Lets you create an SSH tunnel to connect to remote devices, for example inside a home network

secure-reverse-ssh-tunnel

This project provides ready-to-use tools to reach a remote host through an ssh reverse tunnel and a jump host.

Example

Premise:

  • HTE) Host you wish to expose. Currently network restricted (behind a firewall or a NAT).
  • EUD) End user device, such as a laptop or mobile device, provided with an ssh client.
  • JH) A host publicly accessible over the internet (or on a network reachable by both HTE and EUD) running an OpenSSH server.

Scenario:

  • EUD wants to access a service running on HTE, but HTE can be accessed only from within its own network.
  • EUD can generate outgoing traffic to the internet or external networks.
  • HTE can't accept incoming connections from the internet or other networks.
  • HTE can generate outgoing traffic to the internet or external networks.
  • JH is accessible to both HTE and EUD and runs an OpenSSH server.

Normally, to allow communication between EUD and HTE, you would need to set up a port forward for HTE on its network's edge router, then have EUD connect to the edge router's public IP at the forwarded port.

This might not be feasible, or might be out of HTE's control, so an ssh reverse tunnel can be used instead. With a jump server we establish a tunnel from HTE to JH and, in turn, a connection from EUD to JH, both secured with SSH and our private keys. At this point EUD can access HTE's service just like any other service running on JH. The reverse tunnel binds HTE's port to a JH network-interface:port pair (the jump host's localhost by default; see GatewayPorts yes below). Every request sent to the bound port on JH is forwarded to HTE's port.

In ssh cli terms:

 ssh -R ${JH_PORT}:localhost:${HTE_PORT} ${USER}@${TARGET}

Support us

Whether you use this project, have learned something from it, or just like it, please consider supporting it by donating, so we can dedicate more time to open-source projects like this :)

Donate using Liberapay


Components

  • setup-remote-host.sh: this script must be run as root after the setup steps below
  • authorized_keys: should contain the ssh pubkey for HTE
  • config: example host configuration for the "EUD" computer
  • secure-tunnel@.service: ready-to-use example systemd service
  • targets/*: contains multiple targets to be used as jump servers

Setup

Before you run the script as root user, you should:

  1. append your keypair's pubkey to JH's authorized_keys
  2. edit targets based on the example provided
  3. adjust your EUD's ~/.ssh/config like the one provided
  4. now you are able to run the script as root on HTE

Usage

SystemD


## To enable at boot
systemctl enable secure-tunnel@<target>

## To disable at boot
systemctl disable secure-tunnel@<target>

## To start manually
systemctl start secure-tunnel@<target>

## To stop manually
systemctl stop secure-tunnel@<target>

Tips

To check if the tunnel is active and the dedicated port is up, ssh into your jump host and run:

netstat -tupln | grep 20001

You should see your port associated with the autossh process :)

Remote port forwarding

By default sshd binds forwarded ports only to the server's loopback interface (localhost, 127.0.0.0/8).

For instance the following reverse tunnel :

 ssh -R ${JH_PORT}:localhost:${HTE_PORT} ${USER}@${TARGET}

would result in a bind like this:

127.0.0.1:${JH_PORT}  LISTEN pid/sshd

To expose forwarded ports on every one of the jump host's addresses, add the following to /etc/ssh/sshd_config:

GatewayPorts yes

Note:

Every forwarded port will now be publicly exposed (unless FW rules are in place).

A better approach would be:

GatewayPorts clientspecified

With this setting the client chooses the bind address, so the reverse tunnel above becomes:

 ssh -R ${JH_ADDR}:${JH_PORT}:localhost:${HTE_PORT} ${USER}@${TARGET}
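The port check from the Tips section and the GatewayPorts discussion above, as an added POSIX sh example (not part of the project's scripts): one function reads the effective GatewayPorts value out of sshd_config text, the other classifies where a listener line (netstat -tupln style) binds the tunnel port. The sshd_config fragment and the listener line used at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example, not project code. Assumes POSIX sh with grep and awk.

# Print the effective GatewayPorts value from sshd_config text on stdin.
# sshd uses the first uncommented occurrence; the default is "no".
gateway_ports_mode() {
    mode=$(grep -i '^[[:space:]]*GatewayPorts[[:space:]]' \
           | head -n 1 | awk '{ print tolower($2) }')
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
    else
        printf 'no\n'
    fi
}

# Classify the bind address of the given port from listener lines on
# stdin (netstat/ss output, or the short "ADDR:PORT LISTEN" form used
# above): prints "loopback", "exposed", or "absent".
tunnel_exposure() {
    port=$1
    addr=$(awk -v p=":$port" '{
        for (i = 1; i <= NF; i++)
            if ($i ~ (p "$")) { sub(/:[0-9]+$/, "", $i); print $i; exit }
    }')
    case "$addr" in
        "")               echo absent ;;
        127.*|::1|"[::1]") echo loopback ;;
        *)                echo exposed ;;
    esac
}

# Constructed sample data: a config that was edited and the loopback bind
# that the default GatewayPorts setting produces for the tunnel on 20001.
SAMPLE_SSHD_CONFIG='Port 22
#GatewayPorts yes
GatewayPorts no'
SAMPLE_LISTENER='tcp 0 0 127.0.0.1:20001 0.0.0.0:* LISTEN 4242/sshd'

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gateway_ports_mode
printf '%s\n' "$SAMPLE_LISTENER" | tunnel_exposure 20001
```

Run it on the jump host as `netstat -tupln | tunnel_exposure 20001` (or with `ss -tlnp`) after the tunnel is up; anything other than "loopback" means the forwarded port is reachable from outside the host.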

Local port forward

You can also use your jump host to bind a remote host's web interface (or any other service) to a local port on EUD with:

ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}@${TARGET}

For example to access a remote pihole web interface locally :)


License

You can check out the full license here

This project is licensed under the terms of the GPLv3 license.