GUIDE: How To Setup SSH (connect externally)

❯❯ Preliminaries

Before actually setting up SSH for external connections (from the internet) into your own network, we will cover some principles.

When a user connects via SSH to another machine on the same local area network, the connection targets the internal IP address that the router's DHCP server issued to that machine. In essence, the user connecting is “inside”, so he/she doesn’t have to address the router directly.

However, to connect via SSH from the outside world (the internet), the user has to address the router's public IP (which is given to you by the ISP if you set up a static IP plan).

This public IP allows requests to be routed through your ISP's higher-level network, through your router, and into the exact machine on your local area network that you want to target.

❯❯ Setting Up Port Forwarding

In order to facilitate this OUTSIDE -> INSIDE connection scheme, we need to permit requests coming to your router from the outside to be passed on; this is what port forwarding is for.

A port is a connection channel bound to some service on the machine. Letting a port on the router be addressed from the outside gives the router the ability to pass each request on to a specific machine on the user’s internal network.

On your router interface open WAN -> Virtual Server / Port Forwarding -> Add profile

Service Name – name the connection (choose freely)
External Port – port number used to connect to the router
Internal Port – port number used by the router to connect to the internal network machine
Internal IP – DHCP assigned IP (internal IP) for the machine being addressed
Protocol – TCP (not UDP)

In a previous basic guide for setting up SSH connections in an internal network, we showed how to change the port for SSH connections (for basic security reasons).

Now, in the router's port forwarding rules/profiles, this SSH port value needs to be the same in the Internal Port field of every entry, but the External Port field should be different for each internal machine addressed.

The logic is that if two machines of the internal network are configured to be addressed through the router via the same external port number, the router cannot differentiate which one is to be addressed (and will connect to the first one in the port forwarding list).

❯❯ Editing SSH configuration

Now, for succinct and easy SSH connection commands, we need to edit the host block definition (similarly to how we did this in the basic SSH internal connections guide, but with some minor changes).

Edit ssh_config file for external SSH
Host REMOTE_HOST_EXTERN
    HostName     PUBLIC_IP
    User         INTERNAL_HOST_USERNAME
    Port         EXTERNAL_PORT_NUM
    IdentityFile ~/.ssh/id_INTERNAL_HOST

Notice that the directives and block directive are keywords that are case-sensitive.

To be clear:

HostName directive value -> Static IP assigned to you by your ISP.

User directive value -> username of internal machine

Port value -> external port number (as defined in port forwarding rule)

IdentityFile value -> the ssh-keygen file generated (as described in the basic SSH setup guide)
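The port forwarding rule about unique External Port values and the host block above can be checked together. The following is an added example, not code from the original guide: it validates a forwarding table for reused external ports and renders one host block per machine. The service names, usernames, IP addresses and port numbers are all constructed placeholders.

```python
from collections import defaultdict

# Constructed sample table mirroring the router form fields. All values are
# placeholders: private 192.168.1.x addresses, ports chosen for illustration.
RULES = [
    {"service": "ssh-desktop", "external_port": 2201, "internal_port": 2222,
     "internal_ip": "192.168.1.20", "protocol": "TCP", "user": "alice"},
    {"service": "ssh-laptop", "external_port": 2202, "internal_port": 2222,
     "internal_ip": "192.168.1.21", "protocol": "TCP", "user": "bob"},
    {"service": "ssh-nas", "external_port": 2201, "internal_port": 2222,
     "internal_ip": "192.168.1.22", "protocol": "TCP", "user": "carol"},
]

def find_conflicts(rules):
    """Return {external_port: [service, ...]} for ports used by more than one rule."""
    by_port = defaultdict(list)
    for rule in rules:
        by_port[rule["external_port"]].append(rule["service"])
    return {port: names for port, names in by_port.items() if len(names) > 1}

def check_rules(rules):
    """Return a list of problems found in the forwarding table."""
    problems = []
    for port, names in sorted(find_conflicts(rules).items()):
        # Per the guide, the router forwards to the first matching entry only.
        problems.append(f"external port {port} reused by {', '.join(names)}; "
                        f"only {names[0]} would be reachable")
    for rule in rules:
        if rule["protocol"].upper() != "TCP":
            problems.append(f"{rule['service']}: SSH needs TCP, not {rule['protocol']}")
        for field in ("external_port", "internal_port"):
            if not 1 <= rule[field] <= 65535:
                problems.append(f"{rule['service']}: {field} out of range")
    return problems

def render_host_block(rule, public_ip):
    """Build the client-side host block; Port is the EXTERNAL port, not the internal one."""
    return "\n".join([
        f"Host {rule['service']}",
        f"    HostName     {public_ip}",
        f"    User         {rule['user']}",
        f"    Port         {rule['external_port']}",
        f"    IdentityFile ~/.ssh/id_{rule['service']}",
    ])

if __name__ == "__main__":
    for problem in check_rules(RULES):
        print("PROBLEM:", problem)
    # 203.0.113.10 is a documentation-range address standing in for PUBLIC_IP.
    print(render_host_block(RULES[1], "203.0.113.10"))
```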
