Remote access via protocol SSH through Wi-Fi — an indispensable tool for administering servers, configuring network equipment, or working with remote devices without a physical presence. However, incorrect configuration can open the door to hacker attacks or lead to the leakage of confidential data. In this article, we'll discuss how to organize secure SSH distribution over Wi-Fi taking into account all the nuances: from the choice of equipment to the intricacies of port forwarding and traffic encryption.
The unique feature of SSH is that it was originally designed for secure system management, but when transmitted over wireless networks, it requires additional precautions. You will learn how to avoid common mistakes (such as using a standard port) 22 (or weak passwords), which router settings are critical, and how to test the connection. This material is relevant for home networks, small offices, and even public access points, taking into account their specific needs.
1. Preparing the equipment: what you will need to distribute SSH
Before you begin setup, make sure you have everything you need. Minimum hardware and software requirements:
- 📡 Router with port forwarding support (port forwarding). Most modern models (for example, ASUS RT-AX88U, TP-Link Archer C7, Keenetic) have this feature. Older devices (made before 2018) may not support it or require firmware from the manufacturer.
- 💻 Server device, to which SSH access will be opened: this can be a computer running Linux/Windows (with installed
OpenSSH Server), Raspberry Pi, NAS system or even some models of network printers. - 📱 Client device for connection: laptop, smartphone (with an application like Termius or JuiceSSH) or tablet. It is important that the client has an SSH client installed.
- 🔌 Stable power supply for the server. If you are distributing SSH with Raspberry Pi or mini PC, use an uninterruptible power supply (UPS) - a sudden power outage can damage the file system.
Also, check that your internet service provider's plan doesn't block incoming connections. Some operators (especially mobile ones) close all ports by default for private users. Check this in your account or with support.
⚠️ Attention: If you are setting up SSH access to a router (for example, with firmware OpenWRT or DD-WRT), make sure a strong password is set for the web interface. Otherwise, an attacker could gain control of the entire network without even connecting via SSH.
2. Setting up an SSH server: basic commands and configuration
Before forwarding ports, you need to configure the SSH server on the device you want to access. Let's look at an example. Linux (distributions Ubuntu/Debian) And Windows 10/11.
For Linux (Ubuntu/Debian)
1. Install OpenSSH Server, if it is not already installed:
sudo apt update && sudo apt install openssh-server
2. Check the service status:
sudo systemctl status ssh
3. Open the configuration file for editing:
sudo nano /etc/ssh/sshd_config
In the file sshd_config It is recommended to change the following parameters (uncomment the lines by removing the symbol #):
- 🔒
Port 2222- replace the standard port22to a non-standard (for example,2222) to reduce the number of bot attacks. - 🚫
PermitRootLogin no- Disable login under the userroot. - 🔑
PasswordAuthentication no- Disable password authentication (use keys only). - 📜
AllowUsers your_username— allow access only to specific users.
After making changes, restart the service:
sudo systemctl restart ssh
For Windows 10/11
1. Enable the component OpenSSH Server through Settings → Applications → Additional components → Add component.
2. Start the service in Control Panel → Administrative Tools → Services (find sshd and set the startup type Automatically).
3. Open the port in the firewall:
netsh advfirewall firewall add rule name="OpenSSH" dir=in action=allow protocol=TCP localport=22
3. Forwarding ports on a router: step-by-step instructions
Port forwarding (port forwarding) is a key step that allows external devices to connect to your SSH server over the internet. Here's the process:
- Find out the local IP address of the server.
On Linux/MacOS run the command
ip aorifconfigOn . Windows —ipconfigVcmd. Remember the address (for example,192.168.1.100). - Reserve an IP address in the router.
Go to your router's web interface (usually
192.168.1.1or192.168.0.1), find the sectionDHCP Reservation(or similar) and bind the server's MAC address to a fixed IP address. This will prevent the address from changing upon reboot. - Set up port forwarding.
Find it in the router menu
Port Forwarding(orVirtual servers). Add a rule:- 🌐 External Port:
2222(or another one if you changed it). - 🏠 Local IP: your server address (for example,
192.168.1.100). - 🔌 Local port (Internal Port):
22(or2222, if changed). - 📡 Protocol:
TCP.
- 🌐 External Port:
Example of setting up a router TP-Link:
| Parameter | Meaning | Note |
|---|---|---|
| Service Port | 2222 | External port for connection |
| Internal Port | 22 | SSH port on server |
| IP Address | 192.168.1.100 | Local IP of the server |
| Protocol | TCP | SSH only works over TCP |
Make sure the server is turned on and connected to the router|Check that the server's IP address is reserved in DHCP|Save forwarding settings and reboot the router|Check the external IP address (for example, on the 2ip.ru website)-->
⚠️ Attention: If you have white dynamic IP (changes when reconnecting), use the service DDNS (For example, No-IP or built into the router). This will allow you to connect using a domain name instead of an IP. For gray IP (Behind the provider's NAT) port forwarding is not possible - a VPN or cloud server will be required as an intermediary.
4. Security: How to protect SSH from hacking
An open SSH port on a router is one of the most common reasons for home networks being hacked. Hackers scan the internet for vulnerable servers and brute-force passwords. To minimize the risks, follow these recommendations:
- 🔐 Use keys instead of passwords.
Generate a key pair on the client (
ssh-keygen -t ed25519) and add the public key to~/.ssh/authorized_keyson the server. This completely eliminates the risk of password guessing. - 🚪 Restrict access by IP.
In the file
/etc/hosts.allowSpecify allowed IP addresses (eg.sshd: 192.168.1.0/24for local network orsshd: 89.123.45.67for a specific external IP). - 🛡️ Install fail2ban.
This utility blocks IP addresses after several unsuccessful login attempts. Installation on Ubuntu:
sudo apt install fail2bansudo systemctl enable fail2ban - 🔄 Update your SSH server regularly.
Vulnerabilities in older versions
OpenSSHare actively used. Update packages with the commandsudo apt upgrade.
For additional protection, you can set up two-factor authentication (2FA) by using Google Authenticator or hardware keys YubiKeyInstructions for setting up 2FA for SSH are available in the official documentation. OpenSSH.
What to do if your SSH server is hacked?
If you notice suspicious activity (unknown processes, modified files in /home), immediately:
1. Disconnect the server from the network.
2. Check the authentication logs (/var/log/auth.log).
3. Reinstall the system or restore from a backup.
4. Change all passwords and SSH keys on all devices on the network.
Don't try to "clean" the system manually—attackers often leave backdoors.
5. Connecting to SSH via Wi-Fi: Practical Examples
Now that the server is configured and the port is forwarded, you can connect to it. Let's look at a few scenarios.
Connecting from a computer (Linux/MacOS/Windows)
Use the command:
ssh your_username@your_external_ip -p 2222
If you have configured DDNS, replace IP with the domain name (eg. user@myhost.ddns.net -p 2222).
Connecting from a smartphone (Android/iOS)
Install the application Termius or JuiceSSH:
- Create a new connection (
New Host). - Specify external IP or domain, port (
2222), username. - If you use keys, import the private key into the application.
- Connect and confirm the server fingerprint.
Connecting from another network (for example, from work)
If your provider issues gray IP, port forwarding won't work. In this case:
- 🌍 Use cloud server (For example, AWS EC2 or DigitalOcean) as an intermediary (jump host).
- 🔗 Set up VPN (For example, WireGuard or OpenVPN) and connect to the local network, and then to SSH.
- ☁️ Use services like ngrok or Cloudflare Tunnel to create a secure tunnel.
6. Troubleshooting: Why SSH over Wi-Fi isn't working
If the connection fails, please check the following:
| Symptom | Possible cause | Solution |
|---|---|---|
| The connection is reset after entering the password | SSH client and server version mismatch | Update OpenSSH on the server and client |
| "Connection timed out" | The port is not forwarded or blocked by the provider | Check your router settings and contact your provider. |
| "Permission denied (publickey)" | Incorrect permissions on keys or file authorized_keys |
Do it chmod 600 ~/.ssh/authorized_keys And chmod 700 ~/.ssh |
| The connection only works in a local network. | The external IP is grayed out or forwarding is configured incorrectly. | Use a VPN or DDNS with external IP verification |
To check the port's availability from the Internet, use the command:
nc -zv your_external_ip 2222
Or online services like canyouseeme.org.
If the problem persists, check the SSH server logs:
sudo tail -f /var/log/auth.log
7. Alternative ways to distribute SSH without port forwarding
Port forwarding isn't the only way to set up remote access. Let's look at alternatives that may be useful in specific scenarios.
- 🔄 Reverse SSH.
If your server is behind NAT, it can initiate a connection to an external host itself. For example:
ssh -R 2222:localhost:22 user@external-server.comAfter that you will be able to connect to
external-server.com:2222and get to your server. - ☁️ Cloudflare Tunnel (Zero Trust).
A free service that creates a secure tunnel to your server without opening any ports. Installation required.
cloudflared. - 🔗 VPN server on the router.
For example, OpenVPN or WireGuard on routers with OpenWRTOnce connected to the VPN, you'll be connected to your local network and can use SSH as usual.
- 📡 Local network via Hamachi/ZeroTier.
These services create a virtual network over the internet. Convenient for temporary access.
Each of these methods has its pros and cons. For example, Reverse SSH requires an external server, and Cloudflare Tunnel Depends on the third party. The choice depends on your goals and level of paranoia 😉.
FAQ: Frequently asked questions about distributing SSH over Wi-Fi
❓ Is it possible to share SSH over Wi-Fi without a router (directly from a laptop)?
Yes, but it's less secure. You can create a hotspot on your laptop (for example, via hostapd on Linux or "Mobile Hotspot" on Windows), but:
- Your laptop will be directly accessible from the network.
- There is no protection at the router level (firewall, port forwarding).
- Recommended for use only for temporary tasks on trusted networks.
❓ Which port is better to use instead of the standard 22?
Any port above 1024 (For example, 2222, 2022, 443). Port 443 (HTTPS) can be useful if your ISP blocks other ports but is often scanned by bots. Just be sure not to use ports occupied by other services (e.g., 80, 3389).
❓ Is it possible to share SSH via Wi-Fi in a public place (hotel, airport)?
Technically yes, but it is extremely risky:
- Public networks often block non-standard ports.
- Your traffic may be intercepted (use a VPN!).
- Better to use Cloudflare Tunnel or ngrok to create a secure tunnel.
❓ How do I restrict access by time (for example, only from 9:00 to 18:00)?
Set up cron to automatically enable/disable SSH or use pam_time:
- Edit
/etc/security/time.conf, adding the line: - Add to
/etc/pam.d/sshdline:
sshd;;!;Wd0900-1800
account required pam_time.so
❓ What should I do if my ISP blocks all incoming ports?
In this case, port forwarding is not possible. Alternatives:
- Use reverse SSH (reverse SSH) to an external server.
- Set up VPN (For example, WireGuard) on the router.
- Get a cheap VPS (from $3/month) and use it as a middleman.