SSH to home computers

10,452

Solution 1

If you have IPv6, you don't even need port forwarding! Simply get your permanent IPv6 address (based on your MAC address, so it's guaranteed to stay the same unless your ISP doesn't know how IPv6 works) and use this to tunnel in. As your IPv6 address is public-facing and allows the world to access you without having to go through your local NAT, you don't need to bother enabling port-forwarding anywhere. It will "just work."

Note, however, that IPv6 is still not really supported globally, and both your home internet connection and remote internet connection need to have fully-working IPv6 in order to do this.

However, if you're like most people and only have IPv4, there's still a way! Some routers allow you to forward specific source ports to specific destination ports, like so:

[screenshot: the router's port-forwarding table]

In this example, port 22 is passed directly to my machine sheepdog, while port 292 is being forwarded to port 22 on coyote.

Lastly, if your router does not have this feature, you can just change the port, as SSH is not limited to just running on port 22. You can set it to anything you want (that's not being used).

In /etc/ssh/sshd_config (you need root to edit, so sudo nano /etc/ssh/sshd_config), there is a line at the top of the file:

# What ports, IPs and protocols we listen for
Port 22

Change this to whatever you want:

# What ports, IPs and protocols we listen for
Port 2992

Restart the SSH server with sudo service ssh restart, and forward the port on the router.


However, for this use case, I would consider if SSH tunnels are the right thing to do. Perhaps you should set up a dedicated VPN server on your home network? This will allow you to access your entire home network from anywhere, provided you have the proper security credentials needed by the VPN. Additionally, there is slightly less overhead with a VPN; you'd typically only need to forward one port for one machine.

Solution 2

An easy way to solve this problem is to map different ports from your router to port 22 of your machines. For example, you can have the following settings in your router (assuming your router has IP 1.2.3.4):

1. 1.2.3.4:22   --> ubuntu:22
2. 1.2.3.4:8888 --> raspberrypi:22
3. 1.2.3.4:9999 --> windows:22 (or some other port)

Then when you use ssh, specify the port you want to use by typing

$ ssh <username>@<router ip> -p <your port>

Now you should be able to connect to all your machines.

Solution 3

If you know one of your computers is always up, you also have the possibility to use it as an ssh proxy.

Let's say you have a domain name set up for your external IP address (e.g. myhome.dyndns.com or whatever). What you will do is connect to one computer (let's say the raspberry is always up, and you forward the port from your router to it); then your ssh connections will be:

school --> (router, transparent here) --> raspberry --> ubuntu or windows

Now, in your ~/.ssh/config at school, add the lines:

Host ubuntu 192.168.1.51
    # change to match your setup
    HostName ubuntu
    # change it ;-)
    User myraspberryuser
    # the path to your private key on the school computer; better on a USB key if it is a public computer
    IdentityFile ~/.ssh/id_rsa
    ForwardAgent yes
    RequestTTY yes
    # jump through the always-on raspberry, reached through your dyndns name
    ProxyCommand ssh -W %h:%p %r@myhome.dyndns.com

To connect then:

ssh-add ~/.ssh/id_rsa    # to do only once per session
ssh myuser@ubuntu        # login without password

From now on, if you type ssh ubuntu, the computer will first connect to the raspberry, and then start an ssh session to the ubuntu computer.

I recommend, whatever port you choose to forward, that you disable passwords in /etc/sshd.conf to permit login only through an ssh key. This way, if you set up the key on the raspberry and on ubuntu, with the 'ForwardAgent' parameter you will only have to unlock the key and then no password is required to connect. This way, even if bots are trying to log in to your ssh, they will never be able to log in since you disallow password logon.

Bonus: this also works with scp; scp foo ubuntu:/tmp/foo will use the same setup without further parameters. Bonus 2: this setup does not require any change at home; if tomorrow you add another computer, just copy/paste the code in your ssh config, change the host and IP, that's it, no need to open a new port on the router.

Solution 4

I do this--I leave the rpi up and plugged directly into the router all the time (since it's the cheapest to run) and just ssh into it, then bounce from it to the others--it never needs much attention.

It's also possible to VNC/RDP a GUI over an ssh pipe, kinda fun, or forward a port that lets you browse to a server on your desktop computer while keeping it private.

The reason I added this answer is to give you some suggestions.

1) Use a different port than 22. You can leave it 22 on the PI, but change the incoming port on your router to something over 10,000... Otherwise you'll get dozens to hundreds of attacks a day--and once you're known to be running an SSH host the second an exploit is found, you're owned.

2) Use certificates instead of username/password--completely disable username/password login.

3) If your ip address can change, use a dyndns type service to get yourself a DNS hostname (I use noip, it's free and they support a Linux client to update your ip address--I think you can just apt-get it on the pi now). There are still a few other companies that offer this for free.

4) Keep your pi (or whatever you ssh into) up to date (sudo apt-get update). I believe ssh is pretty well vetted by now, but I also believed that of https...
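The "dozens to hundreds of attacks a day" this answer mentions show up in the server's auth log as repeated "Failed password" lines, and counting them per source is the decision that tools like fail2ban (suggested in the comments) automate. The script below is an added example, not code from this answer or its author: it tallies failed password attempts per source address from auth.log-style lines and lists the sources at or above a threshold. The log lines are constructed for the example and use documentation address ranges; the field layout assumes the Debian/Ubuntu sshd log format.

```shell
#!/bin/sh
# Added example (not from the original answers): count failed SSH logins
# per source address from auth.log-style lines. The sample lines below are
# constructed, not captured from a real system; addresses come from the
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 documentation ranges.

SAMPLE_AUTH_LOG='Jan 10 03:12:01 pi sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:12:03 pi sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 10 03:12:05 pi sshd[813]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 03:12:06 pi sshd[813]: Failed password for root from 203.0.113.7 port 51241 ssh2
Jan 10 03:12:09 pi sshd[815]: Failed password for pi from 203.0.113.7 port 51244 ssh2
Jan 10 03:15:40 pi sshd[820]: Failed password for pi from 198.51.100.23 port 40022 ssh2
Jan 10 03:15:44 pi sshd[820]: Failed password for pi from 198.51.100.23 port 40023 ssh2
Jan 10 08:02:11 pi sshd[901]: Accepted publickey for pi from 192.0.2.55 port 52000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 10 08:02:11 pi sshd[901]: pam_unix(sshd:session): session opened for user pi by (uid=0)'

# Read log lines on stdin, print "<count> <source ip>" per source,
# most active source first. Successful logins ("Accepted ...") are ignored.
# Usage: count_failed_logins < /var/log/auth.log
count_failed_logins() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Print only the sources with at least <threshold> failures (default 3),
# i.e. the fail2ban-style ban decision, one address per line.
# Usage: offending_sources [threshold] < /var/log/auth.log
offending_sources() {
    threshold="${1:-3}"
    count_failed_logins | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone demo over the constructed sample.
echo "failed logins per source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | count_failed_logins
echo "sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | offending_sources 3
```

On a real Pi you would feed it /var/log/auth.log (or `journalctl -u ssh` output) instead of the sample; the point of the exercise is that the noisy sources are trivially separable from your own key-based logins, which is exactly why password authentication is the thing to turn off rather than just the port to move.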

Solution 5

Was doubting whether this would fit better as a comment rather than an answer, but I'll post it here anyway.

Some things you should think about before doing this:

  1. You'll open up your systems to the internet, so you'd better make sure they're well-patched and your security configuration is hardened (e.g. don't allow root login and use pubkeys instead of passwords).
  2. Your public IP (see whatismyip.com) can change, depending on your ISP it could change daily or almost never. This means that you'll have to find a way of figuring out your public IP. You could visit whatismyip.com from your home network daily, create some app, or use Dynamic DNS (DynDNS) to map your changing public IP to a static domain name.
  3. If you want to use IPv6 to bypass all the hassle related to IPv4 and NATing, you'll need your devices, router, ISP, ... to talk IPv6 as well. There are some services that can help you when your ISP doesn't support IPv6, but your devices and router will have to talk it anyway.
  4. The more ports and devices you open to the internet, the bigger your attack area becomes. I would suggest using a jump-box in your network, and only allowing SSH access to that device from the internet. The jump-box would basically be one very hardened system that you port-forward over your router to the internet. Once connected to that box, you'll be able to SSH to your internal network through it. The jump-box could basically be another Raspberry Pi. I would suggest using a dedicated device, to be able to harden it as much as possible (amongst others by running as few services as possible).
  5. (4a) Instead of having a jump-box you SSH into, you could also set up a VPN-server which allows you to browse your home network from your device at school (if outbound VPN connections are allowed).
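Several of the answers above converge on the same sshd hardening before anything is forwarded: key-only login, no root login, and (opinions differ, see the comments) a port other than 22. The script below is an added example, not code from any of the answers: it reads an sshd_config and reports which of those settings are still at their weak defaults. Both sample configs are constructed inline; the defaults assumed when a keyword is absent are those of current OpenSSH, and Match blocks are ignored, which is an assumption you would relax on a real file.

```shell
#!/bin/sh
# Added example (not the answers' own code): audit an sshd_config for the
# hardening the answers recommend. Sample configs are constructed below.

# Effective value of one sshd_config keyword. sshd honours the FIRST
# occurrence of a keyword, so take the first uncommented match; print
# nothing if the keyword is absent. Assumption: no Match blocks.
sshd_setting() {                      # $1 = keyword, $2 = config file
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Audit the config file $1. Prints one line per finding and returns 0 only
# when password login is off, key login is on and root login is disabled.
audit_sshd_config() {
    cfg="$1"; rc=0
    # OpenSSH defaults when a keyword is missing: PasswordAuthentication yes,
    # PubkeyAuthentication yes, PermitRootLogin prohibit-password, Port 22.
    pw=$(sshd_setting PasswordAuthentication "$cfg");   pw=${pw:-yes}
    pubkey=$(sshd_setting PubkeyAuthentication "$cfg"); pubkey=${pubkey:-yes}
    root=$(sshd_setting PermitRootLogin "$cfg");        root=${root:-prohibit-password}
    port=$(sshd_setting Port "$cfg");                   port=${port:-22}

    [ "$pw" = "no" ] || { echo "WEAK: PasswordAuthentication is '$pw'; bots will guess passwords, set it to no"; rc=1; }
    [ "$pubkey" = "yes" ] || { echo "WEAK: PubkeyAuthentication is '$pubkey'; key-only login needs yes"; rc=1; }
    [ "$root" = "no" ] || { echo "WEAK: PermitRootLogin is '$root'; set it to no"; rc=1; }
    # Moving off port 22 only cuts log noise, so it is a note, not a failure.
    [ "$port" != "22" ] || echo "NOTE: Port is 22; a different port reduces scanner noise but is not a security control"
    return $rc
}

# Two constructed sample configs: a stock-looking one and a hardened one.
write_sample_configs() {              # $1 = directory to write into
    cat > "$1/weak_sshd_config" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
EOF
    cat > "$1/hardened_sshd_config" <<'EOF'
Port 2992
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# Stand-alone demo: audit both samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in weak_sshd_config hardened_sshd_config; do
    echo "== $f"
    if audit_sshd_config "$demo_dir/$f"; then echo "OK: key-only login, root login disabled"; fi
done
rm -rf "$demo_dir"
```

Run it against your own file with `audit_sshd_config /etc/ssh/sshd_config` (as root) before forwarding anything; `sshd -T` would give you the fully resolved configuration, including Match blocks, if you want a more authoritative source than this parser.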
Author: TSpark

Updated on September 18, 2022

Comments

  • TSpark
    TSpark over 1 year

    I have multiple machines at home that I would like to access from school using SSH and VNC. In order to do that I gave them static IPs:

    • 192.168.1.50: Windows
    • 192.168.1.51: Ubuntu
    • 192.168.1.52: Raspberry Pi /Raspbian

    I know that SSH uses port 22, so I can forward this port to 192.168.1.51:22 on my router, but this way I will not be able to SSH to my Raspberry Pi. Is there any way that I could set this up to be able to access both machines?

    • Admin
      Admin over 7 years
You can use different ssh ports. I don't know how difficult it is on Windows, but on Linux it is really easy to change it to a non-standard port. This way you can forward port 22 to the win machine (no changes there), and the other port (non-standard) to the RaspberryPi.
    • Admin
      Admin over 7 years
      @bistoco The other side is worth mentioning, too: Why putting SSH on another port than 22 is bad idea
    • Admin
      Admin over 7 years
@Melebius, it's old but still a good reading; the key part for me there is "The basic argument I've tried to make: don't do security-through-obscurity." This is about a need and solving it easily. That said, maybe he doesn't have to change ubuntu or pi ports, just forward different router ports to each machine's port 22.
    • Admin
      Admin over 7 years
      @bistoco Agree. However, the OP is about to expose SSH access to the outer world and security must be always considered in such a case. Also setting different ports on the computers does not solve the OP’s problem since (s)he needs to enable different ports (= port forwarding) on his/her router.
    • Admin
      Admin over 7 years
      @Melebius Off topic, but I never use 22, just because automated bots won't knock on my server 24/7. It won't keep a real attacker (or well-written script) out, but it does reduce the number of my log entries.
    • Admin
      Admin over 7 years
Do note: an i.p. address of 192.168.x.y can not be addressed from the outside world. 192.168 and like addresses are internal to your LAN. You must connect via your public facing i.p. address, alluded to by others, e.g., the "whatismyip." Not sure if this is clear in the previous comments. Other issues: you might be violating your user agreement with your internet provider if you connect in this fashion. I'd never do it because of the security concerns mentioned by others.
    • Admin
      Admin over 7 years
      if you're exposing your PC to internet SSH access, an easy/secure way to make sure only you can access the machine is to disable password access from the internet and instead only allow access with an authorized key. the only downside (afaik) is, you will need to manually add a key (at home) for each external computer you wish to use to access the network.
    • Admin
      Admin over 7 years
      It's not really security through obscurity if you need to use alternative ports as security is not your constraint, the resource (port number) is. I would advise the use of denyhosts or fail2ban. I would not advise using an authorised key unless you are very careful in the keeping of that key, don't leave it on a school computer. I always have a honeypot on 22 for the bots to find anyway and limit the windows these ports are open.
  • André Borie
    André Borie over 7 years
    You could use an IPv6 tunnel broker to obtain IPv6 addresses if your ISP doesn't support IPv6.
  • Liu Siyuan
    Liu Siyuan over 7 years
    By "this feature", you mean forwarding a port to a different port?
  • Kaz Wolfe
    Kaz Wolfe over 7 years
    @LiuSiyuan Yep. I know it's odd, but I have seen some routers that can't handle it. My old ISP-provided router couldn't even try.
  • TSpark
    TSpark over 7 years
    Is there any downside of using a machine as an intermediate for SSH ? Let's say I use my Raspberry Pi to connect to other computers inside the network, will its performance affect the task ?
  • Kaz Wolfe
    Kaz Wolfe over 7 years
    @jjmontes If your ISP is competent, you'll get a full /64 (or maybe less, but still enough to assign one to every machine)
  • potens
    potens over 7 years
Yes, the raspberry could limit the throughput since it must serve as server and client. If you are confident enough, you can achieve the same result with ssh tunnels. This way, the raspberry acts only as a server but your school pc must run two clients.