How to Set Up a Reverse SSH Tunnel to Reach Machines Behind Firewalls

This guide explains the concept of reverse SSH, why it is needed to access servers behind restrictive firewalls, and provides step‑by‑step commands and configuration tips—including port forwarding with the -R option and recommended sshd settings—to establish a reliable reverse tunnel.

Liangxu Linux

What Is Reverse SSH?

SSH is a secure protocol for remote login and file transfer, but firewalls that block inbound connections prevent direct access to servers located behind them. Reverse SSH solves this by having the server behind the firewall initiate an SSH connection to a client machine, effectively creating a tunnel that allows the client to reach the server.

-R [bind_address:]port:host:hostport

Specifies that the remote (server) side should forward the given port to the local host and port. The SSH daemon listens on the remote port, and each incoming connection is forwarded through the encrypted channel to the specified host and port on the client side.

How to Create a Reverse SSH Tunnel

Run the following command on the remote server (the machine behind the firewall):

ssh -fN -R 7000:localhost:22 username@yourMachine-ipaddress

With this command the SSH daemon on yourMachine listens on port 7000, and every connection made to that port is carried back through the tunnel to port 22 on the machine behind the firewall, that is, to its own SSH service.

From your local machine, connect to the forwarded port:

ssh username@localhost -p 7000

Although the command appears to connect to localhost, the request is tunneled to the remote server, giving you access to the server's SSH service.

If you cannot rely on a friend's machine behind the firewall each time, set up an always-on machine (referred to as machine_z) that is not restricted by the firewall. Create the reverse tunnel once from the remote server to machine_z, and later connect to machine_z on the designated port to reach the remote server.

Recommended Settings on the Always‑On Machine

Configure TCPKeepAlive, ClientAliveInterval, ClientAliveCountMax, and GatewayPorts with appropriate values in /etc/ssh/sshd_config (or /etc/ssh/ssh_config).

After modifying these parameters, restart the sshd daemon to apply the changes.

Run the initial reverse‑SSH command with nohup so the session persists after you log out.
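As an added example that is not part of the original article, the following POSIX shell helpers print the tunnel command with client-side keepalives added and check an sshd_config for the settings named above. The hostnames, ports and the sample configuration are constructed; the check assumes a flat sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example, not from the original article. Hostnames, ports and the
# sample sshd_config fragment are constructed placeholders.

# Print the command the machine behind the firewall should run.
# ExitOnForwardFailure makes ssh exit if the remote port cannot be bound,
# and ServerAlive* lets the client notice a dead tunnel and exit, so a
# supervisor (nohup loop, systemd, autossh) can re-establish it.
# usage: reverse_tunnel_cmd REMOTE_PORT LOCAL_SSH_PORT USER@ALWAYS_ON_HOST
reverse_tunnel_cmd() {
    printf 'ssh -fN -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:%s %s\n' "$1" "$2" "$3"
}

# Read an sshd_config on stdin and report settings relevant to a long-lived
# reverse tunnel. Prints one line per finding and returns 1 if any; returns 0
# (prints nothing) when the configuration is acceptable.
check_sshd_config() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        { seen[tolower($1)] = tolower($2) }            # keywords are case-insensitive
        END {
            n = 0
            if (!("tcpkeepalive" in seen) || seen["tcpkeepalive"] != "yes")
                { print "TCPKeepAlive not explicitly yes: dead TCP sessions may linger"; n++ }
            if (!("clientaliveinterval" in seen) || seen["clientaliveinterval"] + 0 < 1)
                { print "ClientAliveInterval is 0 or unset: idle tunnels are never probed"; n++ }
            if (!("clientalivecountmax" in seen))
                { print "ClientAliveCountMax not set explicitly (default 3)"; n++ }
            # GatewayPorts no (the default) binds the forwarded port to loopback
            # only; anything else exposes the tunnel to other hosts.
            if (("gatewayports" in seen) && seen["gatewayports"] != "no")
                { print "GatewayPorts " seen["gatewayports"] ": forwarded port reachable from other hosts; firewall it or keep no and hop via the always-on machine"; n++ }
            exit (n > 0)
        }'
}

# Constructed sshd_config fragment with the weak settings the check flags.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample, not a real host configuration
Port 22
ClientAliveInterval 0
GatewayPorts yes
EOF
}

reverse_tunnel_cmd 7000 22 user@machine_z
sample_sshd_config | check_sshd_config
```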

Reference: https://bbs.huaweicloud.com/blogs/371112

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
