SSH into private machines from anywhere using Cloudflare Tunnel

(orth.uk)

319 points SpaghettiX | 2 comments | 10 Feb 22 09:18 UTC | HN request time: 0.002s | source

Show context

marginalia_nu ◴[10 Feb 22 11:18 UTC] No.30284730[source]▶

> Each port is also limited to a single machine, so you'd have to choose a different port for a different machine.

I would probably set up one gateway machine, and then from that machine log into other machines on the network; instead of exposing them all to the Internet. SSH allows you to chain logins thus:

  ssh -A -t user@public-gateway ssh -A -t user2@server-behind-dmz

It's a lot less work to lock down one machine really tight enough to expose them to the public Internet than to do it on the entire network.

replies(4): >>30284739 #>>30285263 #>>30285565 #>>30286600 #

trinovantes ◴[10 Feb 22 13:17 UTC] No.30285565[source]▶

>>30284730 #

I use this alias in my .ssh/config to connect through a gateway machine:

    Host myserver
        User user
        ProxyCommand ssh -q public-server nc -q0 private-server 22

I can't remember what these flags actually do but they seem to get the job done

replies(1): >>30291667 #

taftster ◴[10 Feb 22 20:02 UTC] No.30291667[source]▶

>>30285565 #

ProxyJump is slightly preferred in modern SSH. Does what you're doing, but with simpler syntax. Take a look.

replies(1): >>30296601 #

1. trinovantes ◴[11 Feb 22 03:37 UTC] No.30296601[source]▶

>>30291667 #

Thanks, I see that it's a fairly recent addition to OpenSSH

I wrote that alias about a decade ago when it wasn't available for me yet

replies(1): >>30305194 #

2. taftster ◴[11 Feb 22 18:30 UTC] No.30305194[source]▶

>>30296601 (TP) #

Yeah, it's a new parameter, based on exactly this common use case.

↑