Master SSH Tunneling: Forward, Reverse, SOCKS Proxy & Auto‑Reconnect Scripts

Learn how to create SSH tunnels for forward and reverse connections, set up SOCKS5 proxies, configure Windows SSH tools, and automate persistent connections with scripts like autossh, complete with practical command examples and step‑by‑step guidance for Linux and Windows environments.

MaGe Linux Operations

SSH Tunnel Techniques

1. Using SSH for Forward Connections

In a forward connection the client connects to the server and mirrors the address and port of a machine reachable from the server (including the server itself) to a port on the client.

ssh -L [clientIP:]clientPort:targetIP:targetPort user@serverIP -p [sshPort]

When the client IP is omitted it defaults to 127.0.0.1, so the service is only reachable locally. The server IP can be a domain name. Example: your local IP is 192.168.1.2, you SSH to 8.8.8.8, and 8.8.8.8 can reach 8.8.4.4. To expose 8.8.4.4:80 to another machine in your LAN you can run:

ssh -L 192.168.1.2:8080:8.8.4.4:80 [email protected]

This maps the remote 8.8.4.4 HTTP service to local port 8080 bound to 192.168.1.2. Other LAN machines can browse to http://192.168.1.2:8080. The tunnel adds no authentication of its own, so every host that can reach 192.168.1.2:8080 reaches 8.8.4.4:80 as if it were connecting from the server. The same method works for FTP, SSH, RDP, etc., but not for VPN protocols that require GRE.

2. Using SSH for Reverse Connections

A reverse connection mirrors the client‑side address and port to the server side. It is useful when the client is behind NAT and cannot be reached directly from the Internet.

ssh -R [serverIP:]serverPort:clientIP:clientPort user@serverIP -p [sshPort]

If the server IP is omitted it defaults to 127.0.0.1, making the tunnel accessible only from the server itself. Specifying the server's public IP allows anyone to reach the forwarded service. sshd honours a bind address chosen by the client only when GatewayPorts is enabled in sshd_config; with the default (GatewayPorts no) the listener stays on the loopback address. Example: your LAN IP is 192.168.1.2, you SSH to an external server 8.8.8.8, and a LAN machine 192.168.1.3 should be reachable from the Internet. Run:

ssh -R 8.8.8.8:8080:192.168.1.3:80 [email protected]

This maps the internal machine's port 80 to 8.8.8.8:8080, so any external host can access the internal web service via the public port.

3. Using SSH as a SOCKS Proxy

If a machine inside the LAN can reach the Internet but you cannot, you can create a SOCKS5 proxy through SSH.

ssh -D [localIP:]localPort user@serverIP -p [sshPort]

The command opens a local listening port that forwards traffic through the SSH tunnel. Configure browsers (Firefox, Chrome, IE) to use a SOCKS5 proxy at the specified local port; no additional plugins are required. Tools like Sockscap can also wrap applications with the proxy.

4. Converting SOCKS Proxy to HTTP Proxy

Privoxy can turn a SOCKS5 proxy into an HTTP proxy. After installing Privoxy, edit its configuration file and add a line such as the following (the trailing dot is part of the directive):

forward-socks5 / [localIP]:[localPort] .

Then restart Privoxy. The HTTP proxy will be available at 127.0.0.1:8118. Adjust the listen-address directive to allow other LAN IPs to use the proxy.

5. SSH and SSH Server on Windows

Windows also provides SSH clients and servers. PuTTY supplies plink.exe as a command‑line client (options are case‑sensitive) and WinSSHD offers a simple SSH server with default Windows authentication.

6. Persistent Connections and Auto‑Reconnect Scripts

To keep tunnels alive, you can write scripts that automatically reconnect on failure.

Windows example (using plink with password parameter):

:1
rem plink returns when the connection drops; jump back to the label and reconnect
plink -pw "password" -D 7070 user@serverip
goto 1

Linux example using sshpass; the command passes the password as an argument and turns off host key checking:

sshpass -p password ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -l root -R 10002:127.0.0.1:12580 -N 66.160.159.139 -p 56789

Monitoring loop (autossh.sh; a hand-written polling script, not the autossh program):

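#!/bin/bash
# Restart the SOCKS tunnel if no ssh client is running; check every 5 minutes.

while true
do
    # Count running ssh clients that were started with options (e.g. "ssh -D ...").
    ssh_d_process_num=$(ps aux | grep -E 'ssh -' | grep -v grep | wc -l)
    if [ "$ssh_d_process_num" -eq 0 ]; then
        # -N: tunnel only, do not open a remote shell in the background job.
        /home/user/sshpass -p "password" ssh -N -D 7070 user@ServerIP &
    fi

    sleep 300
done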
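
An added example, not part of the original article: the same reconnect loop using key authentication and a pinned host key, so that no password appears in the process list and a changed server key stops the tunnel instead of being accepted. The host, key path and known_hosts path are placeholder assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the article's script). Placeholders: host and file paths.
SSH_BIN=${SSH_BIN:-ssh}          # overridable so the loop can be dry-run
SLEEP_BIN=${SLEEP_BIN:-sleep}
TUNNEL_HOST=${TUNNEL_HOST:-user@ServerIP}
TUNNEL_KEY=${TUNNEL_KEY:-$HOME/.ssh/tunnel_ed25519}
TUNNEL_KNOWN_HOSTS=${TUNNEL_KNOWN_HOSTS:-$HOME/.ssh/known_hosts_tunnel}

# One foreground ssh session carrying only the SOCKS listener on loopback.
# BatchMode: never prompt. ExitOnForwardFailure: exit if port 7070 is taken,
# so the loop notices instead of holding a useless session open.
run_tunnel() {
    "$SSH_BIN" -N -D 127.0.0.1:7070 \
        -i "$TUNNEL_KEY" -o IdentitiesOnly=yes \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$TUNNEL_KNOWN_HOSTS" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        "$TUNNEL_HOST"
}

# Exponential backoff: double the delay, capped at 300 seconds.
next_delay() {
    local d=$(( $1 * 2 ))
    if [ "$d" -gt 300 ]; then d=300; fi
    echo "$d"
}

# Restart the tunnel whenever ssh exits. $1 = max attempts (0 = no limit).
# Prints the number of attempts made once the limit is reached.
supervise() {
    local max="${1:-0}" attempts=0 delay=5 started rc
    while [ "$max" -eq 0 ] || [ "$attempts" -lt "$max" ]; do
        started=$(date +%s)
        rc=0; run_tunnel || rc=$?
        attempts=$((attempts + 1))
        echo "ssh exited with status $rc (attempt $attempts)" >&2
        # A session that lasted a minute was healthy: reset the backoff.
        if [ $(( $(date +%s) - started )) -ge 60 ]; then delay=5; fi
        "$SLEEP_BIN" "$delay"
        delay=$(next_delay "$delay")
    done
    echo "$attempts"
}

# Start supervising only when invoked as: ./tunnel.sh run
if [ "${1:-}" = "run" ]; then supervise 0; fi
```
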

7. Advanced Reverse Connections with Autossh

When a LAN machine A cannot be accessed directly, you can create an encrypted tunnel to a public machine C and then reach A through C. Example commands:

ssh -g -N -f -R 10001:localhost:12580 [email protected] -p 56789

On C you can verify the listening port with netstat -ntpl. Enable GatewayPorts yes in sshd_config and restart SSH to allow external access.
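
How the bind-address rules for -L, -R and -D combine with GatewayPorts, as an added example that is not part of the original article: the hypothetical helper listener_scope reports where a forward's listening socket ends up, following OpenSSH's documented behaviour. It handles IPv4 and hostname forms only.

```shell
#!/bin/sh
# Added example: which address will a forward's listening socket bind to?
# listener_scope KIND SPEC [GATEWAYPORTS]   (hypothetical helper name)
#   KIND  L, R or D (the ssh option letter)
#   SPEC  the option argument, IPv4/hostname forms only (assumption)
#   GATEWAYPORTS  L/D: client ssh_config value, no|yes (ssh -g acts like yes)
#                 R:   server sshd_config value, no|yes|clientspecified
# Prints loopback, all-interfaces, or the explicit bind address.
listener_scope() {
    local kind="$1" spec="$2" gw="${3:-no}" colons want bind explicit
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $kind in
        D)   want=1 ;;   # [bind:]port
        L|R) want=3 ;;   # [bind:]port:host:hostport
        *)   echo "unknown option letter: $kind" >&2; return 2 ;;
    esac
    if [ "$colons" -eq "$want" ]; then
        explicit=1; bind=${spec%%:*}     # may be empty, meaning all interfaces
    elif [ "$colons" -eq $((want - 1)) ]; then
        explicit=0; bind=
    else
        echo "unsupported spec: $spec" >&2; return 2
    fi
    # For -R the server decides first: "no" pins the listener to loopback and
    # "yes" forces the wildcard address, whatever the client asked for.
    case "$kind:$gw:$explicit" in
        R:no:*)     echo loopback; return 0 ;;
        R:yes:*)    echo all-interfaces; return 0 ;;
        [LD]:yes:0) echo all-interfaces; return 0 ;;
        *:0)        echo loopback; return 0 ;;
    esac
    # An explicit bind address is honoured (-L/-D, or -R with clientspecified).
    case $bind in
        ''|'*')          echo all-interfaces ;;
        localhost|127.*) echo loopback ;;
        *)               echo "$bind" ;;
    esac
}

# Constructed cases built from the forwards used in this article:
listener_scope L 192.168.1.2:8080:8.8.4.4:80                  # 192.168.1.2
listener_scope R 8.8.8.8:8080:192.168.1.3:80 no               # loopback
listener_scope R 8.8.8.8:8080:192.168.1.3:80 clientspecified  # 8.8.8.8
listener_scope R 10001:localhost:12580 yes                    # all-interfaces
```

With GatewayPorts yes every remote forward on C listens on all interfaces, including ones requested without a bind address; clientspecified exposes only the forwards that ask for it.
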

For automatic reconnection use autossh:

autossh -M 2222 -f -NR 10001:localhost:12580 [email protected] -p 56789

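Similarly, you can expose a web service running on A's port 80 through C. Port 88 on C is below 1024, so sshd will only bind it for a root login, and a second autossh instance running alongside the first needs its own -M monitoring port: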

autossh -M 2222 -f -NR 88:localhost:80 [email protected] -p 56789

Configure Nginx on C as a reverse proxy to forward traffic to the internal service.
