How to connect by NoMachine and reverse SSH tunnel

Added on: 2016-01-07 Last Modified: 2020-05-06
ID: AR01N00870 Applies To: NoMachine Software

When the NoMachine (server) computer is behind a NAT router or a firewall and the router does not support UPnP or NAT-PMP, it's possible to use an intermediary host to bypass the firewall by using the reserve SSH tunnel technique.

How to configure reverse SSH tunnel with NoMachine

To configure reverse SSH tunnel you need  three hosts:

1) The source host (A)

2) The intermediary host (B)

3) The destination host (C).


The source Host (A) is the host from which you want to start the NoMachine connection.
It's the device where you have installed NoMachine client or from which you run the connection by web.

The intermediary Host (B) will work as a gateway to the destination host (C).
A working SSH server must be installed on this host. Let's assume it's a Linux host.

The destination Host (C) is the host that you want to access via NoMachine. 
This is the host behind NAT or firewall, where NoMachine server is installed .

To create reverse SSH tunnel on intermediary Host (B):

- add "GatewayPorts yes" to the /etc/ssh/sshd_config file

To create reverse SSH tunnel on Destination Host (C):

- execute this command in a console as root:

   ssh -fN -R *:PortNumber:localhost:4000 usernameOnHostB@IP_HostB

Replace 'PortNumber' with the appropriate number of the port to be mapped to 4000, 'usernameOnHostB' with the name of the user who will connect via NoMachine and IP_HostB with the IP of the intermediary Host (B).


- The connecting user must have the same account (user name and password) on the intermediary Host (B) and on the destination Host (C).

- Example above is tailored for NoMachine connections by NX protocol, which uses by default port 4000.


When the reverse SSH tunnel is created, you should then be able connect to the destination Host (C) via the intermediary Host (B).

To do this, create the NoMachine connection on the source Host (A) by specifying in the client GUI:

- IP address of the intermediate Host (B), i.e. IP_HostB

- number of the mapped port, i.e. PortNumber

- Protocol NX

 and log-in with credentials of the specified account, i.e. usernameOnHostB