set up SSH tunnel for machines behind NAT

Quick ssh forwarding setup:

0. Topology

          ┌───────────┐
          │ MACHINE A │
          │           ├─────────────┐
          │  (HOME)   │             │
          │           │    ssh -p 23456 user@machineB
          └─────┬─────┘             │
                │ :23456◄───────────┘
                │
                │
   $autossh -L 23456:localhost:12345 jump@relay
                │
         ┌──────┼──────┐
         │      └──────┼───┐
         │             │   ▼
         │   RELAY     │:12345
         │             │   ▲
         │      ┌──────┼───┘
         └──────┼──────┘
                │
                │
   $autossh -R 12345:localhost:22 jump@relay
                │
                │ :22
          ┌─────┴─────┐
          │ MACHINE B │
          │           │
          │  (WORK)   │
          │           │
          └───────────┘

Both MachineA and MachineB are behind NAT, i.e. they cannot connect directly to each other, and RelayServer cannot connect directly to either of them; only outbound connections from MachineA and MachineB to RelayServer are possible.

We want to access MachineB (workplace) from MachineA (home).

Prerequisites

autossh: Automatically restart SSH sessions and tunnels

Install autossh on both MachineA and MachineB.

1. User and Certs

Create a non-root user on RelayServer:

[me@relayserver]$ sudo useradd -m jump
[me@relayserver]$ sudo passwd jump

Make sure ssh login via password is disabled on RelayServer. Note that sshd uses the first value it finds for a keyword, so an earlier line (or a drop-in pulled in by an Include directive above your edit) wins over a PasswordAuthentication no appended at the end; 'sshd -T' prints the effective setting.

# /etc/ssh/sshd_config

PasswordAuthentication no

Install the SSH public keys of both MachineA and MachineB into the jump user's authorized_keys on RelayServer (note that the prompt below is the admin user, so ~ would be the wrong home directory), i.e.

[me@relayserver]$ sudo -u jump install -d -m 700 /home/jump/.ssh
[me@relayserver]$ cat machineA_ssh.pub machineB_ssh.pub | sudo -u jump tee -a /home/jump/.ssh/authorized_keys
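The jump account only exists to carry the two forwardings, so its keys should not be able to do anything else. As an added example (not code from the original post), the following POSIX sh helpers generate authorized_keys lines restricted to the post's ports (12345 on the relay, opened by MachineB and connected to by MachineA), flag any key in the file that lacks the restrict option, and show the sshd first-match rule that makes an appended PasswordAuthentication no ineffective when an earlier line says yes. The key material in the comments and tests is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for hardening the
# relay's "jump" account: restricted authorized_keys entries and a check of
# the sshd_config first-match rule. Port numbers follow the post (12345 is
# bound on the relay by MachineB and reached by MachineA); any key data used
# with these functions in this example is constructed, not a real key.

# Emit an authorized_keys line that can only be used for the tunnel.
#   $1  role: "reverse" (MachineB, runs ssh -R) or "local" (MachineA, runs ssh -L)
#   $2  port on the relay that MachineB binds and MachineA connects to
#   $3  public key as found in the .pub file ("ssh-ed25519 AAAA... comment")
# "restrict" disables pty, agent/X11 forwarding and ~/.ssh/rc; "port-forwarding"
# re-enables TCP forwarding, and permitlisten/permitopen confine it to one port.
restricted_key_line() {
    case "$1" in
        reverse) opts="restrict,port-forwarding,permitlisten=\"$2\"" ;;
        local)   opts="restrict,port-forwarding,permitopen=\"localhost:$2\"" ;;
        *)       echo "restricted_key_line: unknown role '$1'" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$opts" "$3"
}

# Read an authorized_keys file on stdin and print every active key line whose
# option list does not contain "restrict"; returns 1 if any were found.
# (Option values containing spaces, e.g. command="a b", are not handled.)
unrestricted_keys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 !~ /(^|,)restrict(,|$)/ { print NR ": " $0; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# sshd uses the FIRST value it meets for a keyword, so "PasswordAuthentication
# no" appended to the end of sshd_config loses to an earlier "yes", including
# one pulled in by an Include line above it. This reads the global section of
# a config given on stdin ("keyword value" form) and prints the value sshd
# would take. Include'd files are not followed here; on the relay itself
# "sshd -T | grep -i passwordauthentication" prints the authoritative value.
sshd_first_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"     { exit }      # conditional Match blocks start here
        tolower($1) == key         { print $2; exit }'
}
```

Typical use on the relay: pipe each machine's .pub file through restricted_key_line with the matching role before appending it to /home/jump/.ssh/authorized_keys, and run unrestricted_keys over that file afterwards. Because the clients in the post do not pass -N, sshd still starts a (non-interactive) shell for the session; the restrict option keeps that shell without a pty, agent or X11 forwarding, but adding -N on the client side is the cleaner way to request forwarding only.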

2. Set up the tunnel

On MachineB:

autossh -M0 -R 12345:localhost:22 -oServerAliveInterval=20 -oServerAliveCountMax=3 jump@relayserver

-M0 disables autossh's own monitor port; the ServerAlive options let ssh itself notice a dead connection, after which autossh restarts it.

On MachineA:

# append to .ssh/config

Host forward_to_machineB
    Hostname vnil.de
    User jump
    ServerAliveInterval 20
    ServerAliveCountMax 3
    ExitOnForwardFailure yes
    LocalForward 23456 localhost:12345

Host tunnel_machineB
    Hostname localhost
    User <UserNameOnMachineB>
    Port 23456

Connect!

On MachineA (Home), first [1]:

autossh -M0 forward_to_machineB

then (in another terminal):

ssh tunnel_machineB
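The footnote suggests keeping the autossh session alive in tmux. As an added example (not code from the original post), here is the MachineB side of step 2 as a systemd service, so the reverse tunnel comes up at boot and is restarted on failure. The unit name ssh-reverse-tunnel.service, the local user "tunnel" and the path /usr/bin/autossh are assumptions; the user is expected to own the key installed for jump@relayserver and to have the relay's host key in its known_hosts already.

```shell
#!/bin/sh
# Added example, not code from the original post. Instead of keeping MachineB's
# autossh alive inside tmux, run it as a systemd service so it starts at boot
# and is restarted on failure. Assumptions (hypothetical, adjust to your
# setup): a dedicated local user "tunnel" owns the key installed for
# jump@relayserver and already has the relay in its known_hosts; autossh lives
# in /usr/bin; the unit name ssh-reverse-tunnel.service is invented here.

# Print the unit file to stdout.
#   $1 relay host   $2 port to bind on the relay   $3 local sshd port (22)
#   $4 local user to run as (tunnel)
reverse_tunnel_unit() {
    relay=${1:?relay host}; rport=${2:?relay port}; lport=${3:-22}; runas=${4:-tunnel}
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel: $relay:$rport -> localhost:$lport
After=network-online.target
Wants=network-online.target

[Service]
User=$runas
# AUTOSSH_GATETIME=0: do not give up if the very first connection fails (the
# network may not be up yet at boot); systemd's Restart= covers retries.
Environment=AUTOSSH_GATETIME=0
# -M0: no monitor port, the ServerAlive* options detect a dead link instead.
# -N: request no remote shell at all, forwarding only; pairs with a
#     "restrict,port-forwarding" key on the relay.
# ExitOnForwardFailure: if $relay:$rport is still held by a stale session, exit
#     non-zero so systemd retries rather than staying up with no tunnel.
# StrictHostKeyChecking=yes: never accept an unknown relay host key unattended.
ExecStart=/usr/bin/autossh -M0 -N -oServerAliveInterval=20 -oServerAliveCountMax=3 -oExitOnForwardFailure=yes -oStrictHostKeyChecking=yes -R $rport:localhost:$lport jump@$relay
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit into a systemd unit directory (default /etc/systemd/system)
# and print the commands that enable it. $5 overrides the directory.
install_reverse_tunnel_unit() {
    dir=${5:-/etc/systemd/system}
    unit="$dir/ssh-reverse-tunnel.service"
    reverse_tunnel_unit "$1" "$2" "$3" "$4" > "$unit" || return 1
    chmod 0644 "$unit"
    printf 'wrote %s\nnext: systemctl daemon-reload && systemctl enable --now %s\n' \
        "$unit" "$(basename "$unit")"
}
```

Run install_reverse_tunnel_unit relayserver 12345 22 tunnel as root on MachineB, then the two systemctl commands it prints. The MachineA side (autossh -M0 -N forward_to_machineB with the same Environment= and Restart= settings) is the same shape. One relay-side caveat: ExitOnForwardFailure only helps if the relay releases the port of a dead session promptly, so set ClientAliveInterval and ClientAliveCountMax in the relay's sshd_config as well; otherwise a reconnect attempt can fail on "remote port forwarding failed" until the relay times out the old session on its own.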

Main Ref: “SSH access to office host behind NAT router” - https://superuser.com/a/277220


[1] I’d like to run it in a tmux session to keep the connection alive.

edited 06.10.2023
created 03.10.2023
EOF
