set up SSH tunnel for machines behind NAT

Quick ssh forwarding setup:

0. Topology

          ┌───────────┐
          │ MACHINE A │
          │           ├─────────────┐
          │  (HOME)   │             │
          │           │    ssh -p 23456 user@machineB
          └─────┬─────┘             │
                │ :23456◄───────────┘
                │
                │
   $autossh -L 23456:localhost:12345 jump@relay
                │
         ┌──────┼──────┐
         │      └──────┼───┐
         │             │   ▼
         │   RELAY     │:12345
         │             │   ▲
         │      ┌──────┼───┘
         └──────┼──────┘
                │
                │
   $autossh -R 12345:localhost:22 jump@relay
                │
                │ :22
          ┌─────┴─────┐
          │ MACHINE B │
          │           │
          │  (WORK)   │
          │           │
          └───────────┘

Both MachineA and MachineB are behind NAT, i.e. they can not directly connect to each other, neither can the RelayServer to connect directly to them.

We want to access MachineB(workplace) from MachineA(home)

Prerequisites

autossh: Automatically restart SSH sessions and tunnels

Install autossh on both MachineA and MachineB.

1. User and Certs

create a non-root user on RelayServer

[me@relayserver]$ sudo useradd -m jump
[me@relayserver]$ sudo passwd jump
[me@relayserver]$ sudo passwd jump

Make sure ssh login via password is disabled:

# /etc/ssh/sshd_config

PasswordAuthentication no

Install the ssh pubkeys of both MachineA and MachineB to RelayServer,i.e.

[me@relayserver]$ cat machineA_ssh.pub >> ~/.ssh/authorized_keys

2. Set up the tunnel

On MachineB

1

autossh -M0 -R 12345:localhost:22 -oServerAliveInterval=20 -oServerAliveCountMax=3 jump@relayserver

On MachineA

# append to .ssh/config

Host forward_to_machineB
    Hostname vnil.de
    User jump
    ServerAliveInterval 20
    ServerAliveCountMax 3
    ExitOnForwardFailure yes
    LocalForward 23456 localhost:12345

Host tunnel_machineB
    Hostname localhost
    User <UserNameOnMachineB>
    Port 23456

Connect!

On MachineA(Home) first¹

1

autossh -M0 forward_to_machineB

then (in another terminal)

1

ssh tunnel_machineB

Main Ref: “SSH access to office host behind NAT router” - https://superuser.com/a/277220

I’d like to run it in a tmux session to keep the connection alive.. ↩︎

[+] click to leave a comment [+]

the comment system on this blog works via email. The button
below will generate a mailto: link based on this page's url 
and invoke your email client - please edit the comment there!

[optional] even better, encrypt the email with my public key

- don't modify the subject field
- specify a nickname, otherwise your comment will be shown as   
  anonymous
- your email address will not be disclosed
- you agree that the comment is to be made public.
- to take down a comment, send the request via email.

>> SEND COMMENT <<