I finally managed to accomplish this with ssh
only:
- start a local SOCKS proxy on your client machine (using
ssh -D
) EDIT: not necessary with SSH>7.6
- connect to remote server and setup a reverse port forwarding (
ssh -R
) to your local SOCKS proxy
- configure the server software to use the forwarded proxy
1. Start local socks proxy in the background
EDIT SSH>7.6 allow a simpler syntax to start the proxy. Skip this and continue with step 2!
Connect to localhost via SSH and open SOCKS proxy on port 54321.
$ ssh -f -N -D 54321 localhost
-f
runs SSH in the background.
Note: If you close the terminal where you started the command, the proxy process will be killed. Also remember to clean up after yourself by either closing the terminal window when you are done or by killing the process yourself!
2. connect to remote server and setup reverse port forwarding
Bind remote port 6666 to local port 54321. This makes your local socks proxy available to the remote site on port 6666.
$ ssh root@target -R6666:localhost:54321
EDIT SSH>7.6 allows a simpler syntax to start the proxy! Step 1 is not needed then:
$ ssh root@target -R6666:localhost
3. configure the server software to use the forwarded proxy
Just configure yum, apt, curl, wget or any other tool that supports SOCKS to use the proxy 127.0.0.1:6666
.
Voilá! Happy tunneling!
4. optional: install proxychains to make things easy
proxychains
installed on the target server enables any software to use the forwarded SOCKS proxy (even telnet
). It uses a LD_PRELOAD
trick to redirect TCP and DNS requests from arbitrary commands into a proxy and is really handy.
Setup /etc/proxychains.conf
to use the forwarded socks proxy:
[ProxyList]
# SSH reverse proxy
socks5 127.0.0.1 6666
Tunnel arbitrary tools (that use TCP) with proxychains
:
$ proxychains telnet google.com 80
$ proxychains yum update
$ proxychains apt-get update
Wouldn't a VPN be more appropriate? OpenVPN is super simple to configure. Here is a sample config and some links to guide your through the certificate creation process:
apt-get install openvpn
mkdir /etc/openvpn/easy-rsa
mkdir -p /etc/openvpn/ccd/client_server
touch /etc/openvpn/ipp.txt
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-dh
./build-key-server server
cd /etc/openvpn/easy-rsa/keys
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt
Then create a new file /etc/openvpn/client_server.conf
and put the following in it, changing the SERVER_IP_ADDRESS
as appropriate
local SERVER_IP_ADDRESS
port 8443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
pkcs12 /etc/openvpn/easy-rsa/keys/server.p12
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 192.168.100.0 255.255.255.0
client-config-dir /etc/openvpn/ccd/client_server
ccd-exclusive
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
reneg-sec 0
Then build a key per user who is going to connect, and create the config file in the ccd dir
./build-key-pkcs12 user1@domain.com
echo "ifconfig-push 192.168.100.2 255.255.255.0" > /etc/openvpn/ccd/client_server/user1@domain.com
The IP address MUST be suitable for a /30 subnet (see http://www.subnet-calculator.com/cidr.php), as there is only 2 addresses available (server and client) per connection. So your next available client IP would be 192.168.100.6 and so on.
Then you now have static IPs per connecting user.
Then supply the user1@domain.com.p12
file to the end-user and use the following config file
client
dev tun
proto udp
remote SERVER_IP_ADDRESS 8443
pkcs12 user1@domain.com.p12
resolv-retry infinite
nobind
ns-cert-type server
comp-lzo
verb 3
reneg-sec 0
Best Answer
To make things simpler I like to assign a port number or range to each server. Keeping what you've started with, B is 10000, C is 20000, forget about the 30000.
Setup:
Now you should be able to do
to get a shell on C, and assuming you want to connect to a web server running on server C port 8080:
Connect to: