
Why does SSH need to be port forwarded?

babadoctor
Solved by LAwLz

The difference between teamviewer and SSH is where the traffic originates from.

With teamviewer, your computer connects to an outside server and tells it which IP and port to send traffic on. When you try to connect to your teamviewer server, you contact the central server (hosted somewhere on the Internet) which connects the two connections to each other.

This is why it does not require port forwarding. Because the connection originates from inside your network. Your router sees that your computer wants to connect to the Internet, so it assigns that connection a dynamic port number which it automatically keeps track of. Since it is your computer starting the connection, your router will know which traffic should be forwarded to it automatically.

With SSH, there is no middleman. It's not your computer from the inside network that is establishing the connection. Your router will just see an incoming connection on port 22 and then have no idea what to do with the connection. Should this packet on port 22 be sent to computer 192.168.1.6 or should it be sent to 192.168.1.7? Your router will have no idea and just try to process the packets itself, and then probably discard them.

There are ways around it with SSH, but they are very complicated so I really don't see why you won't just port forward. Is there any special reason for it?

You will most likely need a VPS or a VPN in order to make it work the way you want. With a VPS you could do the same thing Teamviewer does, but you will have to write the server (middleman) and client (that runs on your SSH server) yourself. I am not aware of any programs that do this already.

With the VPN you would have to make sure both the SSH server and client are on the same network (either a completely separate VPN for the two, or VPN from the client into the server's network) and then you will be able to SSH without port forwarding since you're on the same network.

But both solutions are costly. Cost in time, computational resources and money, so I really don't get why you just can't port forward.

1 minute ago, SpaceNugget said:

It's one or the other. If you have a static IP, set up your computer with that IP and ALL traffic on ALL ports goes directly to that computer, no port forwarding required.

Otherwise, you can set up port forwarding.

If you use a VPS like DigitalOcean with a static IP that you can SSH to, SSH to it from your work computer with the -R flag to create a reverse tunnel to the work computer, then when you ssh to your middleman from home, you are tunneling through to the computer at your work.

But this middleman either needs to have its own IP address or port forwarding rules set up to allow you to connect to it.

Okay, thank you!

OFF TOPIC: I suggest every poll from now on to have "**CK EA" option instead of "Other"
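The VPS reverse tunnel SpaceNugget describes, as an added example that is not code from the thread: the command run on the NAT'd work computer, the command run from home, the authorized_keys restriction for the tunnel key on the VPS, and a check that the relay port on the VPS is bound to loopback only. Hostnames, users and ports are assumed placeholders, the `ss -ltn` line format is assumed, and `permitlisten` needs OpenSSH 7.8 or newer on the VPS.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed placeholders:
VPS="vps.example.com"   # VPS with its own public, static IP (the "middleman")
VPS_USER="tunnel"       # unprivileged VPS account that exists only for the tunnel
WORK_USER="alice"       # account on the work computer behind the office NAT
RELAY_PORT=2222         # port on the VPS loopback that leads back to work:22
# Fail if the listener cannot be opened, and drop the session when the link dies
# so a restart loop (cron, systemd) can bring the tunnel back.
SSH_OPTS="-o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3"

# Run on the WORK computer. This is an outbound connection, so the office router
# tracks it like any other client connection; -R asks the VPS sshd to listen on
# 127.0.0.1:2222 and relay whatever arrives there back to port 22 on this box.
work_side_cmd() {
  printf 'ssh -N %s -R 127.0.0.1:%s:localhost:22 %s@%s' \
    "$SSH_OPTS" "$RELAY_PORT" "$VPS_USER" "$VPS"
}

# Run from HOME. -J hops through the VPS; "localhost" is resolved on the VPS,
# so the second leg hits the relay port and comes out at the work computer.
home_side_cmd() {
  printf 'ssh -J %s@%s -p %s %s@localhost' "$VPS_USER" "$VPS" "$RELAY_PORT" "$WORK_USER"
}

# authorized_keys line for the tunnel key on the VPS ($1 is the public key):
# no pty, no agent/X11 forwarding, and the only listener the key may open is
# the one relay port on loopback.
vps_authorized_key_line() {
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s' "$RELAY_PORT" "$1"
}

# Classify one line of `ss -ltn` output on the VPS. With sshd's default
# GatewayPorts=no the relay port is loopback-only; with GatewayPorts=yes it is
# bound to 0.0.0.0/[::] and the work box's port 22 becomes reachable from the
# whole Internet, not only after logging in to the VPS.
listener_scope() {
  case "$1" in
    *" 127.0.0.1:$RELAY_PORT "*|*" [::1]:$RELAY_PORT "*) echo loopback ;;
    *" 0.0.0.0:$RELAY_PORT "*|*" [::]:$RELAY_PORT "*|*" *:$RELAY_PORT "*) echo exposed ;;
    *) echo absent ;;
  esac
}
```

Run `work_side_cmd` output on the work computer first, then `home_side_cmd` from home; if `listener_scope` reports `exposed` for the relay port, fix `GatewayPorts` in the VPS sshd_config before relying on the tunnel.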



3 weeks later...

This brings me closer to my answer

http://stackoverflow.com/questions/16908714/how-do-you-create-a-peer-to-peer-connection-without-port-forwarding-or-a-centera


Decentralized P2P networking

If I can somehow do this but with ssh...


10 hours ago, babadoctor said:

This brings me closer to my answer

http://stackoverflow.com/questions/16908714/how-do-you-create-a-peer-to-peer-connection-without-port-forwarding-or-a-centera


Decentralized P2P networking

If I can somehow do this but with ssh...

Read the whole page, it's exactly the same problem, it still requires a publicly accessible service (the "third party"). To create that you still need to port forward or have a computer with its own external IP to avoid NAT.

42 minutes ago, SpaceNugget said:

Read the whole page, it's exactly the same problem, it still requires a publicly accessible service (the "third party"). To create that you still need to port forward or have a computer with its own external IP to avoid NAT.

:( 


Port forwarding is needed due to NAT. If you have 10 users sharing the same IP address, and you get an SSH connection incoming to that single IP address, your router isn't gonna know what the fuck to do with it. When you set your router to forward all port 22 traffic to a specific mac address behind the router, you can accept incoming traffic from that port.


Also security reasons.
