set up SSH tunnel for machines behind NAT
Quick ssh forwarding setup:
0. Topology
┌───────────┐
│ MACHINE A │  ssh -p 23456 user@machineB
│  (HOME)   │────────┐
└─────┬─────┘        │
      │ :23456 ◄─────┘
      │
      │  $ autossh -L 23456:localhost:12345 jump@relay
      ▼
┌───────────┐
│   RELAY   │ :12345
└───────────┘
      ▲
      │  $ autossh -R 12345:localhost:22 jump@relay
      │
┌─────┴─────┐
│ MACHINE B │ :22
│  (WORK)   │
└───────────┘
Both MachineA and MachineB are behind NAT, i.e. they cannot connect directly to each other, nor can the RelayServer connect directly to either of them. Only outbound connections from MachineA and MachineB to the RelayServer are possible.
We want to access MachineB (workplace) from MachineA (home).
Prerequisites
autossh: Automatically restart SSH sessions and tunnels
Install autossh on both MachineA and MachineB.
1. User and keys
Create a non-root user on RelayServer:
[me@relayserver]$ sudo useradd -m jump
[me@relayserver]$ sudo passwd jump
Make sure ssh login via password is disabled:
# /etc/ssh/sshd_config
PasswordAuthentication no
Install the ssh pubkeys of both MachineA and MachineB into the jump user's authorized_keys on RelayServer (not into your own), i.e.
[me@relayserver]$ sudo install -d -m 700 -o jump -g jump /home/jump/.ssh
[me@relayserver]$ sudo -u jump tee -a /home/jump/.ssh/authorized_keys < machineA_ssh.pub > /dev/null
2. Set up the tunnel
On MachineB, open the reverse tunnel shown in the topology diagram: port 12345 on the relay's loopback is mapped back to MachineB's own sshd on port 22.
[user@machineB]$ autossh -R 12345:localhost:22 jump@relay
On MachineA
# append to .ssh/config
Host forward_to_machineB
Hostname vnil.de
User jump
ServerAliveInterval 20
ServerAliveCountMax 3
ExitOnForwardFailure yes
LocalForward 23456 localhost:12345
Host tunnel_machineB
Hostname localhost
User <UserNameOnMachineB>
Port 23456
Connect!
On MachineA (Home), first open the forward to the relay using the forward_to_machineB alias defined above[1]:
[me@machineA]$ autossh forward_to_machineB
then (in another terminal) connect to MachineB through the local port, using the tunnel_machineB alias:
[me@machineA]$ ssh tunnel_machineB
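As an added example (not part of the original post), the POSIX-sh helpers below render the two autossh commands from one set of parameters and check a relay-side sshd_config for the PasswordAuthentication setting required in step 1. The relay hostname, the -M 0 and -N flags and the tunnel-only comment are my assumptions, not the post's: -M 0 disables autossh's own monitor port in favour of the ServerAlive* keepalives from the ssh config above, and -N opens no remote shell, so the jump user only ever carries the tunnel.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Renders the MachineA / MachineB tunnel commands and checks the relay's
# sshd_config for the password-login setting the post requires.

RELAY_HOST="relay.example.invalid"   # placeholder (assumption), the post uses its own host
RELAY_USER="jump"                    # the non-root relay user from step 1
RELAY_PORT="12345"                   # port MachineB opens on the relay's loopback
LOCAL_PORT="23456"                   # port MachineA opens on its own loopback
KEEPALIVE_OPTS="-o ServerAliveInterval=20 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes"

# Command MachineB runs: reverse tunnel relay:RELAY_PORT -> MachineB:22.
# -M 0: no autossh monitor port, the ServerAlive* keepalives detect a dead link;
# -N:   no remote shell, the relay account is used only to carry the tunnel.
# Without GatewayPorts on the relay, -R binds to the relay's loopback only, so
# the forwarded port is reachable solely from the relay itself.
machineB_command() {
  printf 'autossh -M 0 -N %s -R %s:localhost:22 %s@%s\n' \
    "$KEEPALIVE_OPTS" "$RELAY_PORT" "$RELAY_USER" "$RELAY_HOST"
}

# Command MachineA runs: local forward MachineA:LOCAL_PORT -> relay:RELAY_PORT.
machineA_command() {
  printf 'autossh -M 0 -N %s -L %s:localhost:%s %s@%s\n' \
    "$KEEPALIVE_OPTS" "$LOCAL_PORT" "$RELAY_PORT" "$RELAY_USER" "$RELAY_HOST"
}

# Return 0 only if the sshd_config at $1 disables password authentication.
# sshd uses the FIRST value it obtains for a keyword, so the first uncommented
# directive wins; a directive that only appears after a Match block, or one
# that is commented out, leaves the default (yes) in force and fails the check.
sshd_password_auth_disabled() {
  val=$(awk '
    { sub(/#.*/, ""); gsub(/=/, " ") }          # drop comments, allow "key=value"
    tolower($1) == "match" { exit }             # global section ends here
    tolower($1) == "passwordauthentication" { print tolower($2); exit }
  ' "$1")
  [ "$val" = "no" ]
}

# Stand-alone usage: print both commands and check a constructed config.
if [ "${1:-}" = "--demo" ]; then
  machineB_command
  machineA_command
  demo_cfg=$(mktemp)
  printf 'PasswordAuthentication no\n' > "$demo_cfg"   # constructed sample
  if sshd_password_auth_disabled "$demo_cfg"; then echo "password login: disabled"; fi
  rm -f "$demo_cfg"
fi
```

Run it with `sh tunnel_helpers.sh --demo` to print both commands; point `sshd_password_auth_disabled` at the relay's real /etc/ssh/sshd_config to verify step 1 after editing it (a `#PasswordAuthentication no` left commented out, which is the shipped default on many distributions, correctly fails the check).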
Main Ref: "SSH access to office host behind NAT router" - https://superuser.com/a/277220
[1] I'd like to run it in a tmux session to keep the connection alive.