Ssh – How to set up a server for reverse SSH tunneling that can be used by multiple users

amazon-web-servicessshssh-tunnel

Sorry for the wall of text, I'm a bit of a newbie but have exhausted my search resources.

In order to establish a public IP for my local Django development server, I set up an AWS micro instance as a server for reverse SSH tunneling. The public IP points to the tunnel server, and I create a reverse tunnel from my local machine to the tunnel server which forwards traffic between the public IP and my machine. Here's the command if you're interested:

autossh -M 8001:8001 -NR 80:localhost:8000 root@mytunnelserver.com -v

I am now working on on-boarding another developer and need to set up something similar for him. I could create a clone of my setup (essentially creating a new tunnel server just for him) but that seems messy, especially as I need to add more developers in the future.

Is there a way to set up a single server that multiple users can use for setting up reverse SSH tunnels, considering those users have unique public IPs but are forwarding the same ports? Basically, can both me and my partner use the same server for reverse SSH tunneling, properly forwarding traffic across the same ports for different public IPs?

Thanks in advance and please let me know if I can clarify.

Best Answer

we use it that way:

install a local script for the tunnel (so you don't have to remember :) ) - like:

_username_local.domain.org.sh_

#!/bin/sh
echo "local: 8080 - remote: 8081"
echo "http://username-local.domain.org/"
ssh root@domain.org -R 8081:localhost:8080 -g

so the first user listens on the remote port 8081, the second on 8082 etc.

on the server setup nginx as reverse proxy, one 'server' per user:

upstream user_1 {
    server localhost:8081 fail_timeout=0;
}
server {
    listen   80;
    server_name username-local.domain.org;
    location / {
        proxy_redirect off;
        proxy_pass   http://user_1;
    }
}

and don't forget to set create the dns entries... (probably with wildcard to *.domain.org)

Related Solutions

Ssh – why use ssh tunneling for thesql server

If you use SSH tunneling, then your SSH and MySQL passwords are both encrypted during communication -- as well as all data that passes through the tunnel. If you're not using an SSH tunnel and you're not using MySQL's SSL support, there is no encrypting and a malicious third party could use packet sniffing or other nefarious means to eavesdrop on your communications.

Also, if you're using SSH tunneling, then you will be alerted if the remote machine's SSH key changes. This will not happen with standard MySQL, meaning an attacker could use IP spoofing or a Man in the Middle attack to disrupt/interfere/eavesdrop on your communications.

For more information, see:

SSH – How to Send Port Number to Server via Reverse SSH Tunnel

Wouldn't a VPN be more appropriate? OpenVPN is super simple to configure. Here is a sample config and some links to guide your through the certificate creation process:

apt-get install openvpn
mkdir /etc/openvpn/easy-rsa
mkdir -p /etc/openvpn/ccd/client_server
touch /etc/openvpn/ipp.txt
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca 
./build-dh
./build-key-server server
cd /etc/openvpn/easy-rsa/keys
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt

Then create a new file /etc/openvpn/client_server.conf and put the following in it, changing the SERVER_IP_ADDRESS as appropriate

local SERVER_IP_ADDRESS
port 8443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
pkcs12 /etc/openvpn/easy-rsa/keys/server.p12
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 192.168.100.0 255.255.255.0
client-config-dir /etc/openvpn/ccd/client_server
ccd-exclusive
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
reneg-sec 0

Then build a key per user who is going to connect, and create the config file in the ccd dir

./build-key-pkcs12 user1@domain.com
echo "ifconfig-push 192.168.100.2 255.255.255.0" > /etc/openvpn/ccd/client_server/user1@domain.com

The IP address MUST be suitable for a /30 subnet (see http://www.subnet-calculator.com/cidr.php), as there is only 2 addresses available (server and client) per connection. So your next available client IP would be 192.168.100.6 and so on.

Then you now have static IPs per connecting user.

Then supply the user1@domain.com.p12 file to the end-user and use the following config file

client
dev tun
proto udp
remote SERVER_IP_ADDRESS 8443
pkcs12 user1@domain.com.p12
resolv-retry infinite
nobind
ns-cert-type server
comp-lzo
verb 3
reneg-sec 0

Best Answer

Related Solutions

Ssh – why use ssh tunneling for thesql server

SSH – How to Send Port Number to Server via Reverse SSH Tunnel

Related Topic