SSH Port Forwarding:Quickstart

The SSH port forwarding system has been refactored from hardcoded iptables rules to a flexible, configuration-driven system. This makes it easy to add SSH access to multiple devices on your VPN.

• Hardcoded iptables rules in /etc/iptables/rules.v4

• Manual rule management

• Difficult to add new devices

• Configuration file: /etc/ssh-port-forwards.conf

• Management script: ssh-forward (or ssh-port-forward-manager.sh)

• Easy to add/remove devices

• Automatic rule application

Your Synology NAS SSH forward has been migrated automatically:

• Device: synology

• External Port: 22222

• VPN IP: 10.8.0.2

• SSH Port: 22

• Access: ssh -p 22222 user@87.106.61.62

No changes needed - everything continues to work as before!

=== Check if device is connected ===
   cat /etc/openvpn/server/ipp.txt
   ping -c 2 10.8.0.3  # Replace with your device's VPN IP

   sudo ssh-forward add raspberrypi 22223 10.8.0.3 22

   sudo ssh-forward list

   ssh -p 22223 user@87.106.61.62

  * Log in to https://dcd.ionos.com/

  * Navigate to: Server & Cloud → Servers → [Your VPS] → Firewall

  * Add rule: TCP port 22223 → Allow

=== List all SSH port forwards ===
sudo ssh-forward list

== Add a new device ==
sudo ssh-forward add <name> <external_port> <vpn_ip> [ssh_port] # Remove a device
sudo ssh-forward remove <name>

== Reapply all forwards (after manual config edit) ==
sudo ssh-forward apply

• 22222-22299: Reserved for SSH port forwards

• 22222: Synology NAS (already in use)

• 22223+: Available for new devices

Location: /etc/ssh-port-forwards.conf

Format:

device_name:external_port:vpn_ip:ssh_port

Example:

synology:22222:10.8.0.2:22
raspberrypi:22223:10.8.0.3:22

   ping -c 2 <vpn_ip>

   sudo ssh-forward list
   iptables -t nat -L PREROUTING -n | grep <external_port>

   sudo ssh-forward apply

See the complete documentation: [SSH Port Forwarding Management](index.md)

---

Quick Reference: ssh-forward or /usr/local/bin/ssh-port-forward-manager.sh