
SSH Port Forwarding:Management

From jb-vpn.uk Wiki
Revision as of 13:15, 1 January 2026 by Josh (talk | contribs) (Added troubleshooting guide: SSH Port Forwarding Management)

SSH Port Forwarding Management

This document describes how to manage SSH port forwards.

Management Script Usage

The management script is available at /usr/local/bin/ssh-port-forward-manager.sh or via the alias ssh-forward.

List All Port Forwards

sudo ssh-port-forward-manager.sh list
# or
sudo ssh-forward list

This displays all configured port forwards with their status (Active/Inactive).

Add a New Port Forward

sudo ssh-port-forward-manager.sh add <name> <external_port> <vpn_ip> [ssh_port] 

Example:

# Add SSH forward for a Raspberry Pi at 10.8.0.3 on external port 22223
sudo ssh-forward add raspberrypi 22223 10.8.0.3 22

# Add SSH forward for a server using non-standard SSH port
sudo ssh-forward add server 22224 10.8.0.4 2222

Parameters:

   name: Unique name for the device
   external_port: Port on VPS (must not be in use)
   vpn_ip: Device's VPN IP address
   ssh_port: SSH port on device (optional, defaults to 22)

Remove a Port Forward

sudo ssh-port-forward-manager.sh remove <name>

Example:

sudo ssh-forward remove raspberrypi

This removes the port forward from both the configuration file and iptables rules.

Apply All Port Forwards

sudo ssh-port-forward-manager.sh apply

This reads the configuration file and applies all port forwards. Useful after:

   Manual edits to the configuration file
   System reboot (automatically done by iptables-restore.sh)
   VPN restart

Save Current Rules

sudo ssh-port-forward-manager.sh save

Saves current iptables rules to /etc/iptables/rules.v4 for persistence.

Adding a New Device

Prerequisites

Device must be connected to OpenVPN VPN

   Device should have a .ovpn configuration file
   Device should be connected and have a VPN IP address
   Verify connection: ping <VPN_IP> from VPS

Device must have SSH enabled

   SSH service should be running on the device
   SSH should be accessible from the VPN network

Choose an external port

   Must not conflict with existing services
   Recommended range: 22222-22299 for SSH forwards
   Check availability: sudo ssh-forward list
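
The prerequisite checks above (unique-looking name, external port in the recommended range and not already taken, device address on the VPN) can be run as a pre-flight before ssh-forward add. This is an added example, not part of ssh-port-forward-manager.sh; the 10.8.0.0/24 subnet (inferred from the example addresses), the allowed name characters, and the idea that existing forwards appear as --dport rules in the nat table are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a proposed forward, run as root before `ssh-forward add`.
# Assumptions (not taken from the manager script): VPN subnet is 10.8.0.0/24,
# names are limited to [A-Za-z0-9_-], forwards show up as --dport rules in nat.
PORT_MIN=22222   # recommended range from this page
PORT_MAX=22299

is_port() {   # digits only, no leading zero, 1-65535
    case $1 in ''|0*|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# Ports already taken: local TCP listeners plus ports matched by nat rules.
used_ports() {
    ss -Hltn 2>/dev/null | awk '{ n = split($4, a, ":"); print a[n] }'
    iptables-save -t nat 2>/dev/null | grep -o -- '--dport [0-9]*' | awk '{ print $2 }'
}

# check_forward NAME EXT_PORT VPN_IP [SSH_PORT] [USED_PORTS]
# Returns 0 if acceptable; 1 bad name, 2 port outside range, 3 port in use,
# 4 IP outside VPN subnet, 5 bad SSH port. USED_PORTS is newline-separated.
check_forward() {
    name=$1 ext=$2 ip=$3 sshp=${4:-22}
    if [ "$#" -ge 5 ]; then used=$5; else used=$(used_ports); fi
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad name" >&2; return 1 ;; esac
    if ! is_port "$ext" || [ "$ext" -lt "$PORT_MIN" ] || [ "$ext" -gt "$PORT_MAX" ]; then
        echo "external port must be $PORT_MIN-$PORT_MAX" >&2; return 2
    fi
    if printf '%s\n' "$used" | grep -qx -- "$ext"; then
        echo "port $ext already in use" >&2; return 3
    fi
    case $ip in 10.8.0.*) last=${ip#10.8.0.} ;; *) last= ;; esac
    if ! is_port "$last" || [ "$last" -gt 254 ]; then
        echo "$ip is not a host in 10.8.0.0/24" >&2; return 4
    fi
    is_port "$sshp" || { echo "bad SSH port" >&2; return 5; }
    return 0
}

# Stand-alone use: sh preflight.sh <name> <external_port> <vpn_ip> [ssh_port]
if [ "$#" -ge 3 ]; then
    check_forward "$@" && echo "ok: safe to run ssh-forward add $*"
fi
```

The nat-table lookup matters because a forwarded port never shows up as a local listener, so a listener check alone would report an already-forwarded port as free.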

Step-by-Step Guide

Verify device is on VPN:

   # Check VPN connection
   grep <device_name> /etc/openvpn/server/ipp.txt
   
   # Ping device
   ping -c 2 <VPN_IP>

Test direct SSH connection:

   # From VPS, test SSH to device via VPN
   ssh -o ConnectTimeout=5 user@<VPN_IP>

Add the port forward:

   sudo ssh-forward add <device_name> <external_port> <VPN_IP> [ssh_port]

Verify the forward:

   # List all forwards
   sudo ssh-forward list
   
   # Test from external location
   ssh -p <external_port> user@<VPS_PUBLIC_IP>

Configure IONOS firewall (if applicable):

   Log in to IONOS Cloud Panel: https://dcd.ionos.com/
   Navigate to: Server & Cloud → Servers → [Your VPS] → Firewall
   Add rule: TCP port <external_port> → Allow
   Set appropriate priority

Example: Adding a Raspberry Pi

# 1. Verify Raspberry Pi is on VPN (assume it gets 10.8.0.3)
ping -c 2 10.8.0.3

# 2. Test direct SSH (using root for Cursor compatibility)
ssh root@10.8.0.3

# 3. Add port forward
sudo ssh-forward add raspberrypi 22223 10.8.0.3 22

# 4. Verify
sudo ssh-forward list

# 5. Test from external location
ssh -p 22223 root@87.106.61.62

   [[Documentation:Overview|Overview]] - System architecture
   [Configuration](configuration.md) - Configuration file format
   [Best Practices](best-practices.md) - Security and best practices