
In some cases one may want to connect to a WebFaction server via SSH on a port other than the standard port 22.

What's the best way to set up a tunnel which would allow this to work reliably and transparently?

asked 13 Aug '13, 19:47


This will be very straightforward. In essence, it boils down to these four steps:

  1. Create a new Custom Application (listening on port) in the Control Panel. This will assign a port to you for your use, and is the port you will connect to via SSH.
  2. Set up key-based authentication so you can successfully "ssh localhost" without being prompted for a password
  3. Create a watchdog script which starts a tunnel from the assigned port to port 22 if one is not already running
  4. Run this script periodically on cron, so that the tunnel starts automatically whenever it's not running

For (1), create a new application in the control panel of type "Custom Application (listening on port)". This application will have a port assigned. Tick the "Open a port in the server firewall for the application." option when creating the app.

This will open the port on a separate IP address, known as the "open-ports IP address", which will be added to your account free of charge. Note that this is not a dedicated IP address (others will be using the same IP as well); it's just an IP used for external port access.

Record the IP address and Port; they will be needed later. For convenience, this guide will use the IP address "999.999.999.999" and port "77777" in the examples. You will replace them with your IP and port, respectively.

IP:      999.999.999.999
PORT:    77777

For (3), you would set up SSH key-based authentication as described in our documentation.

However, instead of connecting from your local machine to the WebFaction server, you'll be setting this up to allow you to connect from the WebFaction server to itself, via localhost. These commands will do this for you:

mkdir -p $HOME/.ssh
cd $HOME/.ssh
if [ ! -f $HOME/.ssh/id_dsa ]; then ssh-keygen -t dsa -f $HOME/.ssh/id_dsa -N ''; fi
cat $HOME/.ssh/id_dsa.pub >> $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/id_dsa $HOME/.ssh/authorized_keys
chmod 700 $HOME/.ssh
ssh -oStrictHostKeyChecking=no localhost

If this worked, you should now be able to run "ssh localhost" from the WebFaction server to log in via SSH to itself, without a password.

For (4), here is the watchdog script. Be sure to replace "999.999.999.999" with your open-ports IP and "77777" with your port:



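#!/bin/bash
# PIDFILE path is an assumption; its definition is missing from the script as shown here.
PIDFILE="$HOME/cron/ssh_port77777_watchdog.pid"

# Do nothing if the PID recorded by the previous run is still one of our processes.
if [ -e "${PIDFILE}" ] && (ps -u "$(whoami)" -f | grep "[ ]$(cat "${PIDFILE}")[ ]"); then
  echo "Already running."
  exit 99
fi

# Forward the open-ports IP and port to sshd on port 22 (destination taken from the description above).
/usr/bin/ssh -N -L 999.999.999.999:77777:localhost:22 -oServerAliveInterval=60 -oServerAliveCountMax=3 -oBatchMode=yes -oConnectTimeout=10 localhost &

echo $! > "${PIDFILE}"
chmod 644 "${PIDFILE}"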

This would be saved to a file in your $HOME/cron directory, specifically at:

$HOME/cron/ssh_port77777_watchdog.sh

For (5), here is the crontab entry. As above, replace "77777" with your port:

*/10 * * * * $HOME/cron/ssh_port77777_watchdog.sh > $HOME/cron/ssh_port77777_watchdog.log 2>&1

More information regarding cron jobs is available in our documentation here.

After this is done, wait at least 10 minutes, and then confirm that you have an SSH tunnel connecting from port 77777 to port 22 in your process listing. You can see your process listing using this command:

ps -u $USER -F

If this worked, then the tunnel should stay running and return automatically even if the server is restarted. If it didn't work, feel free to let us know and we'll be happy to take a look.

Also note that if you can't follow these instructions because you are already unable to connect to SSH on port 22 (which is the whole reason for the tunnel in the first place), just let us know and we can assist as well.

Finally, it's worth mentioning that once you've done this, you might not want to add "-p 77777" and "-P 77777" manually to the ssh and scp commands every time you connect to the server. For convenience, you could then make an alias in $HOME/.ssh/config, which looks something like this:

Host wf
    HostName 999.999.999.999
    Port 77777
    User foo

and then just "ssh wf", which will use the correct port and user from $HOME/.ssh/config to connect. This also works with scp, allowing for convenient file transfer as well.

Hope that helps!

This answer is marked "community wiki".

answered 13 Aug '13, 20:07


edited 13 Sep '15, 02:31

What does "localhost" do in the SSH command? I'm trying to figure out if I need that part when I tunnel from WebFaction to another server.

With a custom app (listening on port), I'm using:

/usr/bin/ssh -N "-L port IP, not open in firewall):(remote host):(remote port)" username@hostname &

EDIT: Didn't mean to post this as an answer below. Tried to delete it but got a 403 error. Please delete my answer.

(08 May '14, 01:04) Ange1Rob0t

"localhost" is the hostname to which you are connecting when you establish the tunnel from the WebFaction server. The username is omitted because you're connecting with your main account user, i.e. the user that you're logged in as when you run the command.

(08 May '14, 17:44) seanf

For clarity on (1), the open port IP address will be listed at the bottom of the applications page; it is NOT the standard server host IP.

(13 Jan '15, 15:38) shadowhand

Thanks! With one extra step, I used the above method to poke a hole in a firewall, allowing me ssh access to the server behind the firewall via the open port.

After doing all of the above, on the protected firewall, I used a remote forward:

ssh -N -R your_ssh_host.webfaction.com:22:localhost:22 host.webfaction.com

Now I can ssh to the webfaction open IP address + open port while travelling. The connection is forwarded (ultimately) to the protected firewall.

(19 Dec '17, 02:47) helmingstay
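
A hardened variant of the loopback key and watchdog check from the accepted answer, as an added example that is not part of the original posts: the passwordless key is limited in authorized_keys to forwarding to localhost:22, and the liveness check matches the recorded PID's command line instead of the PID alone. The function names, the dedicated key file and the pidfile arguments are hypothetical.

```shell
#!/bin/bash
# Added example: function names, key file and pidfile arguments are assumptions.

# authorized_keys options for the loopback key: it may only open the forward
# to localhost:22 and gets no shell, PTY, agent or X11 forwarding.
KEY_OPTS='command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="localhost:22"'

# install_tunnel_key PUBKEY_FILE AUTHORIZED_KEYS
# Appends the restricted entry once; re-running does not duplicate it.
install_tunnel_key() {
  local pub auth="$2"
  pub=$(cat "$1") || return 1
  touch "$auth" && chmod 600 "$auth"
  grep -qF -- "$pub" "$auth" || printf '%s %s\n' "$KEY_OPTS" "$pub" >> "$auth"
}

# tunnel_alive PIDFILE PATTERN
# True only if the recorded PID exists and its command line contains PATTERN,
# so a recycled PID owned by another program is not taken for the tunnel.
tunnel_alive() {
  local pid
  [ -r "$1" ] || return 1
  pid=$(cat "$1")
  case "$pid" in ''|*[!0-9]*) return 1 ;; esac
  if [ -r "/proc/$pid/cmdline" ]; then
    tr '\0' ' ' < "/proc/$pid/cmdline" | grep -qF -- "$2"
  else
    ps -p "$pid" -o args= 2>/dev/null | grep -qF -- "$2"
  fi
}

# start_tunnel BIND_IP PORT PIDFILE KEYFILE
# ExitOnForwardFailure makes ssh exit when it cannot bind the port, rather
# than staying up with no listener while the watchdog sees a live PID.
start_tunnel() {
  local spec="$1:$2:localhost:22"
  tunnel_alive "$3" "$spec" && return 0
  /usr/bin/ssh -N -i "$4" -oIdentitiesOnly=yes -oExitOnForwardFailure=yes \
    -oServerAliveInterval=60 -oServerAliveCountMax=3 -oBatchMode=yes \
    -oConnectTimeout=10 -L "$spec" localhost &
  echo $! > "$3"
}
```

Call start_tunnel from the cron entry with the open-ports IP, the port, a pidfile and the dedicated private key. The forward destination has to stay localhost:22 so that it matches the permitopen entry.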