Run script over SSH action does not work over cellular network

When I am on my home local wifi network with my iPhone, The Run script over SSH action works perfectly. For example it puts my iMac to sleep.

But if I try to run it when I am remote using a cellular connection it does not work and I get the error message "Run Script Over SSH could not connect to the SSH server."

For that to work you need at least three things:

  1. The machine you’re connecting via SSH must be available from the Internet. If it’s inside your LAN you will need to forward some external port of your router to port 22 of your machine (I recommend not using 22 as external port).
  2. Externally your machine needs either a fixed IP or a dynamic DNS domain
  3. Your shortcut will need to detect if you are in your LAN or not, and then use either the internal (LAN) IP or the external one (IP or domain) to connect to your machine.

Without knowing your competency level about networking, this can be either pretty simple or a bit of a challenge. I’ll try to word this according to the latter.

tldr/technical version: (not recommended) port forward port 22 on your router to your iMac and use your public IP to connect. (recommended) use other services that can provide a secure way to receive commands and trigger actions, e.g. Keyboard Maestro.

Long Version/Beginner Friendly

I would assume that the host part of the Run Script Over SSH is something like 192.x.x.x or Leddys_iMac.local. This represents your address of your iMac on your wifi network and is known only by devices within your home network.

When you’re on your wifi, your phone will ask – connect me to 192.x.x.x on port 22. Your router will know which computer it is and will forward the connection.

Now, when you’re on cellular, there’s a lot more in between your phone and your iMac. You have your cellular service provider (CSP), your home internet service provider (ISP) and their networking devices, your modem and then your router.

If you simply ask for the same connection, that goes to your CSP, which does not know what you’re asking about, since it does not know anything about your home network. You need to tell your cellular provider to connect you to your ISP by providing it your public IP address.

It doesn’t end there. This public IP address might not be the actual address of your home network. Your ISP may or may not be allowing direct connections to your home network. For the sake of discussion, let’s assume that your ISP is pretty lenient and allows external connections to your home network.

So far your connection path looks like this:

iPhone > CSP > ISP Network

On this path, your public IP is the IP address of your modem. It looks more like this:

iPhone > CSP > ISP Network > Modem (public IP)

Your modem will forward your connection to your router:

iPhone > CSP > ISP Network > Modem (public IP) > Router

Looking back at the Run Script over SSH action: after changing the host to your public IP (and by default on port 22), when the connection reaches the router on the path above, your router says – okay, I see you want to go through port 22. I don’t know where that goes, sorry. That’s where you get something like connection refused.

This time, you’ll need to tell your router that if something’s trying to connect to port 22, direct it to your iMac. This is called port forwarding. Consult your router’s manual on how to do that.

Once that’s done, you should be able to connect to your iMac from outside your home.

iPhone > CSP > ISP Network > Modem (public IP) > Router > iMac

This I need to say, not to fear-monger but for awareness. Forwarding ports on your router to your computer opens it up for hacking. If you are to do this, learn how to protect your network.

My preferred method of triggering stuff on my home machines is via remote triggers. Now, personally, I have a custom setup for this but one easy enough example is Keyboard Maestro’s Remote Trigger. This will provide a url that you can use on the ‘Get Contents of URL’ action and it will run the macro.

Hope this helps.


VPN

For completeness, another option that could be considered is a VPN (Virtual Private Network) connection. Many modern home routers have VPN servers built in, or you can install them on other computers on the network (but then you have to port forward for that VPN service on your NAT router).

Your iPhone can support VPN connections via the OS, or an additional VPN client app. The particular flavour of VPN would determine this and there are many guides on the web for the various VPN servers and how to set them up and configure them.

For a VPN, your phone will establish a secure, private connection back to your VPN server on your network. It isn’t just a security through obscurity setup, but a more rigorous setup. Your web traffic then gets tunnelled to this server and it makes web requests on your behalf and sends the results back to your phone. Because it is in on your home network, it allows you to access home network resources.

Because of the security involved, use of a VPN is often put forward as a preferred solution for remote access to any resources on a home network, and it gives you more than just access to SSH to a computer.

Dynamic DNS

Dynamic DNS was mentioned above, but let’s look at what it is and why it is important…

Note also that, regarding any of these solutions, for a home Internet connection you probably are not issued a fixed IP address for your connection. You should also look to see if your router has support for Dynamic DNS. If not, like a VPN, you can also add the setup for Dynamic DNS on a device inside your home network. What this service does is keep an online record for a domain name, and whenever your external IP address at home changes, a device on your network tasked with doing so updates the online record so the domain always stays linked to the correct IP address.

If you don’t use this setup, while your ISP might lease the same IP address to you for long periods, all it takes is a subtle shift in the network config or demands and the automated assignment process might give you a different address from their list of available addresses, and at that point you will be trying to connect to another network on that IP address rather than your own.

SSH Keys

If you do want to use SSH and port forward directly to your device, I would fully support the recommendations of @atnbueno to map an external port of something other than 22 to your internal computer’s port of 22. It is like waving a flag to net scanners saying “direct access to my computer here” if you use the standard port number externally.

In addition, you should NOT put any direct connection out there if you are using a user ID and password that are anything other than astronomically hard to guess.

The recommended approach is instead to use SSH keys to secure your login. This works by generating special sets of data using public key cryptography that are shared to the relevant devices. It gives you a method of authentication that is much more secure than even complex IDs and passwords due to the nature of the setup and the lengths of the data involved (there is lots of public key cryptography and SSH key info out there if you want to understand why). In fact you should consider using SSH keys rather than usernames and passwords regardless.

The setup of SSH keys for Shortcuts connections had come up a few times in the past, so I ended up writing a blog post to refer people to. If you want to make your SSH access easier and way more secure, I would recommend walking through it.

Once set up, if you are making it available online, you probably want to look at disabling credential-based access over SSH.


I hope that adds some useful additions to the great info posted above. Remote access is very useful, but you want to ensure that whatever you do, you do it securely.

I have remote access to devices on my home network using the above methods and some more remote access options besides. I see in various logs how often automated scripts are trying to get into my network and it is unsettling to say the least. Without the protections, my network and devices would absolutely belong to someone else at this point.

Securing your access is critical to making this safe and worthwhile.
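As an added illustration of the advice in this post (not code from the thread or from any of its authors), here is a small Python audit that reads an OpenSSH `sshd_config` and flags settings that still allow credential-based logins. The two config fragments are constructed samples, and the `leddy` account name in the hardened one is a placeholder; the script does not flag `Port 22` because the thread's advice is to keep 22 internally and map a different external port on the router.

```python
import re

# Constructed sample: commented-out lines are OpenSSH defaults, so this
# config still accepts password logins and root logins with a key.
DEFAULT_CONFIG = """\
#Port 22
#PubkeyAuthentication yes
#PasswordAuthentication yes
#PermitRootLogin prohibit-password
"""

# Constructed sample hardened as recommended above: keys only, no root,
# and only one named account ("leddy" is a placeholder) may log in.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers leddy
"""

def parse_sshd_config(text):
    """Return {keyword: value} for effective (uncommented) directives.
    Keywords are case-insensitive and sshd honours the FIRST occurrence
    of a keyword, so later duplicates are deliberately ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

def audit(text):
    """Return a list of findings; an empty list means credential logins are off."""
    s = parse_sshd_config(text)
    findings = []
    # Missing keywords are treated as their OpenSSH default values.
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can be guessed")
    if s.get("kbdinteractiveauthentication", "yes") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': password prompts remain")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled: key logins will fail")
    if s.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account may log in")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on the machine you are exposing; each returned line is something to fix before forwarding the port.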


Thank you for the great info on this @atnbueno @supermamon @sylumer
I’ll try these ideas out and see what works for me.

So I went with Remote Trigger on Keyboard Maestro as my original intent was to trigger a KM macro. So that worked great. My only concern after reading everyone’s replies to my question is that remotely accessing anything on your home computer can be dicey security-wise. I put the URL trigger that KM supplied for my macro in Data Jar so it is not in my actual Shortcut. Then I get the Data Jar value and put that in the Get Contents of URL action. It works great on or off wifi. Just like I wanted. But let me know if there is still a potential security risk.
Thanks again for all your suggestions.

Have you read the read before use section for remote triggers?

https://wiki.keyboardmaestro.com/trigger/Remote#Read_Before_Your_Use_the_Remote_Trigger

The forum discussion links prior to it are also worth a look after you have read that section.

You are not opening ports and generic services, so there is no open door as such. You are just offering specific macros, which makes things safer. But take note of Peter’s advice in that above link as to what you make available.

Yep. There are good safety tips there. Thanks for the heads up.