An IPv6 tunnel broker could provide a global IPv6 connectivity to your
    server (and client, if required). It is another form of tunnelling.
    Pascal Hambourg, May 30, 2012
  6. Rick Jones Guest

    Not that I seek to pour cold water on your plans, but when you say
    "Everybody in this building" do you mean a business? If so, you might
    want to make sure you aren't about to violate a company policy or

    rick jones
    Rick Jones, May 30, 2012
  7. [...]

    Since you have no access to the router, the simple answer is

    Only possible scenario I could think of is that your 'home'
    initiates a connection, but where to ?

    Ralph Spitzner, May 31, 2012
  8. Chris Davies Guest

    Given these constraints you CANNOT directly get to your home computer
    from outside. The only solution is for your own machine to establish a
    connection to someone on the outside and use that connection to tunnel
    back in again.

    One option is to configure your "outside" machine to use one of the
    DDNS services (such as to track its IP address. Then you
    can use OpenVPN from your home machine to your based system
    to establish the connection. This presupposes that your outside machine
    is not behind NAT but is directly on the Internet. If both systems are
    behind NAT then you can consider the game over.

    There are two important caveats with this:
    1. You should use UDP connections with OpenVPN (rather than TCP)
    2. You should set the "--float" option, and have the --keepalive
    (ping and ping-restart) option quite high - I'd recommend
    "--keepalive 120 300".

    The reasons behind this are principally so that you don't spray other
    users of your dynamic address space with your OpenVPN data packets. The
    down-side is that it will take up to five minutes for your home server
    to connect to your outside machine. (Remember: the average connection
    time will be only 2.5 minutes, though.)

    Chris Davies, May 31, 2012
  9. Marco

    Marco Guest

    No, it's a private flat. In my former flat I connected via the
    telephone line. Here the telephone lines are dead, but Ethernet
    sockets are provided. I guess all the cables gather in the basement
    in a switch (since I see dozens of other computers and my
    neighbours' communication with wireshark) and then go through a NAT
    router to the ISP.

    I don't think I violate any policy when I just try to SSH to my

    Marco, May 31, 2012
  10. David Brown Guest

    Viewing your neighbours' communications with wireshark is likely to be
    violating the building's policy, if they have written a decent one. It
    is also possibly a criminal offence in some countries.

    Of course, the people responsible for the network in the building have
    done a poor job if you can view other people's traffic like this. It's
    the sort of incompetent networking administration that gives us the
    botnets we know and love.
    Trying to figure a way to punch holes in the router and firewall is
    almost certainly against policy, and quite possibly illegal (despite the
    incompetence of the network administrators). It is also hard and

    Far and away the easiest, safest, and most legal way is to have a
    third-party machine outside the network, which is accessible from
    anywhere. Your home machine connects to it, your outside client
    connects to it, and the third-party machine connects the two in some way
    (vpn, tunnel, ssh proxy, etc.).

    I believe there are some websites designed for this sort of thing,
    though I haven't tried them. There certainly are for remote desktop
    viewing (mostly targeting windows systems). Remote hosting or cloud
    servers would work fine, if you can find something cheap enough for your
    budget - it would take absolutely minimal resources. Or perhaps you
    have friends or relatives with an ADSL line or other always-on, global
    IP network connection, and can leave a little connector box there? The
    connector box can be as small as a simple wireless router box
    re-programmed with OpenWRT, DD-Wrt, m0n0wall, etc.
    David Brown, May 31, 2012
  11. Marco

    Marco Guest

    There is no written policy. I pay and receive "internet access",
    that's all there is.
    I'm not at all interested in what my neighbours are doing. I have my
    own router and network for my computers. While developing I use
    wireshark and I just happen to see my neighbours' communication
    (which I filter out anyway). I don't know the laws of the country I
    live in, but my personal sense of right tells me that I am allowed
    to start wireshark in my own network for developing purposes. And
    that's all I do. Honestly, I don't think anyone cares.
    I totally agree.
    As I said, there's no written policy.
    That information is more important than the legal side.
    I will check if there are suitable services for me. Thanks for the
    Most people here are also behind NAT. I start to develop a strong
    dislike against this technology.

    Thanks a lot for taking the time to explain the possibilities.


    Marco, May 31, 2012
  12. J G Miller Guest

    So anybody can spy on anybody else's traffic?

    And the man from state security "sitting" in the basement
    can keep an eye and ear on all the messages coming from
    and leaving the building?

    Is this apartment building part of a federal institution? ;)
    J G Miller, May 31, 2012
  13. J G Miller Guest

    Ignorance of the law has never been a valid legal defense.
    J G Miller, May 31, 2012
  14. David Brown Guest

    I didn't think for a moment that you were doing anything immoral, or
    even questionable, such as spying on your neighbours. All I am doing is
    warning you that sometimes these things are illegal. And you may have
    to be careful - while wireshark is passive, you might also be using
    tools such as nmap, and with such an open network it's easy to
    accidentally "poke" someone else's machine. All you then need is a
    paranoid user whose software firewall throws up warnings, and who then
    complains of a "hacker" in the building. Being right, and knowing the
    building network administrators are clueless, is not going to help if
    things get ugly. Ordinary users don't care, and knowledgeable people
    understand that you are doing no harm - but there is a class in the
    middle of people who know a little and think they know a lot, who can
    cause you trouble.
    NAT has its good points and its bad points. A NAT router won't stop a
    determined attack, and it won't stop attacks that go around it (such as
    trojans), but it provides a fair amount of security and anonymity at
    very little cost. It also lets networks make much more efficient use of
    limited routing resources and global IP addresses.

    But it /is/ a pain when you need access from the outside - such as your
    case here, or when using protocols like bittorrent.

    The best combination is to have a NAT router - but for it to be /your/
    NAT router, so that you can forward ports as and when you like, and to
    have a valid global IP address on the internet side. Unfortunately,
    that's not an option for you at the moment. (If you have Windows PCs
    as well, either your own or perhaps visitors, then I strongly recommend
    you get a cheapo NAT router of your own to protect the Windows machines
    from worms and other malware on the PCs in the building.)
    David Brown, May 31, 2012
  15. The security aspect has very little to do with the address translation.
    Any router with filtering capabilities can do the same; conversely a NAT
    router with inadequate or misconfigured filtering would not defend
    against an externally originated attack.
    Richard Kettlewell, May 31, 2012
  16. Whiskers Guest


    Sounds like a job for a "shell account". The precise mechanism would
    have to be researched, of course.
    Whiskers, May 31, 2012
  17. Marco

    Marco Guest

    I don't think it's wise to use the university SSH access for that,
    since we have a policy which restricts the use to study purposes,
    which I cannot guarantee. But I found other shell providers (and
    many of them are free).

    How does it work? My home computer always maintains a connection to
    the shell provider I assume. Then, from a remote computer, I
    connect through the shell provider to my home computer. Does the
    entire communication go through the shell server or is it only used
    to establish a connection to my home computer?

    What is the service I need to set up, a VPN or SSH proxy? If it's
    not too cumbersome, maybe I will go for this solution.

    Marco, May 31, 2012
  18. Whiskers Guest

    Or you set up a 'call out' at predetermined times.
    How you achieve the connection is what I would have to research, but
    I'm sure it must be possible - and not too difficult. I would imagine
    (say) an SSH server running on your home computer, and a console in the
    shell account from which you could log in to your home computer.
    As you still won't be able to get a public IP number for your home
    computer (only for your communal internet connection), I think routing
    would have to involve the shell account for every packet.
    More technicalities I'd have to research!
    Whiskers, May 31, 2012
  19. J G Miller Guest

    See the current discussion in alt.os.linux on the subject of
    "reverse ssh tunnel"
    J G Miller, May 31, 2012
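    The reverse SSH tunnel sketched in the two posts above, as an added
    example that is not code from any poster in this thread; it also answers
    the question in post 17 about whether every packet passes through the
    shell account. The host, user and port names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. A reverse SSH tunnel from the
# NAT'd home machine to a public "shell account" host; an outside client
# then reaches the home sshd by hopping through that host. All names below
# are assumptions (override them in the environment):
TUNNEL_HOST="${TUNNEL_HOST:-marco@shell.example.net}"  # public shell account
HOME_USER="${HOME_USER:-marco}"                          # login on the home box
HOME_PORT="${HOME_PORT:-22}"                             # home sshd port
REMOTE_PORT="${REMOTE_PORT:-2222}"                       # loopback port on shell host

# Command the HOME machine runs (it initiates, so NAT is not an obstacle).
#  -N                         forwarding only, no remote shell
#  -R 127.0.0.1:R:127.0.0.1:H shell host loopback:R -> home sshd:H; binding
#                             to loopback keeps the port off the shell
#                             host's public interface
#  ServerAliveInterval/CountMax  notice a dropped NAT mapping (about 3 min)
#                             and exit, so the loop below reconnects; same
#                             idea as the OpenVPN keepalive caveat above
#  ExitOnForwardFailure       fail fast if R is still held by a stale session
home_tunnel_cmd() {
  printf 'ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:127.0.0.1:%s %s' \
    "$REMOTE_PORT" "$HOME_PORT" "$TUNNEL_HOST"
}

# Command the OUTSIDE client runs: ProxyJump to the shell host, then open
# the forwarded loopback port there. Every packet relays through the shell
# host, but the inner ssh session is still encrypted end to end between
# the client and the home machine; the shell host only sees ciphertext.
client_cmd() {
  printf 'ssh -J %s -p %s %s@127.0.0.1' "$TUNNEL_HOST" "$REMOTE_PORT" "$HOME_USER"
}

# Supervisor loop for the home machine (start it from cron @reboot or a
# systemd unit): ssh exits when keepalives fail, we pause and dial again.
keep_tunnel_up() {
  while :; do
    sh -c "$(home_tunnel_cmd)"
    sleep 30
  done
}

# Run the loop only when explicitly asked, so the file can also be sourced.
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
  keep_tunnel_up
fi
```

    The home machine's sshd should only accept key authentication, since
    the forwarded port is reachable by anyone who can log in to the shell host.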
  20. Marco

    Marco Guest

    Since you phrase the question like this, I blindly assume it is the
    "useless" link local address. ip addr outputs:

    inet6 fe80::21b:77ff:fe14:b9a6/64 scope link valid_lft forever preferred_lft forever

    I can not ping this address from outside, which renders it useless,
    I guess.

    Marco, May 31, 2012