Forward and reverse SSH tunnels in pictures


Say you have an SSH account on the server penguin.tw. What can you use that SSH account for while sitting at home?

If there is some private service running on the server, say PostgreSQL on port 5432, which is only available to people who are physically present at the server, then you can create a forward SSH tunnel from your home to that service on the server. It then appears as if you were sitting in front of the server, so you are allowed to access the private PostgreSQL service through port 5508 of your local computer:

ssh -4fNL 5508:localhost:5432 ckhung@penguin.tw

forward ssh tunnel vs reverse ssh tunnel

If you have a service running (say, on port 6080) on your laptop computer at home, which you wish the world to see, but you don't have a static IP address at home, then you can create a reverse SSH tunnel from your laptop computer to some arbitrary port (say 4380) on the server. It then appears as if the wonderful service were running on the server, so it is available to the whole world through the server's IP address:

ssh -4fNR '*:4380:localhost:6080' ckhung@penguin.tw

The '*' bind address only takes effect if the server's sshd_config sets GatewayPorts to yes or clientspecified; with the default (no), sshd binds the forwarded port to the server's loopback address only.

The latter is what I did during the pandemic when classes were held remotely. I ran a VNC session on my laptop computer at home. I ran noVNC so that I could access the VNC desktop, from the same laptop locally, using a web browser instead of a specialized VNC client. But I don't have a static IP address at home. How were the students supposed to access the VNC desktop on my laptop? So finally I opened a reverse SSH tunnel from my laptop at home to a server at my university so that the (read-only) noVNC service became visible to my students working from their homes or dormitories.

To summarize, a forward SSH tunnel makes a private service on the server available to you at home, whereas a reverse SSH tunnel makes a private service on your local computer at home available to the world through the server.
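To check what a forwarding spec exposes before running it, the following shell function (an added example, not part of the original article) parses the argument of ssh -L or -R and reports which side listens, which side dials the target, and how widely the listening port is bound. The function name and output format are made up for this illustration, and it assumes the spec contains no IPv6 literals or Unix-socket paths.

```shell
# Added example, not from the original page.
# describe_forward L|R '[bind_address:]port:host:hostport'
# Assumption: no IPv6 literals or Unix-socket paths in the spec.
describe_forward() (
    kind=$1
    IFS=:; set -f              # split on ':'; keep a literal '*' unexpanded
    set -- $2
    unset IFS
    case $# in
        3) bind=default; port=$1; host=$2; hport=$3 ;;
        4) bind=${1:-*}; port=$2; host=$3; hport=$4 ;;  # empty bind = '*'
        *) echo "unsupported spec" >&2; exit 1 ;;
    esac
    case $port:$hport in
        *[!0-9:]*|:*|*:) echo "ports must be numeric" >&2; exit 1 ;;
    esac
    # -L: the client listens and the server dials the target.
    # -R: the server listens and the client dials the target.
    case $kind in
        L) listen=client; dial=server ;;
        R) listen=server; dial=client ;;
        *) echo "kind must be L or R" >&2; exit 1 ;;
    esac
    # With no bind address, OpenSSH's default is a loopback-only listener.
    case $bind in
        default|localhost|127.0.0.1) scope=loopback ;;
        '*'|0.0.0.0) scope=all-interfaces ;;
        *) scope=one-address ;;
    esac
    note=none
    # sshd only honours a non-loopback -R bind when GatewayPorts permits it.
    if [ "$kind" = R ] && [ "$scope" != loopback ]; then
        note=needs-server-GatewayPorts
    fi
    printf 'listen=%s bind=%s port=%s dial=%s target=%s:%s scope=%s note=%s\n' \
        "$listen" "$bind" "$port" "$dial" "$host" "$hport" "$scope" "$note"
)

# The two commands from the text above:
describe_forward L 5508:localhost:5432
describe_forward R '*:4380:localhost:6080'
```

A result with scope=all-interfaces means anyone who can reach that host can reach the tunnelled service, so the service behind it needs its own access control.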

A teacher's setup to make one of his desktops at home visible to his students using vnc + noVNC + reverse ssh
