Use Double SSH Tunnels Instead of VPN to Access Private Network

Peter Xie
4 min readMar 26, 2021
Photo by Aaron Burden on Unsplash

During the covid-19 pandemic, most people work from home and VPN is a common approach to access insecure private network servers like an HTTP server without access authentication. Most modem servers have security control and can be moved to the internet for direct access by assigning a public IP address and a domain name, such as JIRA and Confluence servers. So there should be a very limited number of legacy servers that are kept in the private network and are protected by VPN, i.e. only accessible from the private network. In this post, I will explain how you can access private servers directly in a secure way using double SSH tunnels (Local + Remote) as an alternative to VPN.


Double SSH Tunnels

Imagine you have a corporate private network in 10.0.0.x, and you have a PC in the office ( or any device that can run as an SSH client. You can use the office PC to create an SSH tunnel to a public Linux server (accessible on the internet) as a bridge to access other servers or devices in the office private network, such as an HTTP server (

Remote Tunnel

The first step is to create a remote tunnel from the office PC to the public server, e.g. Assume you access the public server with an SSH key (sshkey.pem).

Run this command on your office PC if it is a Linux:
ssh -R 9000: -i sshkey.pem -f -N <username>

  • -R 9000: This creates a remote tunnel and the public server is listening on port 9000. When you access the port 9000 on the public server, it is redirected to the private server on port 80 (HTTP) via office PC Note that for security reasons the port 9000 is listening only on localhost, not all IP addresses on the server. Run netstat -anp|grep 9000 on the public server and you will see that as follows.
  • -f -N This is optional. “The -f option tells the ssh command to run in the background and -N not to execute a remote command.”
Peter Xie

Code Simple | Python and AI Enthusiast |