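I have several machines at home that I would like to access from school using SSH and VNC. To do that, I gave them static IPs:
- 192.168.1.50: Windows
- 192.168.1.51: Ubuntu
- 192.168.1.52: Raspberry Pi / Raspbian
SSH uses port 22, so I can forward this port on my router to 192.168.1.51:22, but that way I cannot SSH into the Raspberry Pi. Is there a way to set this up so that I can access both machines?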
If you have IPv6, you don't even need port forwarding! Simply get your permanent IPv6 address (based on your MAC address, so it's guaranteed to stay the same unless your ISP doesn't know how IPv6 works) and use this to tunnel in. As your IPv6 address is public-facing and allows the world to access you without having to go through your local NAT, you don't need to bother enabling port-forwarding anywhere. It will "just work."
Note, however, that IPv6 is still not really supported globally, and both your home internet connection and remote internet connection need to have fully-working IPv6 in order to do this.
However, if you're like most people and only have IPv4, there's still a way! Some routers allow you to forward specific source ports to specific destination ports, like so:
In this example, port 22 is passed directly to my machine sheepdog, while port 292 is being forwarded to port 22 on coyote.
Lastly, if your router does not have this feature, you can just change the port, as SSH is not limited to just running on port 22. You can set it to anything you want (that's not being used).
In /etc/ssh/sshd_config (you need root to edit, so sudo nano /etc/ssh/sshd_config), there is a line at the top of the file:
# What ports, IPs and protocols we listen for
Port 22
Change this to whatever you want:
# What ports, IPs and protocols we listen for
Port 2992
Restart the SSH server with sudo service ssh restart, and forward the port on the router.
However, for this use case, I would consider if SSH tunnels are the right thing to do. Perhaps you should set up a dedicated VPN server on your home network? This will allow you to access your entire home network from anywhere, provided you have the proper security credentials needed by the VPN. Additionally, there is slightly less overhead with a VPN; you'd typically only need to forward one port for one machine.
An easy way to solve this problem is to map different ports from your router to the port 22 of your machines. For example, you can have the following settings in your router (assuming your router has IP 1.2.3.4)
1. 1.2.3.4:22 --> ubuntu:22
2. 1.2.3.4:8888 --> raspberrypi:22
3. 1.2.3.4:9999 --> windows:22 (or some other port)
Then when you use ssh, specify the port you want to use by typing
$ ssh <username>@<router ip> -p <your port>
Now you should be able to connect to all your machines.
Was doubting whether this would fit better as a comment rather than an answer, but I'll post it here anyway.
Some things you should think about before doing this:
If you know one of your computers is always up, you also have the possibility to use it as an ssh proxy.
Let's say you have a domain name set up for your external IP address (i.e. myhome.dyndns.com or whatever). What you will do is connect to one computer (let's say the raspberry is always up, and you forward the port from your router to it); then your ssh connections will be:
school --> (router, transparent here) --> raspberry --> ubuntu or windows
Now, in your ~/.ssh/config at school, add the lines:
Host ubuntu 192.168.1.51
# change to match your setup
Hostname ubuntu
# change it ;-)
User myraspberryuser
# The path to your private key, on the school computer; better on a USB key if it is a public computer
IdentityFile ~/.ssh/id_rsa
ForwardAgent yes
RequestTTY yes
ProxyCommand ssh -W %h:%p %[email protected]
To connect then:
ssh-add ~/.ssh/id_rsa # to do only once per session
ssh [email protected] # login without password
From now, if you type ssh ubuntu, the computer will first connect to the raspberry, and then start an ssh session to the ubuntu computer.
I recommend that, whatever port you choose to forward, you disable password login in /etc/sshd.conf so that only login through an SSH key is permitted. This way, if you set up the key on the raspberry and on ubuntu, with the parameter 'ForwardAgent', you will only have to unlock the key and then no password is required to connect. This way, even if bots are trying to log in on your ssh, they will never be able to log in since you disallow password logon.
Bonus: this also works with scp; scp foo ubuntu:/tmp/foo will use the same setup without further parameters. Bonus 2: this setup does not require any change at home. If tomorrow you add another computer, just copy/paste the code in your ssh config, change the host and IP, and that's it; no need to open a new port on the router.
I do this--I leave the rpi up and plugged directly into the router all the time (since it's the cheapest to run) and just ssh into it, then bounce from it to the others--it never needs much attention.
It's also possible to VNC/RDP a GUI over an ssh pipe, kinda fun, or forward a port that lets you browse to a server on your desktop computer while keeping it private.
The reason I added this answer is to give you some suggestions.
1) Use a different port than 22. You can leave it 22 on the PI, but change the incoming port on your router to something over 10,000... Otherwise you'll get dozens to hundreds of attacks a day--and once you're known to be running an SSH host the second an exploit is found, you're owned.
2) Use certificates instead of username/password--completely disable username/password login.
3) If your IP address can change, use a dyndns-type service to get yourself a DNS hostname (I use noip, it's free and they support a Linux client to update your IP address--I think you can just apt-get it on the pi now). There are still a few other companies that offer this for free.
4) Keep your pi (or whatever you ssh into) up to date (sudo apt-get update). I believe ssh is pretty well vetted by now, but I also believed that of https...
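Two of the answers above recommend disabling password login and listening on a port other than 22. The following is an added example, not part of any answer, that audits the text of an sshd_config for those settings; the function names and the sample configuration are constructed for illustration. It does not follow Include files, so on a real host compare the result with the effective configuration printed by sshd -T.

```python
# Added example. SAMPLE is constructed for illustration, not taken from a real host.
SAMPLE = """\
Port 2992
PasswordAuthentication no
#PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Upstream OpenSSH defaults, used when a keyword is absent (distributions may differ).
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"],
            "pubkeyauthentication": ["yes"], "kbdinteractiveauthentication": ["yes"]}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
MULTI = {"port"}  # Port may be given several times; sshd listens on all of them

def parse_sshd_config(text):
    """Return (global settings, Match-block overrides); Include files are not followed."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value  # later lines apply only when this condition holds
        elif match is not None:
            overrides.append((match, key, value.lower()))
        elif key in MULTI:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, [value.lower()])  # first occurrence wins in sshd
    return settings, overrides

def audit(text):
    """Return (listening ports, findings) for one sshd_config text."""
    settings, overrides = parse_sshd_config(text)
    eff = {k: settings.get(k, default) for k, default in DEFAULTS.items()}
    findings = []
    if eff["passwordauthentication"][0] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if eff["kbdinteractiveauthentication"][0] != "no":
        # with PAM, keyboard-interactive can still prompt for the account password
        findings.append("keyboard-interactive authentication is not 'no'")
    if eff["pubkeyauthentication"][0] != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    findings += [f"Match {cond} re-enables password login" for cond, key, value in overrides
                 if key == "passwordauthentication" and value == "yes"]
    return eff["port"], findings
```

In the sample, the second global PasswordAuthentication line is ignored because the first value wins, while the Match block is reported because it overrides the global setting for that user.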