Reverse SSH Tunnel: Export Your Mac Laptop To The Internet

As most professional programmers, we use Macs quite a lot in daily work. Do you know we can easily export mac laptop to the internet? Trusted people can access our laptop directly from anywhere. Definitely for temporary use. It could be ssh operations or various web services.

Here is A Simple And Complete Guide in 10 min. Share it, if you like it.

Original Article:

Let’s say you’re working remotely. And you need to share some of your work with your colleagues or clients. What you would do? Take screenshots with a lot of explanations? Start a EC2 instance, do the setup again and migrate your current work there? It takes money and time. Much extra time. Worse than that, it compromises our result. What if we can easily export our laptops directly to the audience?

Here we just focus on Mac OS X. The same technique shall apply to all linux boxes. Theoretically speaking, it would work for Ubuntu or CentOS with some minor changes.

In below example, we try to achieve this:

  • Export ssh service of our mac laptop. Tech geeks are addicted to ssh. Right?
  • Export a web service. Here we use apache for instance. It is installed by default in Mac OS X.

The main trick is ssh reverse tunnel.

Preparation Before We Start

  • A VM in public cloud: We need a public IP to do the proxy. Don’t worry, the resource overhead is very small.
  • Root access of the VM: Need this to configure sshd, and/or iptables.

1. Configure Your Public VM

  • Make sure, sshd config file contains GatewayPorts clientspecified.
# mac: vim /etc/sshd_config # Ubuntu/CentOS: vim /etc/ssh/sshd_conf
  • If the VM has iptables enabled, make sure it allows incoming traffic for port 40062 and 8088.
# Use ufw for Ubuntu env ufw allow 40062/tcp ufw allow 8088/tcp # Or use iptables directly iptables -A INPUT -i eth0 -p tcp --dport 40062 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 40062 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 8088 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 8088 -j ACCEPT

We use 40062 to do ssh reverse tunnel, so that people can ssh to our laptop. About web services, we start apache in laptop. It listens on port 80. Then do port forwarding from 8088 to 80 in this VM.

For better security, you only allow traffic from trusted source ip address.

2. Enable SSH Service In Your Laptop

For security concern, Mac OS doesn’t enable ssh remote login. Let’s turn it on: System Preferences -> Sharing -> Remote Login. Then verify by “telnet localhost 22“.

3. Start SSH Reverse Tunnel In Your Laptop

# Replace below with your VM's public IP export vm_ip=YOUR_VM_IP # Perform ssh reverse tunnel # Parameters: -R(reverse tunnel), -4(ipv4) # Here we choose 40062 to do the tunnel. ssh -4 -v -p 22 -fN \ -o "PubkeyAuthentication=yes" \ -o "StrictHostKeyChecking=false" \ -o "PasswordAuthentication=no" \ -o "ServerAliveInterval 60" \ -o "ServerAliveCountMax 3" \ -R $vm_ip:40062:localhost:22 root@$vm_ip # Verify connection telnet $vm_ip 40062

Show Time! Run this: ssh -p 40062 root@$vm_ip from any machine. Input root password of your laptop. Then people can ssh your laptop now!

4. Export Website To The Internet

We want to simulate how to export web services. Mac OS X preinstalls apache.

Let’s start apache in our laptop.

# Start apache service in mac sudo apachectl start # Verify apache works curl http://localhost

In VM, do ssh tunnel from $vm_ip:8088 to port 80 in our laptop.

# ssh tunnel for port forwarding ssh -v -N -p 40062 -f root@$vm_ip \ -L *:8088:localhost:80 -n /bin/bash

In any other machines, visit http://$vm_ip:8088 in web browser.

What If I Don’t Need It Anymore

Simply kill process in your laptop, which runs ssh reverse tunnel.

# Find pid in mac ps -ef | grep 40062 # Kill process. If it fails, use 'kill -9' kill $pid # Verify it's done ps -ef | grep 40062 telnet $vm_ip 40062

Use autossh To Handle SSH Connection Unstable Issue

Quite natural, ssh connection may break up in our laptop. Network turbulence or the computer goes to idle or hibernate.

autossh: Automatically restart SSH sessions and tunnels1. Let’s do the auto connection by autossh2.

# Install autossh brew install autossh # Verify installation which autossh

To take effect, let’s make a small change in Step #2 of ssh reverse tunnel.


ssh -4 -v -p 22 -fN \ -o "PubkeyAuthentication=yes" \ -o "StrictHostKeyChecking=false" \ -o "PasswordAuthentication=no" \ -o "ServerAliveInterval 60" \ -o "ServerAliveCountMax 3" \ -R $vm_ip:40062:localhost:22 root@$vm_ip
autossh -M 40063 -4 -v -p 22 -fN \ -o "PubkeyAuthentication=yes" \ -o "StrictHostKeyChecking=false" \ -o "PasswordAuthentication=no" \ -o "ServerAliveInterval 60" \ -o "ServerAliveCountMax 3" \ -R $vm_ip:40062:localhost:22 root@$vm_ip

Make sure your VM won’t block the traffic of port 40063. Let’s verify the change, by telnet $vm_ip 40062.

Originally published at on October 10, 2016.