SSH Port Forwarding:Management

From jb-vpn.uk Wiki

This document describes how to manage SSH port forwards.

Management Script Usage

The management script is available at /usr/local/bin/ssh-port-forward-manager.sh or via the alias ssh-forward.

List All Port Forwards

sudo ssh-port-forward-manager.sh list
# or
sudo ssh-forward list

This displays all configured port forwards with their status (Active/Inactive).

Add a New Port Forward

sudo ssh-port-forward-manager.sh add <name> <external_port> <vpn_ip> [ssh_port] 

Example:

# Add SSH forward for a Raspberry Pi at 10.8.0.3 on external port 22223
sudo ssh-forward add raspberrypi 22223 10.8.0.3 22

# Add SSH forward for a server using a non-standard SSH port
sudo ssh-forward add server 22224 10.8.0.4 2222

Parameters:

  • name: Unique name for the device
  • external_port: Port on VPS (must not be in use)
  • vpn_ip: Device's VPN IP address
  • ssh_port: SSH port on device (optional, defaults to 22)

Remove a Port Forward

sudo ssh-port-forward-manager.sh remove <name>

Example:

sudo ssh-forward remove raspberrypi

This removes the port forward from both the configuration file and iptables rules.

Apply All Port Forwards

sudo ssh-port-forward-manager.sh apply

This reads the configuration file and applies all port forwards. Useful after:

  • Manual edits to the configuration file
  • System reboot (automatically done by iptables-restore.sh)
  • VPN restart

Save Current Rules

sudo ssh-port-forward-manager.sh save

Saves current iptables rules to /etc/iptables/rules.v4 for persistence.

Adding a New Device

Prerequisites

Device must be connected to OpenVPN VPN

  * Device should have a .ovpn configuration file
  * Device should be connected and have a VPN IP address
  * Verify connection: ping <VPN_IP> from VPS

Device must have SSH enabled

  * SSH service should be running on the device
  * SSH should be accessible from the VPN network

Choose an external port

  * Must not conflict with existing services
  * Recommended range: 22222-22299 for SSH forwards
  * Check availability: sudo ssh-forward list
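
A pre-flight check for the add parameters and the port-choice prerequisite above, as an added example (not part of ssh-port-forward-manager.sh). The function names, the allowed name characters, and the sample ss and iptables-save lines are assumptions constructed for illustration; the manager script's own rule format is not shown on this page.

```sh
#!/bin/sh
# Added example, not part of ssh-port-forward-manager.sh; all function names are hypothetical.

# Constructed sample data so the example runs offline. On the VPS, use instead:
#   SS_OUT=$(ss -Htln); NAT_RULES=$(sudo iptables-save -t nat)
SS_OUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*'
NAT_RULES='-A PREROUTING -p tcp -m tcp --dport 22223 -j DNAT --to-destination 10.8.0.3:22'

# valid_port N: succeeds if N is a decimal integer in 1-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR: succeeds if ADDR is four dot-separated octets, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# port_taken PORT: succeeds if PORT is a local TCP listener (SS_OUT) or is
# already matched by a nat rule (NAT_RULES).
port_taken() {
    printf '%s\n' "$SS_OUT" |
        awk -v p="$1" '{ n = split($4, a, ":"); if (n && a[n] == p) f = 1 }
                       END { exit !f }' && return 0
    printf '%s\n' "$NAT_RULES" | grep -Eq -- "--dport $1( |\$)"
}

# check_forward NAME EXT_PORT VPN_IP [SSH_PORT]: prints a verdict, returns 0 if safe to add.
check_forward() {
    name=$1 ext=$2 ip=$3 ssh_port=${4:-22}     # ssh_port defaults to 22, as on the page
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad name"; return 2 ;; esac  # assumed charset
    valid_port "$ext"      || { echo "bad external port"; return 3; }
    valid_ipv4 "$ip"       || { echo "bad VPN IP"; return 4; }
    valid_port "$ssh_port" || { echo "bad SSH port"; return 5; }
    if [ "$ext" -lt 22222 ] || [ "$ext" -gt 22299 ]; then
        echo "note: $ext is outside the recommended 22222-22299 range"
    fi
    if port_taken "$ext"; then echo "port $ext already in use"; return 6; fi
    echo "ok: $name $ext -> $ip:$ssh_port"
}
```

With the sample data, `check_forward server 22224 10.8.0.4 2222` passes, while port 22223 is rejected because a nat rule already matches it and port 22 is rejected because sshd is listening on it.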

Step-by-Step Guide

Verify device is on VPN:

   # Check VPN connection
   cat /etc/openvpn/server/ipp.txt | grep <device_name>

   # Ping device
   ping -c 2 <VPN_IP>

Test direct SSH connection:

   # From VPS, test SSH to device via VPN
   ssh -o ConnectTimeout=5 user@<VPN_IP>

Add the port forward:

   sudo ssh-forward add <device_name> <external_port> <VPN_IP> [ssh_port]

Verify the forward:

   # List all forwards
   sudo ssh-forward list

   # Test from external location
   ssh -p <external_port> user@<VPS_PUBLIC_IP>

Configure IONOS firewall (if applicable):

  * Log in to IONOS Cloud Panel: https://dcd.ionos.com/
  * Navigate to: Server & Cloud → Servers → [Your VPS] → Firewall
  * Add rule: TCP port <external_port> → Allow
  * Set appropriate priority

Example: Adding a Raspberry Pi

# 1. Verify Raspberry Pi is on VPN (assume it gets 10.8.0.3)
ping -c 2 10.8.0.3

# 2. Test direct SSH (using root for Cursor compatibility)
ssh root@10.8.0.3

# 3. Add port forward
sudo ssh-forward add raspberrypi 22223 10.8.0.3 22

# 4. Verify
sudo ssh-forward list

# 5. Test from external location
ssh -p 22223 root@87.106.61.62

  • [Overview](Documentation:Overview) - System architecture
  • [Configuration](configuration.md) - Configuration file format
  • [Best Practices](best-practices.md) - Security and best practices