secure-reverse-ssh-tunnel

This project provides ready-to-use tools to configure a remote host via an ssh tunnel and a jump host.

Example

Premise:

• HTE) Host you wish to expose. Currently network restricted (behind a FW or a NAT)
• EUD) End user device such as a laptop or mobile device provided with an ssh client.
• JH) A host publicly accessible over the internet (or a network accessible to both HTE and EUD) running Openssh server.

Scenario:

• EUD wants to access a service running on HTE, but HTE can be accessed only from within its own network.
• EUD can generate outgoing traffic to the internet or external networks.
• HTE can't accept incoming connections from the internet or other networks.
• HTE can generate outgoing traffic to the internet or external networks.
• JH is accessible to both HTE and EUD and runs an Openssh server.

Normally, to allow communication between EUD and HTE, you would need to setup a portforward for HTE on its network's edge router. Then have EUD connect to the edge router's Public IP at the forwarded port.

This might not be feasible or out of HTE's control, thus an ssh reverse tunnel can be used. By using a jump server we can establish a tunnel from HTE to JH and respectively a communication from EUD to JH securely, using SSH and our private keys. At this point EUD can access HTE's service just like any other service running on JH. The Reverse tunnel binds HTE's port to JH's network-interface:port (JumpHost's localhost by default, see GatewayPorts) Meaning every request sent to JH's binded port is going to be forwarded HTE's port.

In ssh cli terms:

 ssh -R ${JH_PORT}:localhost:${HTE_PORT} ${USER}@${TARGET}

---

Support us

Whether you use this project, have learned something from it, or simply like it, please consider supporting it by donation, so we can spend more time on open-source projects like this :)

---

Components

• setup-remote-host.sh: This script must be run as root after setup step
• authorized_keys: should contains the ssh pubkey for JH
• config: example host configuration for "EUD" computer
• secure-tunnel@.service: SystemD ready to use example service
• targets/* : contains multiple targets that need to be used as jump servers

---

Setup

Before you run the script as root user, you should:

1. append your keypair's pubkey into JH authorized_keys
2. edit targets based on the example provided
3. adjust your EUD's ~/.ssh/config like the one provided.
4. now you are able to run the script as root on HTE.

---

Usage

SystemD

## To enable at boot
systemctl enable secure-tunnel@<target>

## To disable at boot
systemctl disable secure-tunnel@<target>

## To start manually
systemctl start secure-tunnel@<target>

## To stop manually
systemctl stop secure-tunnel@<target>

---

Tips

To check if the tunnel is active and the dedicated port is up, ssh into your jump host and run:

netstat -tupln | grep 20001

You should see autossh's process to your chosen port :)

Remote port forwarding

By default sshd will bind forwarded ports only to the server's loopback interface (localhost, 127.0.0.0/8)

For instance the following reverse tunnel :

 ssh -R ${JH_PORT}:localhost:${HTE_PORT} ${USER}@${TARGET}

would result in a bind like this:

127.0.0.1:${JH_PORT}  LISTEN pid/sshd

To expose forwarded ports over every jumphost's IP (0.0.0.0) add the following to /etc/ssh/sshd_config

GatewayPorts yes

Note:

Every forwarded port will now be publicly exposed (unless FW rules are in place.)

A better approach would be:

GatewayPorts clientspecified

The reverse tunnel above becomes;

 ssh -R ${JH_ADDR}:${JH_PORT}:localhost:${HTE_PORT} ${USER}@${TARGET}

Local port forward

You could use your Jump Host even to bind a local port to a web interface on a remote host or something else with:

ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}${TARGET}

For example to access a remote pihole web interface locally :)

---

License

You can check out the full license here

This project is licensed under the terms of the GPLv3 license.