LinuxQuestions.org
#1  04-26-2023, 12:00 PM
nedlud (LQ Newbie)
How to establish ssh tunnel from remote firewalled PC for VNC remote assistance?


I help my friend (christine) with computer tasks on her machine (x1-laptop) when she is at home, as follows:

Code:
ssh -p 23022 -i .ssh/christine@x1-laptop.id_ed25519 christine@christine.dyndns.net -L 5900:localhost:5900 "x11vnc -noxdamage -find"
So,

"christine" is her username on
"x1-laptop" which is her machine
"christine@x1-laptop.id_ed25519" is the private ssh key
"christine.dyndns.net" is dynamic dns url at her house
"23022" is the port forwarded to port 22 on x1-laptop on her router firewall
5900 is the standard vnc port

I then VNC to localhost:5900 with Remmina. All good. Works very well.

Now though, she is in a hotel, on their wifi, presumably behind a firewall of some kind.

How can she ssh to my machine from there, such that I can provide assistance with VNC?

assume:
I will temporarily forward port 33022 on my firewall to port 22 on my machine, and enable password only ssh login.
My username on my machine is nedlud.
My dynamic dns is nedlud.dyndns.net

I'm after the cli string that I can email to her, she pastes it into a terminal, and I can then use Remmina in the same way.

MTIA.
 
#2  04-26-2023, 12:25 PM
michaelk (Moderator)
In the same manner I think a reverse ssh tunnel will work. Have your friend log in by trying:
Code:
ssh -p port_# -R 5900:localhost:5900 your_username@hostname
 
#3  04-26-2023, 12:29 PM
Turbocapitalist (LQ Guru)
You can have her make a reverse tunnel from her system to your publicly facing address:

Code:
ssh -R 2022:localhost:22 -p 33022 christine@nedlud.dyndns.net
Then, while that connection is open, you can connect to that tunnel on port 2022 on the localhost address for your system:

Code:
ssh -L 5900:localhost:5900 -p 2022 christine@localhost "x11vnc -noxdamage -find"
So there are two connections, one from her system through to your publicly facing system. Then following that connection back to its source for the VNC tunnel.

Edit:

Or more efficiently:
Code:
ssh -R 5900:localhost:5900 -p 33022 christine@nedlud.dyndns.net
And then connect to VNC at localhost.

Last edited by Turbocapitalist; 04-26-2023 at 12:31 PM.
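The two-connection variant in the post above, written out as an ssh_config entry for nedlud's side. This is an added example, not something posted in the thread: it assumes christine has already opened the first hop with `ssh -N -R 2022:localhost:22 -p 33022 christine@nedlud.dyndns.net`, that the key file and x11vnc invocation are the ones from post #1, and that an account named christine exists on nedlud's machine as post #3 assumes. The check it adds is HostKeyAlias: the host key that answers on localhost:2022 is x1-laptop's, not nedlud's own, and without the alias ssh records it in known_hosts under [localhost]:2022, so a later tunnel on the same port would be checked against the wrong host's key.

```sshconfig
# ~/.ssh/config on nedlud's machine (added example; not from the thread).
# Use after christine has run, from the hotel:
#   ssh -N -R 2022:localhost:22 -p 33022 christine@nedlud.dyndns.net
Host x1-laptop-via-tunnel
    HostName localhost
    Port 2022
    User christine
    # Private key from post #1; IdentitiesOnly stops ssh offering other keys.
    IdentityFile ~/.ssh/christine@x1-laptop.id_ed25519
    IdentitiesOnly yes
    # The sshd answering on localhost:2022 is x1-laptop's, not this machine's.
    # Store and verify its key under a stable name instead of [localhost]:2022.
    HostKeyAlias x1-laptop
    # Same VNC forward and x11vnc start as the direct command in post #1.
    LocalForward 5900 localhost:5900
    RemoteCommand x11vnc -noxdamage -find
    RequestTTY no
    # Abort instead of leaving a session open with no working forward.
    ExitOnForwardFailure yes
    ServerAliveInterval 30
```

Run `ssh x1-laptop-via-tunnel`, then point Remmina at localhost:5900 as before. On the first connection ssh will ask to confirm the x1-laptop fingerprint; it can be compared against the entry already recorded from the direct connections with `ssh-keygen -F '[christine.dyndns.net]:23022'`.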
 
#4  05-25-2023, 10:33 AM
nedlud (LQ Newbie, Original Poster)
Thank you both.

christine does not have an account on my machine. I first tried

Code:
christine@x1-laptop:~$ ssh -p 33022 -R 5900:localhost:5900 nedlud@nedlud.dyndns.net "x11vnc -noxdamage -find"
which gave:

Code:
nedlud@nedlud.dyndns.net's password:
Warning: remote port forwarding failed for listen port 5900
bash: line1: x11vnc: command not found.
christine@x1-laptop:~$

Dropping the x11vnc command

Code:
christine@x1-laptop:~$ ssh -p 33022 -R 5900:localhost:5900 nedlud@nedlud.dyndns.net
Worked as needed. I could then VNC to localhost:5900 with Remmina, and had simultaneous access to her desktop.

So, thanks again. HOWEVER:

In order to make this work, I had to:

Log in to my router, temporarily enable port forwarding to my machine (I don't usually expose my machine to incoming from wan at all)
Edit /etc/ssh/sshd_config to enable password ssh login (no point sending private key by email)
Restart sshd.
Temporarily change my password.
Reverse all the above when done.

Which is obviously a drag. I could create a "christine" account on my machine and save one step, but that might introduce other required steps, and I'm looking for a better way, without, even temporarily, opening a port to my machine. I'm thinking that could be achieved with an intermediate host, and will start a new thread requesting help with that.
 
#5  05-25-2023, 10:50 AM
Turbocapitalist (LQ Guru)
Once you are connected can you generate her SSH key pair over on her machine for her so that you can
then turn off password authentication on the forwarded port?
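The steps listed in post #4 (enabling password login, changing the password, reverting afterwards) and the key-pair suggestion in post #5 can be replaced by a dedicated tunnel-only account. The following is an added example, not configuration from the thread. It assumes an account named christine on nedlud's machine with a non-login shell, that nedlud's sshd is OpenSSH 8.2 or later so that /etc/ssh/sshd_config.d/*.conf is included (older versions take the same Match block at the end of sshd_config), and OpenSSH 7.8 or later for PermitListen/permitlisten. The account can then do nothing except open a loopback listener on port 5900 on nedlud's machine, with no password and no shell, so the only thing left to toggle is the router's port forward.

```sshconfig
# /etc/ssh/sshd_config.d/christine-tunnel.conf on nedlud's machine
# (added example; not from the thread).
# christine's command, emailed to her (-N so no command is ever run):
#   ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
#       -p 33022 -R 5900:localhost:5900 christine@nedlud.dyndns.net
Match User christine
    # Key only: nothing to change or revert after the session.
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    PubkeyAuthentication yes
    # Only reverse (-R) forwards, and only a loopback listener on 5900.
    AllowTcpForwarding remote
    PermitListen localhost:5900
    GatewayPorts no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    X11Forwarding no
    # No shell, no tty, even if she drops the -N.
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    # Tear down a dead hotel-wifi session rather than leaving 5900 bound.
    ClientAliveInterval 30
    ClientAliveCountMax 3

# ~christine/.ssh/authorized_keys on nedlud's machine: the same limits again,
# per key, so they hold even if the Match block is lost in a later edit.
# "AAAA..." is a placeholder for the public key generated on x1-laptop.
restrict,port-forwarding,permitlisten="localhost:5900" ssh-ed25519 AAAA... christine@x1-laptop
```

Check the result with `sshd -T -C user=christine | grep -iE 'forward|permit|password'` before reloading sshd. The `Warning: remote port forwarding failed for listen port 5900` seen in post #4 is fatal with ExitOnForwardFailure=yes, so a session that cannot provide the tunnel is closed instead of left open.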
 
#6  05-25-2023, 10:51 AM
michaelk (Moderator)
One suggestion would be TeamViewer; it is free for personal use and does not require an open port, or even to be installed.
 
#7  05-25-2023, 11:30 AM
nedlud (LQ Newbie, Original Poster)
Yes, thanks for further suggestions, I could do that (generate ssh key on remote). In fact I have intermittent physical access to her machine.

However, I'm reluctant to open a port to my machine, leave sshd running on my machine, or create another account on my machine, to enable her to log in to my machine at all. This is due to a general caution, and that she is even less knowledgeable and more prone to security blunders than I am.

As for TeamViewer, while I'm grateful for the suggestion, and have frequently used it to provide remote assistance to people even less capable than I, I won't consider it for this case because:

I hate the idea of routing through a third party.
Each use of TeamViewer increases the chance TV will designate my use as non-personal, and I won't be able to use it for helping others without paying TV.
christine is personal friend and I won't expose her to privacy compromises I wouldn't tolerate myself.
 
All times are GMT -5.