Let a Remote Server Use Your Local Internet Over SSH TUN
Imagine you have a remote server behind a restrictive firewall, but your local machine has a decent internet connection. With SSH TUN and a bit of NAT, you can let that remote server send its traffic through your local connection. This post shows you how.
Why This Setup Is Useful
- No Extra VPN Software: Use the SSH daemon you already have.
- Firewall-Friendly: SSH (port 22) is often allowed even where VPN ports are blocked.
- Encryption: Traffic is protected by SSH.
- Temporary or Quick Usage: Great for brief tasks or tests.
Step 1: Configure the Remote Server
You’ll need to enable TUN support in the SSH daemon on the remote server, so it can create a TUN interface. Edit /etc/ssh/sshd_config:
# /etc/ssh/sshd_config
PermitTunnel yesThen restart SSH:
sudo systemctl restart sshStep 2: Open the TUN Tunnel from Your Local Machine
On your local machine (the one with the better internet connection), run the following command. This requires sudo because creating TUN interfaces typically needs elevated privileges:
sudo ssh -w 0:0 [email protected]This creates a tun0 interface on both your local machine and the remote server. If tun0 is already used, try -w 1:1 (which makes tun1), etc.
Step 3: Assign IP Addresses
Use a second terminal or a multiplexer (like tmux/screen) so the SSH session stays alive. You’ll configure tun0 on both sides:
On Your Local Machine (new terminal):
sudo ip addr add 10.0.0.1/24 dev tun0
sudo ip link set tun0 upOn the Remote Server (inside the SSH session or another SSH window):
sudo ip addr add 10.0.0.2/24 dev tun0
sudo ip link set tun0 upTip: You can pick any private subnet you like (e.g., 10.8.0.x, 10.0.9.x, etc.), as long as it doesn’t conflict with existing networks on either side.
Step 4: Enable IP Forwarding Locally
Your local machine must act like a router for the remote server. Enable IP forwarding:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forwardIf you want this to persist, put net.ipv4.ip_forward=1 in /etc/sysctl.conf.
Step 5: Set Up NAT (Masquerading) on Your Local Machine
To let the remote server access the Internet via your local machine, use NAT. Suppose your local Internet interface is eth0:
sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADEThis rewrites (masquerades) any packets from 10.0.0.x so they appear to come from your local machine’s IP on eth0. If you’re using nftables or a different interface name, adjust accordingly.
Step 6: Change the Remote Server’s Default Route
Finally, on the remote server, tell it to send all its Internet traffic through 10.0.0.1 (your local TUN IP):
sudo ip route replace default via 10.0.0.1 dev tun0Any traffic from the remote server now goes through tun0 to your local machine, which NATs it out to the Internet!
Verification
On the remote server, try:
ping 8.8.8.8If you see replies, you’re golden. To verify which public IP it’s using, run:
curl ifconfig.meIf it shows your local machine’s IP, the remote server is successfully borrowing your connection.
Teardown Steps
When you’re ready to remove the setup:
- Restore the remote server’s default route to whatever it was before, for example:
sudo ip route replace default via ORIGINAL_GATEWAY dev eth0 - Remove the NAT rule on your local machine:
sudo iptables -t nat -D POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE - Disable IP forwarding (optional):
echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward - Close/exit the SSH session that created the
tun0interface. It should go down automatically.
