We are using OPENVPN to access our server over private IP with Jump Box. Our architecture is like below it may help us to undertsand the environment:
We are using 5 different subnet and want to access them via openvpn. The subnet are below:
10.110.0.0/20
10.120.0.0/20
10.121.0.0/20
10.130.0.0/20
10.133.0.0/20
our VPN server and Jump Box exist in the 10.133.0.0/20 subnet. Below are the route from my laptop when we are connected with OPENVPN:
dagar#dagar:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.43.1 0.0.0.0 UG 600 0 0 wlp1s0
10.133.0.0 172.21.1.1 255.255.0.0 UG 0 0 0 tun0
Below is my .ssh/config file configuration:
Host 10.139.*.*
IdentityFile "/home/dagar/.ssh/id_rsa"
User admin
ProxyCommand ssh -W %h:%p abc#10.133.27.252 -p 911
Port 911
Host 10.133.*.*
IdentityFile "/home/dagar/.ssh/id_rsa"
User admin
ProxyCommand ssh -W %h:%p abc#10.133.27.252 -p 911
Port 911
In the above configuration 10.133.27.252 is my Jump Box server IP.
We are able to SSH all subnet server using Jump Box with above configuration except 10.133.0.0/20 subnet servers.
We are able to SSH 10.133.0.0/20 servers directly from user laptop when we comment the ProxyCommand from .ssh/config file for 10.133.00/20 subnet.
We want to SSH 10.133.0.0/20 subnet machines also via Jump Box.
Can you please help me why its not working for one subnet?
Any help or guidance will be appriciated.
Thank You
Related
I am running a home network with a ddwrt installed router.
I can ssh into the router from homenetwork, i can ssh in the pc from inside the homenetwork, i can ssh into the router from outside the home network ( static public ip).
Now i want to ssh in my pc from outside the home network, as far as i have understood, to do that i need to create a ssh tunnel. I am using the following command :
ssh -L bbbb:hoomepcip:22 root:externalip
after doing this i open another terminal and i
ssh homepcusername#externalip -p bbbb
but it does not work, what am i doing wrong
Isn't the first command supposed to do a port forward in the router so everything i send to it's external ip on bbbb port goes to 22 of my home pc?
for now i have made a permanent port forward on the router gui, but i would like to not use that and open the port when i need to ssh.
both the router and the pc have SSH server installed, the router has dropbear the pc openssh
I found the solution for me.
So as i said i needed a way to ssh into my pc from outside my network through my router.
first open a terminal window and type
ssh -L bbbb:homepcIP:cc myrouterusername#mywanip -p aa
this will connect you to the router and forward port bbbb(chose a number from 1024-60000) to cc in your pc(usually 22)
type the password and leave it open
then open a new terminal window and type
ssh pcUSERNAME#localhost -p bbbb
bbbb in this case can be any port number you choose(best if above 1024, and max limit is 60000ish)
cc and bb are the port of the ssh servers (cc of my pc and bb of my router, they usually are 22 but it can change depending on conifguartion)
the key here is the "localhost" i always typed my pc ip in there but you have to type localhost and it connects to the pc correctly.
Also you have to have enabled SSH TCP Forwarding in the first server
Instead of SSH tunneling, you might consider tailscale.
See for instance "How to secure an Ubuntu server using Tailscale and UFW", which will restrict ssh access to be only over Tailscale, and use UFW (Uncomplicated Firewall) to restrict non-Tailscale traffic to your server.
That will give you a Tailscale IP address (starting with 100.x.y.z) which can be used to SSH, while your public internet IP would not allow SSH.
You can then add MFA (multi-factor auth) if you want.
Other example: "How to Setup SSH using Tailscale or Ngrok" from Ibrahim Jarif.
I've never connected to a remote server before. I want to connect to my company's remote server then jump to another IP address.
I followed VS Code Guide here and connected to the server, but I'm not sure how to jump to the IP address.
Could anyone help me? Thanks a lot!
I've managed to get it working using the ProxyCommand option, as described in the VSCode Remote SSH Tips & Tricks page, as chocolatte's answer didn't work for me with VSCode 1.51.1:
# Jump box with public IP address
Host jump-box
HostName <Jump-Box-IP>
User <Your-Jump-Box-User-Name>
IdentityFile path/to/.ssh/id_rsa
# Target machine with private IP address
Host target-box
HostName <IP address of target>
User <Your-Private-Machine's-User-Name>
IdentityFile path/to/.ssh/id_rsa
ProxyCommand ssh -q -W %h:%p jump-box
Note: you can use the same IdentityFile for both hosts
Update: After a while this stopped working. What solved this issue is changing ssh to ssh.exe:
ProxyCommand ssh.exe -q -W %h:%p jump-box
I figured it out.
I wanted to connect to my company's private server. In order to do that, I must connect to my company's host server. When I'm in the host server, I have to connect to a private server (sorry for not phrasing my question in a clearer sense).
I'm leaving my solution here for future reference.
In VS Code, do F1 (fn+F1 on Mac) -> Remote-SSH: Connect to Host -> Configure SSH Host -> /Users//.ssh/config.
From there, edit the config file as follows:
Host <host-name>
HostName <IP-address>
Port <specify-port-number-here>
User <user-name>
### The Remote Host
Host <private-server-name>
HostName <IP-address>
Port <specify-port-number-here>
User <user-name>
ProxyJump <host-name>
Save the config file and connect to the private server by F1 -> Remote-SSH: Connect to Host -> private-server-name
I set up a Proxy command to get to a test box I'm working on that is acting like a host and is not connected to the internet. The set up is accessible from my home from one of my new Raspberry Pi 3 with a built-in wifi that I dedicate to connecting to the test box and it's private network.
If I need to connect to that machine from another computer (other than the raspberry pi 3) I can do so using host hopping with a ProxyCommand in my ssh config on the given machine. e.g.:
host testbox
Hostname 10.10.1.1
Port 2222
User myuser
TCPKeepAlive yes
ForwardX11 yes
ForwardX11Trusted yes
ProxyCommand ssh rpithree nc %h %p
Here's the question. Since the testbox is not connected to the internet, I set up a squid server on the raspberry pi that I can use through a port tunnel when connecting directly from the Pi 3 to the testbox or vice versa. I know I can run ssh -N with the port forwarding and background it with nohup, but since I'm hopping through that pi 3 anyway, I was wondering if there was some way to modify the proxy command so that it picks up port 3128 on the way through and forwards it as needed?
I am attempting a multi-hop SSH tunnel that needs to route traffic in both directions. My network config is:
My personal shell is on machineA
machineA can SSH into machineB
machineB can SSH into machineC
machineC is locally connected via ethernet to machineD
There is a service running on machineD wherein machineC sends UDP packets to machineD's portX, and machineD sends its replies via UDP to machineC's portY.
I have successfully done the following:
(from machineA)
ssh machineB
(from resulting shell)
ssh machineC
(from resulting shell)
echo "my command" | nc -u machineD portX #Send command to machineD's service
nc -ul portY #Read the results on machineC's port
I would like to do all of this via tunnels, so that I can run custom scripts directly on machine A to formulate service commands and parse the results. I tried the following in my .ssh config file:
host machineB
hostname x.x.x.x
user username_machineB
localforward 1234 machineC:22
host machineC
hostname localhost
user username_machineC
port 1234
localforward 1235 machineD:portX
remoteforward 1236 localhost:portY
I thought I could then do the following:
(from machineA)
ssh machineB
(from machineA again)
ssh machineC
(from machineA again)
echo "my command" | nc -u localhost 1235
nc -ul 1236
But...it doesn't seem to work. I don't see any of the expected replies on 1236. I'm not exactly sure how to debug this. I'm also not entirely sure of the format of those "localforward" and "remoteforward" lines on machineC's configuration. I don't know who will be interpreted as "localhost" when evaluating those lines. I suspect that remoteforwarding might be disabled on machineC, but I want to make sure I have configured everything else correctly first. Am I Doing It Wrong?
Alternatively, is there another way to achieve my end goal without having to change any configuration on machineB, C, or D? What I would like to do is use machineA to programatically construct complex commands intended for machineD, and parse the results using scripts on machineA as well.
You have to think backwards when you are doing this.
So basically machC can talk to machD's portX.
So you really want to run this on machA:
ssh machC
This is your end goal since that machine sends and receives from machD
Now you cannot get to machC directly, this is where your ProxyCommand entries come in.
host machC
ProxyCommand ssh machB nc %h %p
So you said machA can ssh to machB no problem. now if you do:
ssh -v machC
You'll see it hop through those things.
But really you want a port forwarding and listener from machC to the ports on machD so you change the machC settings:
host machC
ProxyCommand ssh machB nc %h %p
# first part is port on your current shell, second part is relative to machC
LocalForward 1234 machD:portX
RemoteForward 1235 localhost:portY
so using your example above:
host machineB
hostname x.x.x.x
user username_machineB
host machineC
ProxyCommand ssh machineB nc %h %p
hostname localhost
user username_machineC
localforward 1235 machineD:portX
remoteforward 1236 localhost:portY
Then you can use command:
ssh machineC
use -v to see the hops and tunnels, and -N if you don't care about getting a shell.
Now you can talk to your localhost's port 1235 to send to machineD portX and read from 1236 to listen to machineC portY
Setup:
My computer (linux / unix) has an arbitrary IP address
I can connect to a central linux server which has a static ip
Remote linux systems are set up so they only respond to central server IP address on port 22
I want to port forward through the central server so I can use MySQLWorkbench and make python scripting connections on port 3306 to the remote systems.
Ideally, I would like the syntax for ssh command to make the port forwarding work;
Suppose I want to forward local port 3307 to 3306 on the remote system. Assume my ip is x.x.x.x, the central server IP is y.y.y.y, and the remote system IP is z.z.z.z;
I think it has something to do with ssh -L but I can only forward to the central server so far. Maybe I need to connect to the central server, set up forwarding there, then set up forwarding on my machine? I think functionality exists to do it with a single command using ssh.
If this is a duplicate, it should not be marked as such because without knowing what magic keyword to search for, you can't find the duplicate;
Clarification: port 3306 is NOT open on the remote server. Only 22
ssh -L :3307:z.z.z.z:3306 user#y.y.y.y -Nf
Works fine
or
ssh -L 3307:z.z.z.z:3306 user#y.y.y.y -Nf
To only bind to x.x.x.x's localhost
The first example binds to all interfaces
edit...
Just seen that z.z.z.z only has port 22 open.
on y.y.y.y you will also need to have a local port open
run on y.y.y.y
ssh -L 3307:localhost:3306 user#z.z.z.z -Nf
then on x.x.x.x
ssh -L 3307:localhost:3307 user#y.y.y.y -Nf
run these commands in a screen for best results
You can actually condense these 2 commands together
ssh -L 3307:localhost:3307 user#y.y.y.y -f 'ssh -L 3307:localhost:3306 user#z.z.z.z -Nf'
ssh -L <local-port-to-listen>:<remote-host>:<remote-port>
The āLā switch indicates that a local port forward is need to be created
Best method is to create the tunnel using putty (ssh client). so you can start the shell, and it will create the ssh tunnel for you. this is a good reference
https://howto.ccs.neu.edu/howto/windows/ssh-port-tunneling-with-putty/