Providing support on machines via an ADSL line (NAT) without port forwarding


We often need to access client machines that sit behind an ADSL or other consumer-grade connection. Making such a machine reachable from outside normally requires two things:

  1. Set up a dynamic DNS client (e.g. ddclient) on a machine inside the network to update the DDNS record whenever the public IP address of the router at the client site changes (see the note about ADSL in South Africa below).  For instance, muncher.clientsite.co.za could be kept current by ddclient running on a Linux machine.  This can be the same machine that will be made accessible from outside, and a Linux host is always a better choice for that role than a Windows one, since it will be exposed to the internet.
  2. Set up a port forward on the ADSL router for the port you wish to reach from outside.  To access a web service on a machine behind the router, forward port 80 to port 80 on the internal IP (e.g. 192.168.1.10).  It is equally possible to forward external port 88 to 192.168.1.10:80.  It makes a lot of sense to forward port 22 to this machine: ssh is encrypted and authenticated, and an ssh tunnel lets other services be used through that single port as well.

The above is fine provided the internal machine is properly secured.  Allowing ssh logins with a password is however a weak link, since the only thing between an attacker and the machine is a password that can be guessed or brute-forced.  There are better ways to make a secure connection.

Using ssh public-key authentication ("digital keys") restricts ssh access to machines that hold the private key.  If what we need is a database, a web service or another service that is not secure in itself, a persistent connection made from inside the network out to a designated server that we control gives a safe path to it without any of the disadvantages of the options above.

AutoSSH persistent tunnels are a good way to achieve this.  Because the connection is initiated from the inside, no DDNS client or port forward is needed to get through the NAT, and the tunnel is established automatically when the inside machine starts and re-established when the link drops.
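As an added example, not code from the original article, here are the pieces of such an autossh reverse tunnel, covering both the ssh-only case and the database/web service case from the paragraphs above.  Everything named in it is an assumption: relay.example.com is a server we control, tun is a restricted account on it, admin is the login on the client machine, the client's private key lives in /etc/tunnel/id_ed25519 and is owned by a local account called tunnel, and the internal web server is 192.168.1.10 as in the port-forward example.  The script only generates the autossh command line, the relay's authorized_keys entry, the one-time relay setup and a systemd unit; nothing connects anywhere when it runs.

```shell
#!/bin/sh
# Added example, not from the original article: a reverse SSH tunnel from a
# machine behind NAT to a relay server we control, kept alive by autossh.
# Hypothetical names throughout: relay.example.com, relay account "tun",
# client-side login "admin", key /etc/tunnel/id_ed25519, internal web
# server 192.168.1.10.  Run with "show" to print everything it generates.

RELAY_HOST="relay.example.com"
RELAY_USER="tun"
AUTOSSH="/usr/bin/autossh"
KEY="/etc/tunnel/id_ed25519"   # readable only by the local "tunnel" account

# autossh_cmd FORWARD...   with FORWARD in ssh -R form: relayport:host:port
#   e.g. autossh_cmd 2222:localhost:22 18080:192.168.1.10:80
# -M 0: no autossh monitor port; liveness comes from ServerAlive*, so a NAT
#       mapping that silently died is noticed within 30*3 s and ssh restarted.
# -N:   request no remote command, so the relay account can have a nologin shell.
# ExitOnForwardFailure: if the relay still holds the port from a stale session,
#       exit instead of running a useless tunnel; autossh then retries.
# BatchMode never prompts, so the relay's host key must already be in the
# tunnel account's known_hosts before the first run.
autossh_cmd() {
  fwd=""
  for f in "$@"; do fwd="$fwd -R $f"; done
  echo "$AUTOSSH -M 0 -N -q" \
       "-o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
       "-o ExitOnForwardFailure=yes -o BatchMode=yes" \
       "-o StrictHostKeyChecking=yes -i $KEY" $fwd \
       "$RELAY_USER@$RELAY_HOST"
}

# Relay-side authorized_keys entry for the client's public key.  "restrict"
# turns off pty allocation, agent and X11 forwarding and ~/.ssh/rc;
# "port-forwarding" re-enables only forwarding, and permitlisten pins the
# reverse forwards to the listed relay ports.  With sshd's default
# GatewayPorts no, those ports bind to the relay's loopback only, so they are
# reachable solely by someone already logged in to the relay.
# authorized_keys_line PUBKEY PORT...
authorized_keys_line() {
  pubkey="$1"; shift
  opts="restrict,port-forwarding"
  for p in "$@"; do opts="$opts,permitlisten=\"$p\""; done
  echo "$opts $pubkey"
}

# One-time relay setup, printed rather than run here: a dedicated account with
# no interactive shell whose only credential is the key line above.
# relay_setup PUBKEY PORT...
relay_setup() {
  pubkey="$1"; shift
  cat <<EOF
useradd --create-home --shell /usr/sbin/nologin $RELAY_USER
install -d -m 700 -o $RELAY_USER -g $RELAY_USER /home/$RELAY_USER/.ssh
echo '$(authorized_keys_line "$pubkey" "$@")' > /home/$RELAY_USER/.ssh/authorized_keys
chown $RELAY_USER:$RELAY_USER /home/$RELAY_USER/.ssh/authorized_keys
chmod 600 /home/$RELAY_USER/.ssh/authorized_keys
EOF
}

# Unit for the inside machine: systemd restarts autossh, autossh restarts ssh.
# systemd_unit FORWARD...
systemd_unit() {
  cat <<EOF
[Unit]
Description=Reverse SSH support tunnel to $RELAY_HOST
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
# GATETIME=0: keep retrying even if the very first attempt fails at boot
Environment=AUTOSSH_GATETIME=0
ExecStart=$(autossh_cmd "$@")
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# From the support workstation, using your own relay account: hop through the
# relay to its loopback port, which is the client's sshd.
# support_cmd RELAYPORT
support_cmd() {
  echo "ssh -J support@$RELAY_HOST -p $1 admin@localhost"
}

if [ "${1:-}" = "show" ]; then
  PUB="ssh-ed25519 AAAA-PLACEHOLDER-NOT-A-REAL-KEY tunnel@muncher"  # constructed placeholder
  autossh_cmd 2222:localhost:22 18080:192.168.1.10:80
  echo; relay_setup "$PUB" 2222 18080
  echo; systemd_unit 2222:localhost:22 18080:192.168.1.10:80
  echo; support_cmd 2222
fi
```

Support staff never touch the tun account: they log in to the relay as themselves, and `-J` hops through it to 127.0.0.1:2222 on the relay, which is the client's sshd.  For the web server, `ssh -L 8080:localhost:18080 support@relay.example.com` followed by a browser pointed at http://localhost:8080 reaches 192.168.1.10:80 without that port ever being exposed on the client's public address.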


Note about ADSL in South Africa (and possibly elsewhere)

In South Africa all ADSL connections are ultimately provided by Telkom, even when other ISPs resell them.  Telkom changes the public IP address every 24 hours, a crude attempt to discourage self-hosting on in-house servers over relatively low-cost ADSL services.  Using DDNS works around this well, except that for about 5 minutes around each daily change the DNS record may still point at the old address, which by then may have been assigned to another subscriber, so any connection made in that window is routed to a different server than the intended one.  Where this can cause real trouble is when both the "old" and the "new" holder of the address are running a mail server: mail is delivered to the wrong server, which will probably bounce the messages back to the sender.