AutoSshTunnel

19th February 2018 at 8:48pm
OpenSSHTipsAndTricks sslh TechnicalNotes UsingSSHAgentWithCron

This example assumes you need to work from home, and thus need to have a permanent tunnel to allow you to SSH in to your work computer.

This guide uses a passphraseless private key, which typically isn't a good thing. (See my notes on passphraseless keys and cron here: UsingSSHAgentWithCron).

We assume your work computer is work.fqdn, with a non-routed RFC1918 private IP of 192.168.0.1. Your external NAT IP from work on to the Internet is 1.2.3.4.

We assume your home computer is home.fqdn, with a non-routed RFC1918 private IP of 10.0.0.10. Your home computer also has a publicly routed external static IP address of 9.8.7.6, so you are able to make an SSH connection outbound from your work computer in to your home computer.

+----------------+ Ext. IP          +--------------+
|  WORK          | 1.2.3.4          |  HOME        |
|  work.fqdn    ==========SSH=======>> home.fqdn   |
|  192.168.0.10  |          Ext. IP |  10.0.0.10   |
+----------------+          9.8.7.6 +--------------+

We are going to use your ability to SSH from work.fqdn to home.fqdn to create and maintain a permanent tunnel, allowing you to SSH from home.fqdn to work.fqdn.

  • First, install the autossh package on work.fqdn:
sudo apt-get install autossh
  • Create an autossh user on both computers:
sudo useradd -r -d /var/lib/autossh -s /usr/sbin/nologin autossh
sudo mkdir -m 0700 -p ~autossh/{.ssh,bin}/
  • Create an SSH key pair on work.fqdn:
sudo ssh-keygen -t rsa -b 4096 -N '' -f ~autossh/.ssh/id_rsa_autossh
  • Add the host SSH fingerprints of home.fqdn to your autossh user on work.fqdn:
sudo bash -c 'ssh-keyscan -t rsa,dsa,ecdsa -p 22 9.8.7.6 > ~autossh/.ssh/known_hosts'
  • Add ~autossh/bin/tunnel script on work.fqdn:
#!/bin/bash

set -Eexuo pipefail

# Start autossh only if no instance is already running for this user.
# No -c option: the RC4 "arcfour" ciphers are no longer supported by OpenSSH,
# so cipher selection is left to the client/server defaults.
# -N requests no remote command, so the trailing /usr/sbin/nologin is not
# executed; it merely mirrors the forced command set on home.fqdn.
pgrep -u autossh autossh >/dev/null \
  || autossh \
       -f \
       -F /dev/null \
       -4 \
       -x \
       -a \
       -g \
       -n \
       -N \
       -o PreferredAuthentications=publickey \
       -o LogLevel=QUIET \
       -o TCPKeepAlive=yes \
       -o ServerAliveInterval=60 \
       -o BatchMode=yes \
       -o ExitOnForwardFailure=yes \
       -R 10.0.0.10:2022:127.0.0.1:22 \
       -i ~/.ssh/id_rsa_autossh \
       -l autossh \
       -p 22 9.8.7.6 \
       /usr/sbin/nologin
  • Fix up file permissions for the autossh user on work.fqdn:
sudo chmod 0700 ~autossh/bin/tunnel
sudo chmod 0600 ~autossh/.ssh/{known_hosts,id_rsa_autossh,id_rsa_autossh.pub}
sudo chown -R autossh:autossh ~autossh/
  • Add the SSH public key from work.fqdn to the autossh account on home.fqdn (replace the ssh-rsa AAA...AAA with the contents of the SSH public key from work.fqdn; ~autossh/.ssh/id_rsa_autossh.pub):
sudo tee ~autossh/.ssh/authorized_keys > /dev/null << 'EOT'
from="1.2.3.4",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,command="/usr/sbin/nologin" ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA autossh@work.fqdn
EOT
sudo chown -R autossh:autossh ~autossh/
sudo chmod 0600 ~autossh/.ssh/authorized_keys
  • Enable GatewayPorts in /etc/ssh/sshd_config on home.fqdn:
sudo grep -q '^[#[:space:]]*GatewayPorts' /etc/ssh/sshd_config || sudo bash -c 'echo "GatewayPorts clientspecified" >> /etc/ssh/sshd_config'
sudo perl -pi -e 's/^[#\s]*(GatewayPorts)\s+.*$/$1 clientspecified/g' /etc/ssh/sshd_config
sudo service ssh restart
  • Add the tunnel script to the autossh user's crontab on work.fqdn:
echo '*/5 * * * * ~/bin/tunnel >> ~/tunnel.log 2>&1' | sudo crontab -u autossh -
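As an added example that is not part of the original note, the following script audits the home.fqdn side of the setup above: it checks that every key in the autossh authorized_keys file still carries the from=, no-pty, no-agent-forwarding, no-X11-forwarding and command= restrictions, and that the effective GatewayPorts value in sshd_config is clientspecified. The key lines and config contents it reads are constructed samples; on a real home.fqdn you would point the functions at ~autossh/.ssh/authorized_keys and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original note): audit the home.fqdn side of the
# tunnel for two things the setup silently depends on: every key in the
# autossh authorized_keys carries from=, no-pty, no-agent-forwarding,
# no-X11-forwarding and command=, and the effective GatewayPorts value in
# sshd_config is "clientspecified" (sshd honours the first uncommented match).
# The inputs below are constructed samples so the script runs offline.
# Return 0 if the options field of an authorized_keys line has every
# required restriction. Assumes the options contain no spaces (as in the note).
key_line_is_restricted() {
    opts=${1%% *}
    for opt in 'from=' 'no-pty' 'no-agent-forwarding' 'no-X11-forwarding' 'command='; do
        case $opts in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
}

# Print how many key lines in file $1 lack one of the restrictions.
count_unrestricted_keys() {
    n=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        key_line_is_restricted "$line" || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Print the effective GatewayPorts value from sshd_config $1 ("no" if unset).
# Does not follow Match blocks, which can override the global value.
effective_gatewayports() {
    awk 'tolower($1) == "gatewayports" { print $2; found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Return 0 only when both checks pass for the files in directory $1.
audit_home_side() {
    [ "$(count_unrestricted_keys "$1/authorized_keys")" -eq 0 ] &&
    [ "$(effective_gatewayports "$1/sshd_config")" = clientspecified ]
}
# Constructed sample inputs: the guide's key plus a later, unrestricted key.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys" << 'EOF'
from="1.2.3.4",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,command="/usr/sbin/nologin" ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB autossh@work.fqdn
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5 someone@laptop
EOF
printf '#GatewayPorts no\nGatewayPorts clientspecified\nGatewayPorts yes\n' > "$demo_dir/sshd_config"
audit_home_side "$demo_dir" && echo "home side OK" || echo "home side NOT OK: $(count_unrestricted_keys "$demo_dir/authorized_keys") unrestricted key(s)"
```

With the sample files the audit reports one unrestricted key, which is exactly the case this check is meant to catch after someone appends an ordinary key to the autossh account.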

To check that the work crontab has worked okay and correctly established the tunnel (you may need to wait up to 5 minutes), execute the following command on home.fqdn:

sudo netstat -ltnp | grep autossh

You should now be able to execute ssh -p 2022 10.0.0.10 at home in order to SSH to your computer at work.

If you're the lazy type, you may wish to make life a little easier and add something like the following to your ~/.ssh/config file on your home computer:

Host work
  Hostname 10.0.0.10
  Port 2022
  User YOUR_USERNAME_AT_WORK
  DynamicForward 127.0.0.1:1080
  ForwardAgent yes
  TCPKeepAlive yes
  ServerAliveInterval 60
  LogLevel QUIET

You can then type ssh work from a home computer. As an added benefit you get a free SOCKS proxy listening on port 1080 on localhost, which you can point your web browser at to reach your company Intranet site, monitoring web UI, etc.

If you're naughty and want to circumvent work restrictions on outbound SSH connections, you can use https://github.com/yrutschle/sslh to configure your home.fqdn SSH server to listen on port 443, and then use https://github.com/proxytunnel/proxytunnel in your work ~/.ssh/config file with the ProxyCommand directive.
