Reverse SSH tunnel for Bitcoin Core daemon

If your Bitcoin Core daemon runs behind NAT and your ISP doesn't provide a public IP address, you may run it as a Tor hidden service to make it publicly available. However, that might not be sufficient for some use cases and thus a reverse SSH tunnel might come handy.

Prerequisites

• Bitcoin Core daemon running on a Linux machine behind NAT.
  • Let's call the machine node.
• A server with public IP address you have full access to.
  • Let's call the server vps.

Instructions

vps

1. Create system user bitcoin if not already present.
2. Edit /etc/ssh/sshd_config:
   • Allow remote hosts to forwarded ports by setting GatewayPorts option to yes.
   • Append bitcoin user to AllowUsers if you already use this option.
3. Restart SSH daemon for changes to take effect:

   $ sudo systemctl restart sshd.service

4. Open TCP port 8333 in your firewall.

node

1. Install autossh if not already present.
2. Use ssh-keygen to generate SSH key for user bitcoin.
3. Append the following snippet to /home/bitcoin/.ssh/config:

   Host vps
     HostName #FIXME
     RemoteForward 8333 localhost:8333
     ServerAliveInterval 30
     ServerAliveCountMax 3

   Replace #FIXME with the IP address of your vps.
4. Use ssh-copy-id to copy generated SSH key to vps.
5. Copy bitcoind-tunnel.service to /etc/systemd/system/bitcoind-tunnel.service
6. Reload systemd services:

   $ sudo systemctl daemon-reload

7. Start the service and enable it at startup:

   $ sudo systemctl start bitcoind-tunnel.service
   $ sudo systemctl enable bitcoind-tunnel.service

That's it, your node is publicly available! You may check it via bitnodes.io.

Resources

• Directions for setting up a reverse ssh tunnel as a systemd service in Linux
• SSH tunnelling for fun and profit: AutoSSH