SSH Port Forwarding:Management: Difference between revisions
Content added - troubleshooting guide: SSH Port Forwarding Management (11 sections) |
Major update - troubleshooting guide: SSH Port Forwarding Management (32 sections) |
||
| Line 1: | Line 1: | ||
This document describes how to manage SSH port forwards. | This document describes how to manage SSH port forwards. | ||
| Line 11: | Line 9: | ||
<pre class="lang-bash"> | <pre class="lang-bash"> | ||
sudo ssh-port-forward-manager.sh list | sudo ssh-port-forward-manager.sh list | ||
= or = | ==== or ==== | ||
sudo ssh-forward list | sudo ssh-forward list | ||
</pre> | </pre> | ||
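Review bot: the separator line inside this `<pre class="lang-bash">` block is wiki heading markup in both revisions (`= or =` becomes `==== or ====`), not a shell comment. Anyone pasting the block into a terminal gets a command error on that line. Suggest writing it as `# or`, and doing the same for the other heading-style lines inside bash blocks in this revision.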
| Line 25: | Line 23: | ||
'''Example:''' | '''Example:''' | ||
<pre class="lang-bash"> | <pre class="lang-bash"> | ||
= Add SSH forward for a Raspberry Pi at 10.8.0.3 on external port 22223 = | ==== Add SSH forward for a Raspberry Pi at 10.8.0.3 on external port 22223 ==== | ||
sudo ssh-forward add raspberrypi 22223 10.8.0.3 22 | sudo ssh-forward add raspberrypi 22223 10.8.0.3 22 | ||
= Add SSH forward for a server using non-standard SSH port = | == Add SSH forward for a server using non-standard SSH port == | ||
sudo ssh-forward add server 22224 10.8.0.4 2222 | sudo ssh-forward add server 22224 10.8.0.4 2222 | ||
</pre> | </pre> | ||
| Line 79: | Line 77: | ||
=== Prerequisites === | === Prerequisites === | ||
= '''Device must be connected to OpenVPN VPN''' = | ==== '''Device must be connected to OpenVPN VPN''' ==== | ||
* Device should have a <code>.ovpn</code> configuration file | * Device should have a <code>.ovpn</code> configuration file | ||
| Line 86: | Line 84: | ||
* Verify connection: <code>ping <VPN_IP></code> from VPS | * Verify connection: <code>ping <VPN_IP></code> from VPS | ||
= '''Device must have SSH enabled''' = | == '''Device must have SSH enabled''' == | ||
* SSH service should be running on the device | * SSH service should be running on the device | ||
* SSH should be accessible from the VPN network | * SSH should be accessible from the VPN network | ||
= '''Choose an external port''' = | == '''Choose an external port''' == | ||
* Must not conflict with existing services | * Must not conflict with existing services | ||
| Line 100: | Line 98: | ||
=== Step-by-Step Guide === | === Step-by-Step Guide === | ||
= '''Verify device is on VPN:''' = | ==== '''Verify device is on VPN:''' ==== | ||
<pre class="lang-bash"> | <pre class="lang-bash"> | ||
=== Check VPN connection === | |||
cat /etc/openvpn/server/ipp.txt | grep <device_name> | cat /etc/openvpn/server/ipp.txt | grep <device_name> | ||
=== Ping device === | |||
ping -c 2 <VPN_IP> | ping -c 2 <VPN_IP> | ||
</pre> | </pre> | ||
= '''Test direct SSH connection:''' = | == '''Test direct SSH connection:''' == | ||
<pre class="lang-bash"> | <pre class="lang-bash"> | ||
=== From VPS, test SSH to device via VPN === | |||
ssh -o ConnectTimeout=5 user@<VPN_IP> | ssh -o ConnectTimeout=5 user@<VPN_IP> | ||
</pre> | </pre> | ||
= '''Add the port forward:''' = | == '''Add the port forward:''' == | ||
<pre class="lang-bash"> | <pre class="lang-bash"> | ||
sudo ssh-forward add <device_name> <external_port> <VPN_IP> [ssh_port] | sudo ssh-forward add <device_name> <external_port> <VPN_IP> [ssh_port] | ||
</pre> | </pre> | ||
= '''Verify the forward:''' = | == '''Verify the forward:''' == | ||
<pre class="lang-bash"> | <pre class="lang-bash"> | ||
=== List all forwards === | |||
sudo ssh-forward list | sudo ssh-forward list | ||
=== Test from external location === | |||
ssh -p <external_port> user@<VPS_PUBLIC_IP> | ssh -p <external_port> user@<VPS_PUBLIC_IP> | ||
</pre> | </pre> | ||
= '''Configure IONOS firewall (if applicable):''' = | == '''Configure IONOS firewall (if applicable):''' == | ||
* Log in to IONOS Cloud Panel: https://dcd.ionos.com/ | * Log in to IONOS Cloud Panel: https://dcd.ionos.com/ | ||
| Line 141: | Line 139: | ||
<pre class="lang-bash"> | <pre class="lang-bash"> | ||
= 1. Verify Raspberry Pi is on VPN (assume it gets 10.8.0.3) = | ==== 1. Verify Raspberry Pi is on VPN (assume it gets 10.8.0.3) ==== | ||
ping -c 2 10.8.0.3 | ping -c 2 10.8.0.3 | ||
= 2. Test direct SSH (using root for Cursor compatibility) = | == 2. Test direct SSH (using root for Cursor compatibility) == | ||
ssh root@10.8.0.3 | ssh root@10.8.0.3 | ||
= 3. Add port forward = | == 3. Add port forward == | ||
sudo ssh-forward add raspberrypi 22223 10.8.0.3 22 | sudo ssh-forward add raspberrypi 22223 10.8.0.3 22 | ||
= 4. Verify = | == 4. Verify == | ||
sudo ssh-forward list | sudo ssh-forward list | ||
= 5. Test from external location = | == 5. Test from external location == | ||
ssh -p 22223 root@87.106.61.62 | ssh -p 22223 root@87.106.61.62 | ||
</pre> | </pre> | ||
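Review bot: steps 2 and 5 of this example log in as `root`, and step 5 does so through the internet-facing forward on port 22223 against a literal public address. Suggest using an unprivileged account with key-based authentication in the example and replacing the address with the `<VPS_PUBLIC_IP>` placeholder already used in the step-by-step guide. The numbered step lines are also still heading markup (`== 3. Add port forward ==`) inside a bash block and should be `#` comments.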
Latest revision as of 13:44, 1 January 2026
This document describes how to manage SSH port forwards.
Management Script Usage
The management script is available at /usr/local/bin/ssh-port-forward-manager.sh or via the alias ssh-forward.
List All Port Forwards
<pre class="lang-bash">
sudo ssh-port-forward-manager.sh list
# or
sudo ssh-forward list
</pre>
This displays all configured port forwards with their status (Active/Inactive).
Add a New Port Forward
<pre class="lang-bash">
sudo ssh-port-forward-manager.sh add <name> <external_port> <vpn_ip> [ssh_port]
</pre>
Example:
<pre class="lang-bash">
# Add SSH forward for a Raspberry Pi at 10.8.0.3 on external port 22223
sudo ssh-forward add raspberrypi 22223 10.8.0.3 22
# Add SSH forward for a server using non-standard SSH port
sudo ssh-forward add server 22224 10.8.0.4 2222
</pre>
Parameters:
* name: Unique name for the device
* external_port: Port on VPS (must not be in use)
* vpn_ip: Device's VPN IP address
* ssh_port: SSH port on device (optional, defaults to 22)
Remove a Port Forward
<pre class="lang-bash">
sudo ssh-port-forward-manager.sh remove <name>
</pre>
Example:
<pre class="lang-bash">
sudo ssh-forward remove raspberrypi
</pre>
This removes the port forward from both the configuration file and iptables rules.
Apply All Port Forwards
<pre class="lang-bash">
sudo ssh-port-forward-manager.sh apply
</pre>
This reads the configuration file and applies all port forwards. Useful after:
- Manual edits to the configuration file
- System reboot (automatically done by iptables-restore.sh)
- VPN restart
Save Current Rules
<pre class="lang-bash">
sudo ssh-port-forward-manager.sh save
</pre>
Saves current iptables rules to /etc/iptables/rules.v4 for persistence.
Adding a New Device
Prerequisites
Device must be connected to OpenVPN VPN
* Device should have a .ovpn configuration file
* Device should be connected and have a VPN IP address
* Verify connection: ping <VPN_IP> from VPS
Device must have SSH enabled
* SSH service should be running on the device
* SSH should be accessible from the VPN network
Choose an external port
* Must not conflict with existing services
* Recommended range: 22222-22299 for SSH forwards
* Check availability: sudo ssh-forward list
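A pre-flight check for the arguments passed to `ssh-forward add`, as an added example that is not part of the management script or of this wiki page. The 10.8.0.0/24 VPN subnet, the host range 2-254 and the allowed name characters are assumptions drawn from the examples here; the external port range is the one recommended above.

```sh
#!/bin/sh
# Added example: validate <name> <external_port> <vpn_ip> [ssh_port]
# before running `sudo ssh-forward add ...`.
# Assumptions: VPN subnet 10.8.0.0/24 (hosts 2-254), names in [A-Za-z0-9_-].

PORT_MIN=22222   # recommended range for SSH forwards on this page
PORT_MAX=22299

is_uint() {      # non-empty and digits only
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

valid_name() {   # rejects spaces and shell metacharacters
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

valid_port() {   # any TCP port, 1-65535
    is_uint "$1" && [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_vpn_ip() { # address must sit inside the assumed VPN subnet
    case "$1" in
        10.8.0.*) host=${1#10.8.0.} ;;
        *) return 1 ;;
    esac
    is_uint "$host" && [ "${#host}" -le 3 ] && [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# True if a local TCP service already listens on port $1. A forward that
# exists only as an iptables rule has no socket, so also check
# `sudo ssh-forward list` before picking a port.
port_has_listener() {
    [ -n "$(ss -Htln "sport = :$1" 2>/dev/null)" ]
}

# Returns 0 if all arguments are acceptable, otherwise 1-4 for the
# first argument that fails.
check_forward() {
    valid_name "$1" || { echo "bad name: $1" >&2; return 1; }
    valid_port "$2" && [ "$2" -ge "$PORT_MIN" ] && [ "$2" -le "$PORT_MAX" ] \
        || { echo "external port outside $PORT_MIN-$PORT_MAX: $2" >&2; return 2; }
    valid_vpn_ip "$3" || { echo "not a VPN address: $3" >&2; return 3; }
    valid_port "${4:-22}" || { echo "bad ssh port: $4" >&2; return 4; }
    return 0
}
```

Restricting the destination to the VPN subnet keeps a mistyped or hostile argument from turning the VPS into a forwarder toward arbitrary hosts.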
Step-by-Step Guide
Verify device is on VPN:
<pre class="lang-bash">
# Check VPN connection
grep <device_name> /etc/openvpn/server/ipp.txt
# Ping device
ping -c 2 <VPN_IP>
</pre>
Test direct SSH connection:
<pre class="lang-bash">
# From VPS, test SSH to device via VPN
ssh -o ConnectTimeout=5 user@<VPN_IP>
</pre>
Add the port forward:
<pre class="lang-bash">
sudo ssh-forward add <device_name> <external_port> <VPN_IP> [ssh_port]
</pre>
Verify the forward:
<pre class="lang-bash">
# List all forwards
sudo ssh-forward list
# Test from external location
ssh -p <external_port> user@<VPS_PUBLIC_IP>
</pre>
Configure IONOS firewall (if applicable):
* Log in to IONOS Cloud Panel: https://dcd.ionos.com/
* Navigate to: Server & Cloud → Servers → [Your VPS] → Firewall
* Add rule: TCP port <external_port> → Allow
* Set appropriate priority
Example: Adding a Raspberry Pi
<pre class="lang-bash">
# 1. Verify Raspberry Pi is on VPN (assume it gets 10.8.0.3)
ping -c 2 10.8.0.3
# 2. Test direct SSH (using root for Cursor compatibility)
ssh root@10.8.0.3
# 3. Add port forward
sudo ssh-forward add raspberrypi 22223 10.8.0.3 22
# 4. Verify
sudo ssh-forward list
# 5. Test from external location
ssh -p 22223 root@87.106.61.62
</pre>
Related Documentation
- Overview - System architecture
- [Configuration](configuration.md) - Configuration file format
- [Best Practices](best-practices.md) - Security and best practices
- Troubleshooting - Troubleshooting guide