SSH Tunnel Through Multiple Hosts to Forward Traffic to Device


I am attempting to minimize my public-facing attack surface, allowing only traffic from a specific IP address. I want to prevent all inbound access to the remote WAN/Edge Router's management port from the public side. So I want to create a tunnel to a server on the private side and forward traffic from there to the WAN/Edge router. I have a dynamic IP at home but have a DigitalOcean Droplet to tunnel through, which will always be static. I believe a VPN would accomplish the same result, but I really didn't want to set up and maintain a VPN when, if I could determine the tunnel sequence, an SSH tunnel would allow me to create and tear it down at will, also using SSH key auth. So my connection would look something like this.

My destination port on the WAN/Edge Router is user-definable. So, to obfuscate the destination, let's say it's port 3333. From my workstation I would point my management utility to port 3333 on my localhost, directing traffic over the tunnel to the internal interface of the WAN/Cable modem.

Home workstation (utility port 3333) -> digital_ocean_jump_host -> [—> Passing through the Dest Network WAN/Edge Router with a Firewall/NAT Rule —>] -> internal_jump_host -> WAN/Edge Router's Private Interface on Port 3333

After many Google queries and multiple attempts at this I just can't quite make it work. At best I can SSH through to the internal server.

What SSH foo might I be missing here? Ideally I would like to make the tunnel an automated service, but a two-step process would be acceptable.

Best Answer

You are missing a port forwarding from port 3333 of your local machine to router_internal_ip:3333, which can be done with something like this in your ~/.ssh/config:

# <alias> is a placeholder for whatever name you want to give the tunnel;
# the Host line is required for the options below to apply to it only
Host <alias>
    ProxyJump digital_ocean_jump_host
    Hostname internal_jump_host
    LocalForward 3333 router_internal_ip:3333

to be used as ssh
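The same two-hop tunnel as a script, written as an added example rather than taken from the answer above. It uses only stock OpenSSH options (-J needs OpenSSH 7.3 or later), keeps the host names from the question as placeholders, binds the forwarded port to 127.0.0.1 explicitly so it is never reachable from the workstation's LAN, and uses a ControlMaster socket so the tunnel can be checked and torn down at will, or run in the foreground from a systemd unit.

```shell
#!/bin/sh
# Added example: two-hop SSH tunnel to the router's private management port.
# The host names are the placeholders from the question, not real hosts.
JUMP="digital_ocean_jump_host"         # public droplet with the static IP
INNER="internal_jump_host"             # host on the private network
ROUTER="router_internal_ip"            # router's private-side interface
PORT="3333"                            # management port chosen on the router
SOCK="${HOME}/.ssh/router-tunnel.sock" # control socket for check/teardown

# Run the ssh command line through whatever program is passed as $1 so the
# same argument list serves both "show me the command" and "run it".
_tunnel() {
    run="$1"; shift
    "$run" \
        -J "$JUMP" \
        -L "127.0.0.1:${PORT}:${ROUTER}:${PORT}" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -o BatchMode=yes \
        -o ControlMaster=yes \
        -o ControlPath="$SOCK" \
        -N "$INNER"
}

_show() { printf '%s\n' "$*"; }

# Print the exact ssh invocation (handy for a systemd ExecStart= line).
tunnel_cmd() { _tunnel _show ssh | sed 's/^ssh //; s/^/ssh /'; }

# Stay in the foreground: ExitOnForwardFailure makes ssh exit non-zero if
# port 3333 cannot be bound, so a Restart= in the unit can retry.
tunnel_up() { _tunnel ssh; }

# Ask the master connection whether it is alive (exit status 0 if so).
tunnel_check() { ssh -S "$SOCK" -O check "$INNER"; }

# Tear the tunnel down by telling the master to exit.
tunnel_down() { ssh -S "$SOCK" -O exit "$INNER"; }

case "${1:-}" in
    up)    tunnel_up ;;
    down)  tunnel_down ;;
    check) tunnel_check ;;
    cmd)   tunnel_cmd ;;
esac
```

For an automated service, a unit with Type=simple, ExecStart pointing at this script with the argument up, and Restart=on-failure gives the "create and tear down at will" behaviour without a VPN.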
