Secure Data Transfer with Reverse SSH Tunneling

Reverse SSH tunneling, also known as SSH remote port forwarding (the ssh -R option), operates on a client-server architecture. However, in this context, the roles can be a bit counterintuitive:

  • The "client" (the remote destination host, typically a bastion or proxy on your side) initiates the SSH connection. It is often behind a firewall or NAT that blocks inbound connections; because the tunnel is opened from the inside, the server can reach back through it without any inbound firewall or NAT rule on the client side.
  • The "server" (the source host) receives the initial SSH connection. Once the reverse SSH tunnel is established, the server can access services on the client, or on hosts the client can reach, as if those services were hosted on the server itself.

By leveraging the robustness of Secure Shell (SSH), reverse SSH tunneling establishes resilient communication channels while upholding data integrity and confidentiality.

DATADDO TIP

Reverse SSH tunneling is available for our enterprise clients. To enable reverse SSH tunneling, contact our Solutions Team with the following information:

  • Reverse SSH data destination
  • SSH public key
  • SSH bastion host or proxy server public IP address (CIDR notation)

SSH Public Key

To set up a reverse SSH tunnel, you will be asked by our Solutions Team to provide your SSH public key. Depending on your OS, you can find your SSH public key following these guides:

Linux or macOS

Create an SSH Public Key

  1. Open a Terminal and generate a new SSH key pair:
    ssh-keygen -t rsa -b 4096 -C "email@example.com"
    
    Replace email@example.com with your email address which will be used as a label that helps you identify the key later.
  2. Save the key by following the on-screen prompts.
    1. If needed, select a location, otherwise the default location for the keys will be ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).
    2. [Optional] Set a passphrase for extra security. If you press Enter without typing a passphrase, the key will not have one. A tunnel started by an unattended service cannot type a passphrase, so keys used that way are usually created without one and protected by file permissions (mode 600, owner only) instead.
  3. Share only the .pub file. The private key never leaves the host that will open the tunnel.

Display Your SSH Public Key

  1. Open a Terminal and navigate to the SSH Directory (usually stored in ~/.ssh) by running:
    cd ~/.ssh
    
  2. Run ls to list the contents of the directory.
  3. Look for a file named id_rsa.pub, id_ed25519.pub, or similar file with a .pub extension.
  4. Display the public key using cat command:
    cat id_rsa.pub
    
    If needed, replace id_rsa.pub with your file name.
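Before sending the key, it is worth confirming that the file you are about to paste really is the public half and not the private key. The following shell function is an added example for Linux or macOS and is not part of the Dataddo article; the sample key line and the fake private-key file it creates for its demo are constructed, throw-away inputs.

```shell
#!/bin/sh
# Added example, not part of the Dataddo article: sanity-check the file you are
# about to send as your "SSH public key". Returns 0 if the file looks like a
# single OpenSSH public key, 1 if it is a private key, 2 if it is something else.
check_pubkey_file() {
  f="$1"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
  # The most common mistake: pasting the private half. Never share that file.
  if grep -q 'PRIVATE KEY' "$f"; then
    echo "REFUSING: $f is a private key, send the .pub file instead" >&2
    return 1
  fi
  # An OpenSSH public key is one line: <type> <base64 blob> [comment]
  read -r ktype blob comment < "$f"
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "not an OpenSSH public key (first field: '$ktype')" >&2; return 2 ;;
  esac
  [ -n "$blob" ] || { echo "missing key material" >&2; return 2; }
  # Best effort: print the fingerprint, which is what you can confirm with the
  # Solutions Team out of band. A missing ssh-keygen is not treated as an error.
  if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -l -f "$f" || echo "warning: ssh-keygen could not parse $f" >&2
  fi
  echo "OK: $ktype key, comment '${comment:-<none>}'"
  return 0
}

# Demo on constructed input: a throw-away ed25519 public-key line (all-zero key
# material, only meant to be parsed) and a fake private-key file. Returns 0 when
# the public key passes and the private key is refused.
demo_constructed_keys() {
  d=$(mktemp -d) || return 2
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA constructed@example.com\n' \
    > "$d/id_ed25519.pub"
  printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nnot-a-real-key\n-----END OPENSSH PRIVATE KEY-----\n' \
    > "$d/id_ed25519"
  check_pubkey_file "$d/id_ed25519.pub"; good=$?
  check_pubkey_file "$d/id_ed25519" 2>/dev/null; bad=$?
  rm -rf "$d"
  [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

# Usage: check_pubkey_file ~/.ssh/id_ed25519.pub
```

Run it against the .pub file from the steps above; a non-zero exit means stop and look at the file before sending anything.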

Windows

Create an SSH Public Key

  1. Open PowerShell or Command Prompt and generate a new SSH key pair. This requires the OpenSSH client, which is included in Windows 10 and later (installable as an optional Windows feature if it is missing):
    ssh-keygen -t rsa -b 4096 -C "email@example.com"
    
    Replace email@example.com with your email address which will be used as a label that helps you identify the key later.
  2. Save the key by following the on-screen prompts. By default, your keys will be stored in C:\Users\YOUR_USERNAME\.ssh\id_rsa (private key) and C:\Users\YOUR_USERNAME\.ssh\id_rsa.pub (public key).
  3. [Optional] Set a passphrase for extra security. If you press enter without typing a passphrase, the key will not have a passphrase.

Display Your SSH Public Key

  1. Open PowerShell or Command Prompt and navigate to the SSH directory (usually C:\Users\USERNAME\.ssh) by running:
    cd C:\Users\USERNAME\.ssh
    
    Replace USERNAME with your Windows username.
  2. Run dir to list the contents of the directory.
  3. Look for a file named id_rsa.pub, id_ed25519.pub, or similar file with a .pub extension.
  4. Display the public key using type command:
    type id_rsa.pub
    
    If needed, replace id_rsa.pub with your file name.

Establishing a Reverse SSH Tunnel

To allow the server (source host) to communicate with the client (a remote destination host) even when direct connections to the client are blocked by network restrictions, the following steps are involved:

  1. Initiation: The client initiates an SSH connection to the server, authenticating with the key pair whose public half you provided.
  2. Establishment of Tunnel: During the SSH connection setup, the client requests a remote (reverse) port forward (the ssh -R option). The server opens a listening port on its side, and every connection made to that port is carried back to the client over the existing SSH session, which is what lets the server reach resources on the client.
  3. Port Forwarding: Within the SSH connection, port forwarding redirects traffic from the port on the server to a port on the client, or on a host the client can reach (for example a database behind the bastion). The connection is bidirectional once established, so services on the client side can be accessed as if they were running on the server.
  4. Encrypted Communication: All communication between the client and server through the reverse SSH tunnel is encrypted using the SSH protocol, ensuring data integrity and confidentiality.
  5. Bypassing Firewall/NAT: Since the SSH connection is initiated from the client side as an outbound connection, which most firewalls and NAT devices allow by default, no inbound firewall rule or public IP address is needed on the client.
  6. Data Transfer: Data can be transferred securely between the client and server over the encrypted SSH connection.
  7. Maintaining Connection: The SSH connection remains open as long as needed. If it is interrupted, keep-alive settings (ServerAliveInterval and ServerAliveCountMax on the client, ClientAliveInterval on the server) detect the dead session quickly so it can be re-established, typically by a supervisor such as autossh or a systemd service that restarts the ssh process.
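The procedure above, expressed in OpenSSH terms as an added example. This is not Dataddo's own tooling or configuration: the host name tunnel.example.com, the account name tunnel, the ports 22 and 15432, the destination db.internal:5432 and the CIDR 203.0.113.0/24 are all hypothetical placeholders. It shows the client-side ssh invocation that opens the reverse tunnel (steps 1 to 3 and 7), the server-side authorized_keys entry that limits what the provided public key is allowed to do, and a quick liveness check for the forwarded port.

```shell
#!/bin/sh
# Added example, not Dataddo's own tooling or configuration. All host names,
# ports, user names and the CIDR below are hypothetical placeholders.
#
# Roles as the article uses them:
#   client = your bastion/proxy behind NAT; it runs the command from build_tunnel_cmd
#   server = the source host that receives the SSH connection; it installs the
#            line from authorized_keys_line into ~tunnel/.ssh/authorized_keys

TUNNEL_HOST="${TUNNEL_HOST:-tunnel.example.com}"     # server (source host), assumed
TUNNEL_USER="${TUNNEL_USER:-tunnel}"                 # unprivileged account on the server
TUNNEL_PORT="${TUNNEL_PORT:-22}"
REMOTE_BIND_PORT="${REMOTE_BIND_PORT:-15432}"        # port the server will listen on
LOCAL_TARGET="${LOCAL_TARGET:-db.internal:5432}"     # destination as seen from the client
KEY_FILE="${KEY_FILE:-$HOME/.ssh/id_ed25519}"        # private key, stays on the client
BASTION_CIDR="${BASTION_CIDR:-203.0.113.0/24}"       # public IP range of the client, assumed

# Client side: the ssh invocation that opens the reverse tunnel.
#  -N                      no remote shell; the session exists only for forwarding
#  -R bind:port:host:port  remote forward: the server listens on 127.0.0.1:$REMOTE_BIND_PORT
#                          and every connection to it is carried back to $LOCAL_TARGET
#  ExitOnForwardFailure    exit (instead of silently staying up) if the server refuses the bind
#  ServerAlive*            declare the session dead after 3 missed probes (90 s) and exit,
#                          so a supervisor (systemd, autossh) can reconnect
#  StrictHostKeyChecking   refuse to connect if the server's host key is unknown or changed
build_tunnel_cmd() {
  printf 'ssh -N -i %s -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -R 127.0.0.1:%s:%s %s@%s' \
    "$KEY_FILE" "$TUNNEL_PORT" "$REMOTE_BIND_PORT" "$LOCAL_TARGET" "$TUNNEL_USER" "$TUNNEL_HOST"
}

# Server side: the authorized_keys entry for the customer's public key ($1).
#  restrict          turns off pty, agent and X11 forwarding and user rc files
#  port-forwarding   re-enables only forwarding, which is all the tunnel needs
#  permitlisten      pins the one port the client may ask the server to open (OpenSSH 7.8+)
#  from              ties the key to the bastion's public address range (the CIDR you provide)
authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",from="%s" %s\n' \
    "$REMOTE_BIND_PORT" "$BASTION_CIDR" "$1"
}

# Server side: quick liveness check. Returns 0 if something accepts TCP
# connections on the forwarded port (needs nc; run this on the server).
tunnel_is_up() {
  nc -z 127.0.0.1 "$REMOTE_BIND_PORT" >/dev/null 2>&1
}

# Usage on the client (interactive; a systemd unit would run the same command):
#   eval "$(build_tunnel_cmd)"
# Usage on the server, appending the customer's key:
#   authorized_keys_line "$(cat customer_key.pub)" >> ~tunnel/.ssh/authorized_keys
```

Binding the remote side to 127.0.0.1 means the forwarded port is reachable only from the server itself, which is what the source host needs; it also keeps the forward working without GatewayPorts being enabled in sshd_config. If the server reports that the remote port is already in use, ExitOnForwardFailure makes the client exit with an error instead of leaving a session up that forwards nothing.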
