Overview
Previously I wrote SSH Tunnel Tips, which introduced some SSH tunneling techniques but lacked context and coherence, so I have reorganized it here around a network topology diagram to give a better explanation of what I am doing.
Network Basics
Suppose my network situation is a simplification of the following topology.
(Figure: simplified network topology of the Home PC, the Office PC and the VPS)
Here are the operations one might want to perform:
- SSH directly from the Home PC to the Office PC
- SSH from the Office PC to the Home PC (same as above)
- SSH directly from the Home PC to the VPS
- SSH from the Office PC to the VPS (same as above)
- SSH from the VPS to the Home (or Office) PC
Of these scenarios, the easiest to implement is SSH from the Home PC to the VPS, which is also the operation we perform most often. It is easy because the VPS has a public IP, so packets from the Home PC can be routed to it directly.
As the figure shows, the essential difference between the PCs and the VPS is that each PC sits behind a router. If a PC were attached to the ISP network directly, could it have a public IP of its own? With the spread of fibre, even a connection without a router does not attach you to the ISP's backbone but to one of the ISP's splitters (FTTB and the like). So a PC or router holding a public IP is not the general case, and even where one does, the ISP will probably restrict it to a few ports, so it is of limited use.
SSH Tunneling
So, to get to the point of this article: since you cannot connect to the PC from outside, can you do the opposite and have the PC initiate the connection itself? That is the principle of SSH tunneling.
[root@liqiang.io]# ssh -qngfNTR 9999:localhost:8888 root@192.168.29.48
Here the PC opens an SSH session to 192.168.29.48, and -R 9999:localhost:8888 asks that host to listen on its port 9999 and forward whatever arrives there back through the session to port 8888 on the PC. The remaining flags keep the session quiet and headless: -N runs no remote command, -T allocates no tty, -f sends ssh to the background once the tunnel is up, -n redirects stdin from /dev/null and -q suppresses messages. -g permits other hosts to connect to ports forwarded with -L; for a -R listener that decision is made by the server's GatewayPorts setting (see Tips below).
Command Line Quick Use
[root@liqiang.io]# cat ~/.ssh/config
Host jump
HostName 10.0.0.102
Port 22
User root
IdentityFile /root/.ssh/id_rsa
ForwardAgent yes
Host 10.0.0.87
HostName 10.0.0.87
ProxyJump jump
User zhangsan
- First make sure you can log in directly to the jump host 10.0.0.102.
- 10.0.0.87 is then reached through the 10.0.0.102 jump host (ProxyJump).
Tips
By default the port that -R opens on the remote host is bound to loopback only, so other machines cannot reach the tunnel. To let it bind to other addresses, enable GatewayPorts in the sshd_config of the SSH server you tunnel to:
[root@liqiang.io]# cat /etc/ssh/sshd_config
GatewayPorts = yes
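As an added example (not from the original post), the following Python script reports the GatewayPorts value an sshd will actually apply. sshd uses the first occurrence of a keyword, so a `GatewayPorts yes` appended below an earlier `GatewayPorts no`, or placed inside a Match block, does not change the global behaviour. The sample configuration inside the script is constructed, and the function names are this example's own.

```python
"""Report the effective GatewayPorts setting of an sshd_config.

Added example, not from the original post. Relies on sshd_config(5) rules:
keywords are case-insensitive, keyword and value are separated by whitespace
or by optional whitespace and one '=', lines starting with '#' are comments,
the FIRST occurrence of a keyword wins, and directives after a 'Match' header
apply only to matching connections. Include directives are not followed.
"""
import re

DEFAULT = "no"   # sshd's default when GatewayPorts is absent: loopback only

# key, then either "=" (with optional spaces) or whitespace, then the value
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+?)$")

# Constructed sample, not a real server's file.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
GatewayPorts no
PermitRootLogin prohibit-password
GatewayPorts = yes        # added later; sshd ignores it, first occurrence wins
Match User tunneluser
    GatewayPorts clientspecified
"""


def parse_directives(text):
    """Yield (keyword_lowercase, value, inside_match_block) for each directive."""
    in_match = False
    for raw in text.splitlines():
        # GatewayPorts values never contain '#', so trailing comments are safe to cut
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True          # everything below is conditional
        yield key, value, in_match


def effective_gateway_ports(text):
    """Return (global_value, conditional_values) for GatewayPorts.

    global_value is the first GatewayPorts outside any Match block, or the
    default "no"; conditional_values lists settings found inside Match blocks,
    which apply only to the connections those blocks select.
    """
    global_value, conditional = None, []
    for key, value, in_match in parse_directives(text):
        if key != "gatewayports":
            continue
        if in_match:
            conditional.append(value.lower())
        elif global_value is None:
            global_value = value.lower()   # later global lines are ignored by sshd
    return (global_value or DEFAULT), conditional


def remote_forward_exposure(value):
    """Describe where an 'ssh -R' listener may bind under a GatewayPorts value."""
    return {
        "no": "loopback only; other hosts cannot reach the tunnel",
        "yes": "wildcard address; reachable from any host that can reach the server",
        "clientspecified": "the bind_address the ssh -R client asked for",
    }.get(value, "unrecognised value: " + value)


if __name__ == "__main__":
    value, conditional = effective_gateway_ports(SAMPLE_SSHD_CONFIG)
    print("global GatewayPorts:", value, "->", remote_forward_exposure(value))
    for v in conditional:
        print("inside a Match block (conditional):", v)
```

Point the script at a real file with `effective_gateway_ports(open("/etc/ssh/sshd_config").read())`; a result of `no` means the tunnel opened with -R stays private to the server even though a later line in the file says `yes`.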
Proxy UDP
Reverse Proxy
Local machine
[root@liqiang.io]# yum install -y nc
[root@liqiang.io]# mkfifo /tmp/fifo
[root@liqiang.io]# nc -l -p 1162 < /tmp/fifo | nc -u localhost 1163 > /tmp/fifo
This listens for TCP connections on port 1162 of the machine and sends the data received to localhost:1163 as UDP.
Remote machine
[root@liqiang.io]# mkfifo /tmp/fifo
[root@liqiang.io]# nc -l -u -p 1163 < /tmp/fifo | nc localhost 1162 > /tmp/fifo
This listens for UDP on port 1163 of the machine and sends the received UDP traffic over the TCP link to localhost:1162.
Points to note
- Run the command on the local machine before the one on the remote server; otherwise the server side will not work properly because there is no data.
- One problem I have encountered is that this way I can only receive UDP once; the second time it is not received successfully.
- This is the reverse-proxy case; the forward-proxy setup is the mirror image.