*edited 5apr25 to add sshtunnel user<\/p>\n\n\n\n
Some cell carriers and ISPs do carrier-grade network address translation (CGNAT) so you don’t get a public IPv4. So to connect to a computer (or network) behind CGNAT, you need a virtual private server (VPS) or some other machine that is<\/em> reachable directly. You can then create a tunnel between the CGNAT’d machine to the exposed machine and use that tunnel to connect directly. There are many ways to skin a cat (Cloudflare, Tailscale, Headscale, RealVNC) but my method uses SSH and OpenVPN since it doesn’t rely on cloud services. I used to use autossh (of which there are various<\/a> guides<\/a>), but systemd renders it<\/a> unnecessary<\/a>, and was more complicated (some solutions use old initd methods). I use the guide here<\/a>, but will recreate it here in case it disappears. (credit: https:\/\/blog.stigok.com<\/a>). Options used:<\/p>\n\n\n\n Create a service file in \/lib\/systemd\/system or \/etc\/systemd\/system called ssh-reverse.service Just add the ports you want to forward (in my case ssh and openvpn) and put in the ip address of the VPS. You will need to adjust the \/etc\/ssh\/sshd_config<\/mark> settings on the VPS to allow port forwarding as follows:<\/p>\n\n\n\n-g Allows remote hosts to connect to local forwarded ports\n-N Do not execute a remote command\n-T Disable pseudo-terminal allocation\n-o Used to give options in the format used in the configuration file (man ssh_config)\n ServerAliveInterval Interval in seconds to ping the server while connection has been inactive\n ExitOnForwardFailure Whether to terminate the connection if it cannot set up all requested port forwards\n-R Forward given remote TCP port (22221) to the local port (22)\n-v Verbose mode. More v's increase verbosity.<\/code><\/pre>\n\n\n\nsudo nano \/etc\/systemd\/system\/ssh-reverse.service<\/code><\/mark> and put in the following:<\/p>\n\n\n\n[Unit]\nDescription=Reverse SSH connection\nAfter=network.target\n\n[Service]\nType=simple\nExecStart=\/usr\/bin\/ssh -vvv -g -N -T -o "ServerAliveInterval 10" -o "ExitOnForwardFailure yes" -o StrictHostKeyChecking=no -R 21194:localhost:1194 -R 20022:localhost:22 sshtunnel@12.34.56.78\nRestart=always\nRestartSec=5s\n\n[Install]\nWantedBy=default.target<\/code><\/pre>\n\n\n\nAllowAgentForwarding yes\nAllowTcpForwarding yes\nGatewayPorts yes\nX11Forwarding yes\nTCPKeepAlive yes\nClientAliveInterval 300\nClientAliveCountMax 2\nPermitTunnel yes<\/code><\/pre>\n\n\n\n