ssh tunneling braindump

I have needed at various times to set up a server to tunnel an Internet-facing machine to an internal machine using ssh. The actual command has always challenged me, and each time I look it up, I don’t find what I really need.

So this time, for the purposes of documenting what I did, here’s the command I used:

ssh -L -l sshuser -N

The -L says that the port forwarding is local, the is the eth0 on the Internet facing machine with the 10000 the port ssh will listen to. The incoming ssh request will then be routed to on the inside to the standard port 22. The -l sshuser is a user on the machine who has to be logged in. The logging in will require a password, but if the shared RSA keys are set up between the machine and for the user ID sshuser, then no password is needed.

To generate the RSA keys, on, run as user sshuser, ssh-keygen. Do bother with a pass phrase. The resultant file is called, found in sshuser’s .ssh directory on, is to be transferred to’s sshuser’s .ssh directory and named as authorized_keys. Append it to that authorized_keys file if needed. Ensure that the authorized_keys file has a 0600 permission on it.
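The key installation step described above, as an added example that is not part of the original post: a shell function that appends a public key to authorized_keys only if it is missing, refuses anything that is not a single public key line, and enforces 0600 on the file (plus the conventional 0700 on .ssh). The function name, its arguments and the sample key are constructed for illustration.

```sh
#!/bin/sh
# Added example: install one SSH public key for a user, idempotently.
# Usage: install_pubkey PUBKEY_FILE TARGET_HOME   (hypothetical names)
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2/.ssh
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # A public key file holds exactly one non-blank line that starts with a
    # key type. A private key (multi-line PEM) fails both checks, so it can
    # never end up in authorized_keys by mistake.
    count=$(grep -cv '^[[:space:]]*$' "$pubkey_file") || true
    [ "$count" -eq 1 ] || { echo "expected exactly one key line" >&2; return 1; }
    key_line=$(grep -v '^[[:space:]]*$' "$pubkey_file")
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac

    # Create with a restrictive umask, then force the modes in case the
    # directory or file already existed with looser permissions.
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # Append only if this exact line is not already present.
    if ! grep -qxF -e "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}

# Demo on a throwaway directory with a constructed (non-functional) key.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED sshuser@example' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home" && install_pubkey "$demo_home/id_rsa.pub" "$demo_home"
ls -l "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Running it twice with the same key leaves a single entry, so it is safe to re-run when rebuilding the tunnel host.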

That should do it. There, documented for all.


  1. passphrase.
    If you control, as you’re the only root user, the machine where the private key is located, then you probably don’t have to use a passphrase. However, if you’re not root, or have any reason to suspect that the machine can be compromised, please use a pass phrase. You can use ssh-add with an ssh-agent (all distros start one by default) and only have to type it once. You can even use the same password as the user and use some PAM magic to save even this one time.

  2. Thanks for the suggestion and point noted. This setup is meant for incoming SSH requests and each of those requests has to log in on its own accord. The tunneling is to keep the channel up.

  3. alternative settings
    You can try using it without the proxy. Most sites work, but everything under is inaccessible and there may be other affected sites as well. Seems to be a common problem with the local ISPs.
    You can also try shvpncust. No proxy needed. Seems to work with all sites.
    I didn’t test this with a prepaid card, so YMMV.
