OpenSSH is secure enough to be accessible over the open Internet, if configured properly. So setting up a reverse tunnel that is publicly accessible is fine, if the forwarded port is secured properly.
Some tips for securing OpenSSH:
Protocol 2
PermitRootLogin no
HostBasedAuthentication no
PasswordAuthentication no
UsePrivilegeSeparation yes
PubkeyAuthentication yes
- Set up SSH keys for all users who will access SSH remotely
- Restrict users that can log in with AllowUsers
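As an added example (not part of the original answer), this Python sketch audits an sshd_config text against the settings listed above. It assumes sshd's documented rule that the first value obtained for a keyword is used, inspects only the global section before any Match block, and runs on a constructed sample config; the names `EXPECTED`, `SAMPLE`, `parse_global` and `audit` are hypothetical.

```python
import re

# Settings from the answer above; AllowUsers is checked for presence only.
EXPECTED = {"protocol": "2", "permitrootlogin": "no",
            "hostbasedauthentication": "no", "passwordauthentication": "no",
            "useprivilegeseparation": "yes", "pubkeyauthentication": "yes"}

# Constructed sample config (not from a real host).
SAMPLE = """\
Protocol 2
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
"""

def parse_global(text):
    """Return {keyword: [args]} for the global section (before any Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:                      # blank lines and '#' comments do not match
            continue
        key = m.group(1).lower()       # keywords are case-insensitive
        if key == "match":             # Match settings apply conditionally
            break
        # sshd uses the first value obtained for a keyword; ignore repeats.
        settings.setdefault(key, m.group(2).split())
    return settings

def audit(text):
    """Map each checked keyword to 'ok', 'missing' or 'mismatch: <value>'."""
    cfg = parse_global(text)
    report = {}
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            report[key] = "missing"
        else:
            report[key] = "ok" if got[0].lower() == want else "mismatch: " + " ".join(got)
    report["allowusers"] = "ok" if cfg.get("allowusers") else "missing"
    return report

if __name__ == "__main__":
    for keyword, status in audit(SAMPLE).items():
        print(f"{keyword:26} {status}")
```

A "missing" result means sshd falls back to its built-in default for that keyword. Recent OpenSSH releases treat Protocol and UsePrivilegeSeparation as deprecated, so "missing" for those two is expected on a current install.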
Since you have not provided additional information, I will elaborate on my comment as to what I think is happening here.
Just to preface this, please forgive me for assuming you have made this mistake, I'm just going on what you're saying:
"I'm layman in this subject (Computer Network)."
I believe that you are trying to use your home computer's private IP address when trying to SSH into it from work. This would produce one of two behaviors depending on the network configuration at your home and workplace:
- Your home and office networks use the same private IP address space, in which case, you will either be attempting to connect to a machine at your office that just happens to have the same private IP as your home computer[1] or (more likely), you will not find such a machine on your office network and will get something along the lines of "Host unreachable" or "No route to host".
- Your home and office networks use different private IP address spaces (the by far more likely scenario), in which case, you're attempting to reach a machine in a different private network and you'll get the "Network unreachable" error.
Then why did it work before?
My guess is, this happened at a time you had brought your laptop to work, in which case, both devices were on the same private network. When you reported it "working" you were thinking that the issue has to do with your SSH daemon rather than with your network configuration.
So how can I work around this?
There are several solutions. Here are some that I can think of:
- As per Red Cricket's comment, make sure your laptop is connected to your company's VPN before you leave the house in the morning. This will make both devices appear to be on the same private network.
- Shell out for a static IP address provided by your ISP. This may be too costly and too risky[2] for the benefits you get, though. It's up to you to decide.
- Look at a dynamic DNS service. Most of these come at a cost, too; but there seem to be some sites willing to offer up the service for free. Again, you need to mind your security and privacy in this case.
- You can use Dropbox to run simple commands/scripts on your laptop. DISCLAIMER: I have not tried this method and am not necessarily vouching for its success/security.
Note that in both solutions 2 and 3 above, you'll need some mechanism to forward the SSH port that your laptop listens on (this is port 22 by default) from your gateway router (where the connection will come) to your laptop. This can often be accomplished from within the router itself. In your router's interface, look at NAT (network address translation) options. In some routers, this may be filed under a "Gaming" category.
[1] Of course that office machine may or may not have an SSH daemon running. So you'll either be asked to provide credentials for the user you're trying to log in as (the odds of those being the same as your laptop's credentials are also slim) or you'll get a "Connection refused" error since there is no SSH listener running (on the standard SSH port) on that device.
[2] Your device having a static IP makes it a stationary target for attackers, so you might want to think about firewalling and tight access control in that case.
Best Answer
It should work fine, it's not more secure than using a different port for ssh (or less secure for that matter). And no, outbound TCP sockets are not the same as inbound TCP sockets - so it should not interfere with your outbound network traffic.