SSH reverse tunnels: a safe baseline (with rollback) - kevwells.com

Problem: You need to reach a service on a host behind NAT. A reverse tunnel lets the hidden host dial out to a bastion, exposing its local port only on that bastion.

1) One approved pattern

On the hidden host (the client), create a reverse tunnel to the bastion. This exposes the client's local SSH on bastion port 8022, but only on the bastion's loopback interface:

ssh -N -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -R 127.0.0.1:8022:127.0.0.1:22 user@bastion.example.com

2) Lock it down (server)

In the bastion's sshd_config:

AllowTcpForwarding remote
GatewayPorts no
# PermitListen (OpenSSH 7.8+) bounds the addresses a -R tunnel may bind on the bastion.
# PermitOpen only governs -L destinations, which "remote" above already disallows.
PermitListen 127.0.0.1:8022

In ~/.ssh/authorized_keys for that user, restrict the key:

# permitlisten limits where this key's -R tunnels may bind; permitopen would only limit -L
from="client.ip",no-agent-forwarding,no-X11-forwarding,no-pty,permitlisten="127.0.0.1:8022" ssh-ed25519 AAAA... comment

3) Make it persistent (client)

Use a systemd service instead of autossh:

# /etc/systemd/system/revtun.service
[Unit]
Description=Reverse SSH tunnel to bastion
After=network-online.target
Wants=network-online.target

[Service]
# Add User=<unprivileged account that holds the tunnel key> so ssh does not run as root.
# BatchMode=yes makes ssh fail fast (and get restarted) instead of hanging on a prompt.
ExecStart=/usr/bin/ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:8022:127.0.0.1:22 user@bastion.example.com
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Then load and start it:

sudo systemctl daemon-reload
sudo systemctl enable --now revtun

4) Using the tunnel

# From an admin box that can reach the bastion:
ssh -J admin@bastion.example.com admin@127.0.0.1 -p 8022

5) Rollback

# Client
sudo systemctl disable --now revtun
# If the tunnel was started by hand rather than through the unit:
pkill -f "ssh -N .* -R .*:8022:"

# Bastion (optional hard stop). The listener there belongs to the sshd session
# for the tunnel user, not to an "ssh -N" process, so locate it by port:
sudo ss -ltnp 'sport = :8022'    # shows the sshd pid holding 127.0.0.1:8022
sudo kill <pid-from-ss>

# Remove key restrictions or the user if no longer needed.

6) Pitfalls

  • Don’t set GatewayPorts yes unless you deliberately want the port exposed to the world.
  • Limit what can be forwarded with PermitOpen and authorized_keys options.
  • Rotate the tunnel port and key if it leaks; treat bastion access as privileged.
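The settings in sections 2 and 6 are easy to get subtly wrong (a Match block overriding GatewayPorts, a listener quietly bound to 0.0.0.0), so a small audit that reads the bastion's effective configuration and its listening sockets is worth keeping next to the unit file. The script below is an added example, not code from the original post. It assumes OpenSSH 7.8 or later (PermitListen), the column layout of iproute2's ss, and a tunnel port of 8022 unless TUNNEL_PORT is set; the sshd -T and ss -ltn output it ships with is constructed for the stand-alone demo.

```shell
#!/bin/sh
# Added baseline audit for the bastion (not part of the original post).
# check_sshd_cfg reads `sshd -T` output, check_listener reads `ss -ltn` output;
# both take their input on stdin so they work on live output or a saved copy.
# Assumes OpenSSH 7.8+ (PermitListen) and the iproute2 `ss` column layout.
# TUNNEL_PORT and every sample below are constructed placeholders.

TUNNEL_PORT="${TUNNEL_PORT:-8022}"

# Audit the *effective* sshd settings (sshd -T prints lowercase keywords, one
# per line). On the bastion: `sudo sshd -T | check_sshd_cfg`; add
# `-C user=<tunnel user>` to sshd -T to see what Match blocks yield for that user.
# Exit 0 when the baseline holds, 1 otherwise; findings go to stdout.
check_sshd_cfg() {
    awk -v port="$TUNNEL_PORT" '
        $1 == "gatewayports"       { gw = $2 }
        $1 == "allowtcpforwarding" { fwd = $2 }
        $1 == "permitlisten"       { for (i = 2; i <= NF; i++) if ($i == ("127.0.0.1:" port)) pl = 1 }
        END {
            rc = 0
            if (gw != "no")      { print "FAIL gatewayports=" gw " (want no)"; rc = 1 }
            if (fwd != "remote") { print "FAIL allowtcpforwarding=" fwd " (want remote)"; rc = 1 }
            if (!pl)             { print "FAIL permitlisten lacks 127.0.0.1:" port; rc = 1 }
            if (rc == 0)         print "OK sshd baseline present for port " port
            exit rc
        }'
}

# Confirm the tunnel listener exists and is bound to loopback only.
# On the bastion: `ss -ltn | check_listener`. Exit 0 only when the port is
# listening and every bind for it is 127.0.0.1 or [::1].
check_listener() {
    awk -v port="$TUNNEL_PORT" '
        $1 == "LISTEN" {
            addr = $4; p = addr; sub(/.*:/, "", p)      # port sits after the last colon
            if (p == port) {
                found = 1
                if (addr != ("127.0.0.1:" port) && addr != ("[::1]:" port)) { bad = bad " " addr }
            }
        }
        END {
            if (!found)    { print "FAIL no listener on port " port " (tunnel down)"; exit 1 }
            if (bad != "") { print "FAIL port " port " bound on non-loopback:" bad; exit 1 }
            print "OK port " port " listens on loopback only"
        }'
}

# --- constructed samples, shaped like real sshd -T / ss -ltn output ---
sample_sshd_ok() {
    cat <<'EOF'
port 22
gatewayports no
allowtcpforwarding remote
permitlisten 127.0.0.1:8022
permitopen any
EOF
}
sample_sshd_weak() {
    cat <<'EOF'
port 22
gatewayports yes
allowtcpforwarding yes
permitlisten any
permitopen any
EOF
}
sample_ss_ok() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8022     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
EOF
}
sample_ss_exposed() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8022       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
EOF
}
sample_ss_down() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
EOF
}

# Stand-alone demo on the samples; the weak config and the exposed bind are expected to fail.
echo "== weak sshd config =="; sample_sshd_weak | check_sshd_cfg || true
echo "== hardened sshd config =="; sample_sshd_ok | check_sshd_cfg
echo "== listener, loopback only =="; sample_ss_ok | check_listener
echo "== listener exposed (GatewayPorts yes) =="; sample_ss_exposed | check_listener || true
```

Run it from the revtun unit's ExecStartPost on the client only if the client can query the bastion; otherwise schedule it on the bastion itself, where both commands are local. Reading sshd -T rather than sshd_config is the point: it reports what sshd actually applies after defaults and Match blocks, which is what a listener bound to 0.0.0.0 will reveal too late.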

Security gaps in Linux and cloud systems risk downtime, data compromise, lost business — and compliance failures.

With 20+ years’ experience and active UK Security Check (SC) clearance, I harden Linux and cloud platforms for government, corporate, and academic sectors — ensuring secure, compliant, and resilient infrastructure.