You can do it easily, without any expense.
1) At home, get a (free) dns from no-ip.com. You will be given a name like
my_name.no-ip.biz
2) Set it up, either on your router or on your pc; this way, even if your ISP changes your IP address, the moniker above always points to your home. The site no-ip.com has instructions on how to do this.
3) in your router, forward ports 6521 and a port for ssh (2222?) to your pc.
4) At work: set up a reverse tunnel to the moniker above, at first with ssh, and just check it works;
5) now download autossh for your distro, a small wrapper which uses port 6521 (that's why!) to check that the connection is still active, and if it is not it kills the running instance of ssh and starts a new one.
Typically, I write an executable called auto with this content:
#!/bin/sh
/usr/lib/autossh/autossh -M 6521 -f -p 2222 -2 -N -R 8400:localhost:22 my_name@no-ip.biz -i /home/myname/.ssh/id_rsa
This sets up a passwordless ssh connection (see the use of the cryptographic key **id_rsa) without terminal (-N), in protocol 2 (-2), using port 6521 to check that the connection is still active, and redirecting to my home port 22 all that is sent to port 8400 at work.
I put this line
su myname -c /home/myname/bin/auto
to execute the executable file auto in /etc/rc.local automatically at boot, as myself instead of root. I can now connect to my work pc with the command:
ssh -Y myname_at_work@localhost -p 8400 -i /home/myname/.ssh/id_rsa_work
where I now have to use the passwordless key for work. I have found that this connection is always, always up. Truly satisfactory.
Best Answer
I think the problem with your example is the final arguments; you are
ssh
ing to B, when you should be listing the "final destination", albeit the port-forwarded host/port, which is port 10000, but should belocalhost
, notB
, asB
is resolved from the perspective ofA
, and port 10000 onB
is probably not open externally. E.g., corrected:To prove it to myself, I setup the same experiment, albeit slightly simpler since my username is the same on all hosts, and I'm using agent forwarding; note that my
hophost
(yourB
) accepts ssh on a non-standard port, 2222.On C:
Then on A:
Alternatively, you can encode a bunch of this into your
.ssh/config
on A:Then your command on A is simply
Note I also included two alternative
ProxyCommand
versions. The first usesnc
in case yourssh
version is older than 5.3, when the-W
option was added. The other uses a proxy script I've used for a long time to both hop-through some hosts (as in this example) and usecorkscrew
to get out from firewalls which block outboundssh
. You can see thessh-proxy
script on my github. It simplifies~/.ssh/config
entries when you want to use a proxy forHost *
entries, but I don't promise that it always works in all situations, as I've modified it over time as I've needed to for different situations, so any of the options might be fragile or even busted, but it might help.