
319 points SpaghettiX | 10 comments

1. marginalia_nu (No.30284730)
> Each port is also limited to a single machine, so you'd have to choose a different port for a different machine.

I would probably set up one gateway machine, and then from that machine log into other machines on the network; instead of exposing them all to the Internet. SSH allows you to chain logins thus:

  ssh -A -t user@public-gateway ssh -A -t user2@server-behind-dmz

It's a lot less work to lock down one machine really tight enough to expose them to the public Internet than to do it on the entire network.

2. jgtrosh (No.30284739)
Use -J or ProxyJump in .ssh/config for a modern equivalent.

3. marginalia_nu (No.30284747)
I guess my bash aliases are a bit old-fashioned :P

4. amiller2571 (No.30285263)
That's how we do it where I work. We have a bastion server we SSH into to access other systems in the network.

Pretty easy to set up SSH to use it to hop through with just one command.

https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump

5. trinovantes (No.30285565)
I use this alias in my .ssh/config to connect through a gateway machine:

    Host myserver
        User user
        ProxyCommand ssh -q public-server nc -q0 private-server 22

I can't remember what these flags actually do, but they seem to get the job done.

6. neurostimulant (No.30286600)
Unfortunately it doesn't work if you're behind a NAT due to a shitty ISP, like me. I use AutoSSH instead to expose my local machine's ssh port on a high port in the gateway machine: `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain`

ServerAliveInterval 30 is important because my ISP often drops idle connections, often not even 1 minute idle. Can probably tweak it to listen on a localhost-only port instead of exposing them to the internet.

7. lxgr (No.30291309)
Yes, please only use this!

The big advantage of this (over ssh user@host1 ssh user@host2) is that the jump host only sees the encrypted inner connection – it doesn't get access to the client's SSH agent/keychain, nor to the target host (host2) or data transmitted over the connection.

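Putting the thread's variants together as ~/.ssh/config entries (an added example, not code from any commenter; host names, user names and paths are placeholders): the agent-free ProxyJump form of the chained login from comment 1, an `ssh -W` replacement for the nc-based ProxyCommand alias from comment 5, and the reverse tunnel from comment 6 with the forwarded port bound to the gateway's loopback.

```sshconfig
# Added example: ~/.ssh/config equivalents of the commands in this thread.
# All host names below are placeholders.

# The gateway is the only machine that needs to be reachable from the Internet.
Host gateway
    HostName public-gateway.example.com
    User user
    IdentityFile ~/.ssh/id_ed25519
    # Never hand the agent to the gateway; ProxyJump makes -A unnecessary.
    ForwardAgent no

# Comment 1's chain "ssh -A -t user@public-gateway ssh -A -t user2@server-behind-dmz"
# without -A: the gateway only relays an encrypted TCP stream, so it sees
# neither the agent socket, nor the inner session's keys, nor its traffic.
Host dmz-server
    HostName server-behind-dmz.internal
    User user2
    ProxyJump gateway

# Comment 5's ProxyCommand alias in the pre-ProxyJump form, using ssh -W
# (stdio forwarding) instead of "nc -q0", so the gateway needs no netcat.
Host myserver-legacy
    HostName private-server.internal
    User user
    ProxyCommand ssh -q -W %h:%p gateway

# Comment 6's reverse tunnel from a NAT'd machine, with the remote listener
# bound to the gateway's loopback only (the "localhost-only port" idea).
# Start it with "ssh -N nat-tunnel" or "autossh -M 0 -N nat-tunnel".
Host nat-tunnel
    HostName my-vps.example.com
    User user
    ServerAliveInterval 30
    ServerAliveCountMax 3
    # Let the session die (so autossh restarts it) if the port is still taken.
    ExitOnForwardFailure yes
    RemoteForward 127.0.0.1:22222 localhost:22

# From a laptop, reach the NAT'd machine by jumping through the gateway to
# that loopback-bound port; again nothing sensitive is exposed to the gateway.
Host home-box
    HostName 127.0.0.1
    Port 22222
    User user
    ProxyJump gateway
```

`ssh -G dmz-server` prints the fully resolved options for a host entry, which is a quick way to confirm that `forwardagent no` and the expected `proxyjump` took effect.
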
8. taftster (No.30291667)
ProxyJump is slightly preferred in modern SSH. Does what you're doing, but with simpler syntax. Take a look.

9. trinovantes (No.30296601)
Thanks, I see that it's a fairly recent addition to OpenSSH.

I wrote that alias about a decade ago when it wasn't available for me yet.

10. taftster (No.30305194)
Yeah, it's a new parameter, based on exactly this common use case.