0

My ISP unfortunately only provides a DS-Lite connection (no IPv4 address, only an IPv6 address) which makes it impossible to create IPv4 port forwardings to access devices in my local network.

But I have a vServer with an IPv4+IPv6 address and a user (non-root) shell. So I thought it would be possible to make an SSH tunnel from a Raspberry Pi in my local network to the vServer. And then to create an IP forwarding from the Raspberry Pi to the device I would like to reach in my local network. Is that in general possible? Can I initiate the tunnel from the Raspberry Pi or must it be initiated by the vServer to the Raspberry Pi?

Temporarily I created a webserver on the Raspberry Pi (on port 64321) and I tried the command:

ssh -R 64321:localhost:64321 user@tunnelserver.com

But I could not reach the webserver by entering tunnelserver.com:6421.

Thanks a lot for your help!

Patrick

1 Answer

1

So you don’t have admin access to the VPS, correct? That will keep you from implementing more efficient solutions.

I’m going to point out two obvious mistakes here:

  • You missed a digit in the port: 64321 in the ssh command line, but 6421 when trying.
  • Because you didn’t specify a bind_address (as in -R [bind_address:]port:host:hostport), the remote port is listening at localhost. You need to use either 0.0.0.0, [::] or * to make it listen on all interfaces.

Also, to make this work at all, the GatewayPorts directive in sshd_config (the OpenSSH server configuration file) needs to be set to yes or clientspecified (better). The default value is of course no.

If you make it work, there’s no need for port forwarding. Simply specify the correct target host and port in the -R parameter.

Daniel B
  • Yes, it's not a real vServer, more like an "extended webhosting". I just had to add an additional port rule to the firewall and now it works like you described. Thank you very much! For the future - what would be a more efficient solution? A VPN? – Patrick Apr 03 '16 at 12:20
  • Yeah, a VPN connection is actually made to transport network data. With SSH, it’s just a byproduct, so there may be performance limitations, both in throughput and latency. With VPN, you could set up port forwards directly on the VPS. Of course it’s a little tricky to get the routing right. – Daniel B Apr 03 '16 at 12:45
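
The binding rules from the answer, as an added example that is not part of the original thread: a POSIX shell function (effective_bind, a hypothetical name) that predicts where sshd will listen for a given -R spec and GatewayPorts value, following ssh(1) and sshd_config(5). It assumes the client's own GatewayPorts option is left at its default (no).

```shell
#!/bin/sh
# Added example, not from the original thread. effective_bind is a
# hypothetical helper; the rules are those of ssh(1) and sshd_config(5).
# Assumes the client's own GatewayPorts option is left at its default (no).

# effective_bind GATEWAYPORTS SPEC  ->  prints "LISTEN_ADDRESS PORT"
# SPEC is the -R argument: [bind_address:]port:host:hostport
effective_bind() {
    gw=$1
    spec=$2
    # Mask bracketed IPv6 literals so their colons are not counted.
    masked=$(printf '%s' "$spec" | sed 's/\[[^]]*\]/X/g')
    colons=$(printf '%s' "$masked" | tr -cd ':' | wc -c | tr -d ' ')
    case $colons in
        2)  bind=__omitted__            # port:host:hostport
            port=${spec%%:*} ;;
        3)  case $spec in               # bind_address:port:host:hostport
                \[*) bind=${spec%%]*}; bind=${bind#\[}; rest=${spec#*]:} ;;
                *)   bind=${spec%%:*}; rest=${spec#*:} ;;
            esac
            port=${rest%%:*} ;;
        *)  echo "invalid -R spec: $spec" >&2; return 2 ;;
    esac
    case $gw in
        no)  addr=loopback ;;           # server forces loopback (the default)
        yes) addr='*' ;;                # server forces the wildcard address
        clientspecified)
            case $bind in
                __omitted__) addr=loopback ;;  # nothing requested
                ''|'*')      addr='*' ;;       # empty or * means all interfaces
                localhost)   addr=loopback ;;
                *)           addr=$bind ;;     # e.g. 0.0.0.0, ::, one address
            esac ;;
        *)  echo "invalid GatewayPorts value: $gw" >&2; return 2 ;;
    esac
    printf '%s %s\n' "$addr" "$port"
}

# Constructed demo: the command from the question, then with a bind address.
for gw in no clientspecified; do
    for spec in '64321:localhost:64321' '*:64321:localhost:64321'; do
        printf 'GatewayPorts %-15s -R %-26s -> %s\n' \
            "$gw" "$spec" "$(effective_bind "$gw" "$spec")"
    done
done
```

With clientspecified, giving a single address instead of * keeps the forwarded port off interfaces that do not need it.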