02-18-2014, 10:48 AM
|
#1
|
Senior Member
Registered: Aug 2003
Location: Upstate
Distribution: Debian, Mint, Mythbuntu
Posts: 1,249
Rep: 
|
SSH access without a publicly routable IP address?
I have been trying to access my home linux desktop remotely using ssh. The problem is that my cable modem assigns my router a private IP address 172.xx.xx.xx. The router runs Tomato firmware and is set up with DDNS and port forwarding. If I use the 172.xx.xx.xx router address, I can access my desktop from any computer connected wired or wireless on my LAN. On the LAN, access to the desktop using ssh, sshfs mounting, and even serving web pages works. The problem is that I cannot access anything remotely.
My ISP does not assign a publicly routable IP address to the router, and the cable modem offers no configurable options for port forwarding or bridge mode. If I run nmap on the public IP address of my cable modem, it shows all ports as being filtered.
As a test, I installed Bittorrent Sync on my home desktop. Files I place in the sync folder are remotely accessible without making any changes to the router, modem, ports, or firewall. Somehow the Bittorrent Sync application is able to find my desktop and open up a two way connection to it. However, I don't want full, duplicate copies of every file on two machines. What I want is to mount a remote directory using sshfs and move select files to/from that directory. If Bittorrent Sync is able to access my desktop, it seems like there should be a way for ssh to do the same. The folks at DynDNS told me that I am SOL unless my router has a public IP address, so maybe what I want is impossible.
|
|
|
02-18-2014, 04:54 PM
|
#2
|
Member
Registered: Aug 2007
Location: Ottawa
Distribution: Arch Linux/Kubuntu/OpenSUSE
Posts: 300
Rep:
|
My modem originally doubled as a router, so I had my modem/router combo -> another router -> my network. I was able to change my cable modem's functionality and switch the routing completely off, and then the modem was forced to have a public IP address so that the other router would function. I was able to set my port forwarding through my standalone router, and have external facing SSH.
Be wary about this, though. SSH's defaults are not safe, and I was attacked. Switch the port to a more obscure one in the least, and above all else don't allow SSH as root.
|
|
|
02-18-2014, 05:10 PM
|
#3
|
LQ Guru
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573
|
If you can't configure port forwarding in the cable modem, and you can't configure the cable modem to push the public IP to your router, then you might have to go about this in the other direction.
Where are you trying to access your system from? Do you have access to ANY machine outside of your network that you could tunnel the connection through? If you have access to a machine outside of your network, you could configure your desktop to open and maintain a permanent reverse ssh tunnel to that machine, and then you could connect to your desktop from outside your network through the tunnel.
For example, I have my laptop configured to open and maintain a permanent reverse ssh tunnel to my home server. It sets up the tunnel autonomously on boot and keeps it open until the machine is shut off (closing and re-opening the tunnel if it ever gets cut off). This allows me to ssh from my home server into the laptop regardless of what network the laptop is on or how they have the firewall/routing configured (unless of course they block outbound connections on the port I'm using to open the tunnel from the laptop side). In this example my laptop would be your desktop, and my server would be some machine you have access to outside of your home network.
|
|
|
02-18-2014, 05:20 PM
|
#4
|
Senior Member
Registered: Jan 2008
Distribution: Arch/Manjaro, might try Slackware again
Posts: 1,859
|
Quote:
Switch the port to a more obscure one in the least, and above all else don't allow SSH as root.
|
and better yet, disable passwords and require a keyfile.
Does your ISP require that you use their cable modem? Many allow you to get your own, allowing you to have one that is more amenable to acting like a router.
|
|
1 members found this post helpful.
|
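The hardening advice in posts #2 and #4 (no root login, keys instead of passwords, a non-default port) can be checked mechanically. The script below is an added example, not part of the thread; the sample config is constructed, and the check reads only the global section of a single file.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config file.
# Limits: stops at the first Match block, does not follow Include files.

# sshd uses the first value it reads for a keyword; keywords are case-insensitive.
first_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

audit_sshd() {
    cfg=$1; findings=0
    root=$(first_value "$cfg" PermitRootLogin)
    pass=$(first_value "$cfg" PasswordAuthentication)
    port=$(first_value "$cfg" Port)

    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin ${root:-unset}: set it to 'no'"; findings=$((findings + 1)); fi

    # Unset means the built-in default, which is 'yes'.
    if [ "$pass" = "no" ]; then echo "OK   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication ${pass:-unset}: keys only, set it to 'no'"; findings=$((findings + 1)); fi

    # A non-default port cuts scanner noise in the logs; it is not access control.
    if [ "${port:-22}" = "22" ]; then echo "NOTE Port 22: default port, expect constant login attempts"
    else echo "OK   Port $port"; fi

    [ "$findings" -eq 0 ]
}

# Constructed sample: the later 'permitrootlogin no' is ignored, the first value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from the thread
Port 22
PermitRootLogin yes
#PasswordAuthentication no
permitrootlogin no
EOF
audit_sshd "$sample" || echo "=> fix the FAIL lines, then reload sshd"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective settings, including defaults and included files, and is the authoritative source.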
02-19-2014, 07:00 AM
|
#5
|
Senior Member
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,992
|
What suicidaleggroll stated is correct if you have no management access to the router. Also read the links in my sig for more details on this.
|
|
|
02-23-2014, 10:56 PM
|
#6
|
Senior Member
Registered: Aug 2003
Location: Upstate
Distribution: Debian, Mint, Mythbuntu
Posts: 1,249
Original Poster
Rep: 
|
Thank you for all the replies and links with more information. I was totally ignorant about what was going on. Marking SOLVED. My problem is that my ISP appears to have a firewall set up blocking incoming connections, and I have no access to open incoming ports to my router at home. I didn't realize that bittorrent sync is working by using a relay server to connect to my computer at home.
After reading and learning some more, I purchased a VPS hosting service and used it to set up my own relay for ssh tunneling. I disabled port 22 on the VPS and I am using a non-standard port for the connection. I set up keys and a ssh config file to make the ssh connection without a password. I can now use sshfs to mount my home computer as a local directory on my laptop while traveling.
The VPS is actually one of the coolest technology purchases I have made recently. It gives me a full Debian Wheezy system with root access. It is like having a personal Swiss army knife on the internet. Right now, I am just using the VPS to relay the ssh connections, but I think I will install owncloud on it and sync some directories. I currently pay for backup service on Amazon S3 servers and the VPS will also allow me to do my own backups using rsync and ssh to any device that I have root access to, regardless of what firewall is present.
|
|
|
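The relay arrangement described in posts #3 and #6, as an added example that is not part of the thread: the desktop keeps a reverse tunnel open to the outside machine, the tunnel key is restricted on the relay, and the laptop reaches the desktop through the relay. Every host name, user, port and path is a placeholder, and the key restriction assumes a current OpenSSH on the relay.

```shell
#!/bin/sh
# Added example (not from the thread). Hosts, users, ports and paths are placeholders.
RELAY_HOST=${RELAY_HOST:-relay.example.net}  # VPS or other outside machine
RELAY_PORT=${RELAY_PORT:-2200}               # relay's sshd port
RELAY_USER=${RELAY_USER:-tunnel}             # unprivileged relay account
LISTEN_PORT=${LISTEN_PORT:-2222}             # opened on the relay's loopback only
KEY=${KEY:-$HOME/.ssh/tunnel_ed25519}        # key used for nothing but the tunnel
SSH=${SSH:-ssh}

# Desktop: one tunnel attempt. ExitOnForwardFailure makes ssh quit if the relay
# port cannot be bound; the ServerAlive options end a dead session in ~90 s.
open_tunnel() {
    "$SSH" -N -i "$KEY" -p "$RELAY_PORT" \
        -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${LISTEN_PORT}:127.0.0.1:22" \
        "${RELAY_USER}@${RELAY_HOST}"
}

# Desktop: reopen the tunnel whenever ssh exits. $1 = max attempts, 0 = forever.
# The wait doubles up to MAX_DELAY and resets once a session has lasted a minute.
keep_tunnel() {
    max=${1:-0}; tries=0; base=${RETRY_DELAY:-5}; delay=$base
    while [ "$max" -eq 0 ] || [ "$tries" -lt "$max" ]; do
        tries=$((tries + 1)); start=$(date +%s)
        open_tunnel || echo "tunnel closed, ssh exit $?" >&2
        if [ $(( $(date +%s) - start )) -ge 60 ]; then delay=$base; fi
        sleep "$delay"
        delay=$((delay * 2))
        if [ "$delay" -gt "${MAX_DELAY:-300}" ]; then delay=${MAX_DELAY:-300}; fi
    done
}

# Relay: authorized_keys line for the tunnel key ($1 = public key). It may bind
# that one loopback port and nothing else. Needs OpenSSH 7.8+ on the relay.
relay_key_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$LISTEN_PORT" "$1"
}

# Laptop: ~/.ssh/config entry; "ssh home" or "sshfs home: ~/mnt" then goes via the relay.
laptop_config() {
    printf 'Host home\n  HostName 127.0.0.1\n  Port %s\n  ProxyJump %s:%s\n' \
        "$LISTEN_PORT" "$RELAY_HOST" "$RELAY_PORT"
}

if [ "${1:-}" = "start" ]; then keep_tunnel 0; fi
```

Because the listener is bound to the relay's loopback address, the desktop's sshd is reachable only by someone who can already log in to the relay, and the laptop still authenticates to the desktop end to end through the tunnel.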
02-24-2014, 07:26 AM
|
#7
|
Senior Member
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,992
|
Congrats, and glad you were able to get a working setup to bypass the ISP's fire/paywall.
|
|
|