Friday, December 30, 2016

Reverse proxy to NAT'ed machines

I am running some webapps that I need to demonstrate to other people without giving them my home IP address.

My setup:
I have a virtual machine running the webapps, behind NAT at home.

  • I do not want to send my IP address to people I’m demonstrating the application to.
  • I do not want to open a port then do port forwarding.

The three solutions I thought of are reverse SSH tunneling, VPN, and Tor hidden services.

I love Tor hidden services and I do use them, but I will not be covering them in this blog post. I do not want the people I'm demoing the project to have to download Tor, and I also don't want to set up a Tor SOCKS proxy for them.

Reverse SSH solution:
CLIENT is behind a NAT with a webapp running on port 8000. SERVER (SSH server and reverse proxy server) has a public IP address that CLIENT can SSH into.

You can read more information about reverse SSH tunneling here: and

Tools: Just an SSH server and a client.

ssh -R 8001:localhost:8000 user@SERVER

8001 is the port that will be opened on SERVER.
8000 is the port open on CLIENT, where the webapp is running.

SERVER can now reach the webapp on CLIENT (port 8000) by connecting to localhost:8001. By default sshd binds a -R forward to SERVER's loopback interface only, so port 8001 is not reachable from the internet unless GatewayPorts is enabled in sshd_config; it is the reverse proxy on SERVER that exposes the app to your audience.

Note: you can also do the following:
ssh -R 8001: user@SERVER

In this case, when SERVER visits localhost:8001, it reaches a webapp running on another machine on CLIENT's network, since CLIENT forwards the connection to whatever address it can reach.
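The tunnel above, as an added example that is not part of the original post: a helper that prints the reverse-tunnel command with options that make a failed or dropped forward visible, and a check to run on SERVER that the forwarded port is bound to loopback only. Port numbers and user@SERVER follow the post; the check assumes the output format of `ss -ltn` (iproute2) on SERVER.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's layout:
# CLIENT serves the webapp on 8000, SERVER is reachable as user@SERVER and
# has the `ss` utility (iproute2).

# Print the ssh command that opens the reverse tunnel.
#  -N                       no remote shell, just the forward
#  ExitOnForwardFailure=yes exit instead of carrying on silently when the
#                           remote port is already taken on SERVER
#  ServerAliveInterval=30   notice a dead NAT mapping so a wrapper loop
#                           (while :; do ...; sleep 5; done) can reconnect
#  127.0.0.1:8001           bind explicitly to SERVER's loopback so the app
#                           is only reachable through the reverse proxy
tunnel_cmd() {
    local_port=$1 remote_port=$2 dest=$3
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:localhost:%s %s' \
        "$remote_port" "$local_port" "$dest"
}

# Read `ss -ltn` output on stdin (one listening socket per line, local
# address in field 4; the header line is skipped because its fourth field
# is not address:port) and check the given port. Exit status: 0 if every
# listener on the port is bound to a loopback address, 1 if any listener is
# bound elsewhere (the app is exposed directly), 2 if the port is not listening.
forward_is_loopback_only() {
    port=$1
    found=0
    while read -r _state _recvq _sendq laddr _rest; do
        case "$laddr" in
            *:"$port") ;;        # a listener on our port, inspect it
            *) continue ;;       # some other port, or the header line
        esac
        found=1
        case "$laddr" in
            127.*:"$port"|"[::1]:$port") ;;   # loopback, fine
            *) return 1 ;;                    # 0.0.0.0, [::] or a real IP
        esac
    done
    [ "$found" -eq 1 ] || return 2
    return 0
}

# Run on SERVER once the tunnel is up:
#   ss -ltn | forward_is_loopback_only 8001 && echo "8001 is loopback-only"
```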


VPN solution:
In this solution, SERVER is an OpenVPN server and also runs the reverse proxy. CLIENT has a webapp running on port 8000.

CLIENT connects to SERVER over the VPN. The reverse proxy running on SERVER can then reach any port open on CLIENT.

OpenVPN 2.4 and OpenVPN-install script

On CLIENT and SERVER, add OpenVPN repositories as described here:

I was using Ubuntu 14.04, so I ran the following commands on my SERVER and CLIENT:
sudo -s
wget -O -|apt-key add -
echo "deb trusty main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

To install OpenVPN, run the following commands:
apt-get update && apt-get install openvpn

OpenVPN is now installed on both CLIENT and SERVER.

On the server, we will be using the OpenVPN-install script from here:

Simply follow the steps here:

I ran the following on the server:
chmod +x

Please select whatever options meet your requirements.
At the end, you’ll have a client.ovpn file in ~/.
Transfer the file to your CLIENT machine.

I do not want CLIENT's internet traffic to leave through SERVER; the VPN should only give SERVER a route to CLIENT, not become CLIENT's default gateway. I did that by changing the OpenVPN server configuration file.
You will need to edit /etc/openvpn/server.conf

Comment out the following lines by adding # at the start of each line:
push "dhcp-option DNS X.X.X.X"
push "dhcp-option DNS X.X.X.X"
push "redirect-gateway def1 bypass-dhcp"

It should look like this afterwards:
#push "dhcp-option DNS X.X.X.X"
#push "dhcp-option DNS X.X.X.X"
#push "redirect-gateway def1 bypass-dhcp"

Run the following commands on SERVER to restart OpenVPN and make sure the server is up and running:
service openvpn restart
service openvpn status

We need to change an iptables rule to allow traffic from SERVER to CLIENT.
If you run 'iptables -t nat -L', you'll see the following:
SNAT       all  --          anywhere             to:YOUR_SERVER_IP

We will delete that rule. Without it, CLIENT's internet traffic can no longer be NATed out through SERVER, which is what we want.

We can delete the rule with the following command:
iptables -t nat -D POSTROUTING -s -j SNAT --to-source YOUR_SERVER_IP

You will also need to remove the corresponding iptables command from /etc/rc.local afterwards, otherwise the rule is recreated on the next reboot.

Now, when CLIENT is VPN'ed into SERVER, it will use its own gateway for internet traffic instead of the VPN server. SERVER will also be able to access any open ports on CLIENT.
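The two server-side edits above (commenting out the push lines, deleting the SNAT rule), as an added example that is not from the original post: one function comments out the push lines in /etc/openvpn/server.conf and can be re-run safely, another turns the SNAT rule exactly as printed by `iptables -t nat -S POSTROUTING` into the matching delete command so the source subnet is never retyped by hand. The subnet and server address in the usage comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's paths and
# names: /etc/openvpn/server.conf written by the OpenVPN-install script, and
# a SNAT rule in the nat table's POSTROUTING chain. The subnet and server
# address in the usage comments are constructed placeholders.

# Comment out the push lines that would make SERVER CLIENT's default gateway
# and DNS server. Lines already starting with '#' are untouched, so the
# function can be re-run safely. A server.conf.bak copy is kept by sed.
disable_full_tunnel() {
    conf=$1
    sed -i.bak \
        -e 's/^\(push "redirect-gateway[^"]*"\)/#\1/' \
        -e 's/^\(push "dhcp-option DNS[^"]*"\)/#\1/' \
        "$conf"
}

# Print how many of those push lines are still active. 0 means CLIENT keeps
# its own gateway and DNS while connected (grep -c exits 1 on zero matches,
# hence the || true so the count is still printed).
count_active_push() {
    grep -c -E '^push "(redirect-gateway|dhcp-option DNS)' "$1" || true
}

# Read `iptables -t nat -S POSTROUTING` output on stdin and print a delete
# command for each SNAT rule found, with the rule spec copied verbatim
# (-A becomes -D), so the source subnet never has to be retyped.
snat_delete_cmds() {
    while read -r rule; do
        case "$rule" in
            "-A POSTROUTING "*" -j SNAT "*)
                printf 'iptables -t nat -D %s\n' "${rule#-A }" ;;
        esac
    done
}

# On SERVER (10.8.0.0/24 and 203.0.113.10 below are constructed placeholders):
#   disable_full_tunnel /etc/openvpn/server.conf && service openvpn restart
#   iptables -t nat -S POSTROUTING | snat_delete_cmds        # review first, e.g.
#   # iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.10
#   iptables -t nat -S POSTROUTING | snat_delete_cmds | sh   # then apply
#   (and remove the matching line from /etc/rc.local, as the post says)
```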

On the client:
As root, run 'openvpn --config client.ovpn' to connect to SERVER. You can now set up the reverse proxy to allow SERVER to access the CLIENT webapp.


Reverse Proxy:
You can learn more about setting up reverse proxy here:

(Just like the post here: This post is for documenting solutions to my problems. Hope it helps out. Shout out to MSPaint.)


  1. Depending on the web app, you may run into trouble with the reverse proxy and session handling. I've been using the SSH tunnel with slightly different syntax:

    ssh -N -L 8001: user@SERVER -p 65535

    The above allows for the use of a non-standard port (65535) for the SSH service. I've used this with both ssh on Linux and PuTTY on Windows (though the last switch might be a capital "P", IIRC).

    One other tool to consider is sshuttle, which is SSH-based and handles more than a single port.
