How to set up SSH tunnel between 2 machines behind 2 different NATs

nat;sshssh-tunnel

I have Windows PC behind a NAT/Firewall at home, and a Windows PC behind a NAT/Firewall at work. i.e. Neither PC has a publicly visible IP address. On each of the PCs, I am running a Ubuntu VM on VirtualBox.

My IT folks at work will not let me SSH from outside into my Windows machine or the Ubuntu VM running on that machine, nor will they open any ports to make my machine accessible, nor will they give me a publicly visible IP address for my Windows PC or Ubuntu VM. But I can SSH out (as I often do to manage Amazon EC2 instances).

I would like to SSH from my (unaddressable) home machine to my (unaddressable) work machine so that I can run software on my work machine from home. All of the solutions I found on the internet require that one of the VMs be network-addressable, but none solve the problem when both machines are unaddressable. I'm willing to cough up a few bucks to rent a cheap Digital Ocean server to bridge the communication between the Ubuntu VMs.

Is there a way that I can configure a set of SSH tunnels between my Ubuntu VMs and the external Digital Ocean server which will make my Ubuntu VM at work addressable via SSH from my Ubuntu VM at home? I am willing to make this work by setting up a SSH tunnel from each Ubuntu VM to the (addressable) Digital Ocean server (with the SSH command originating from the Ubuntu VM).

Best Answer

You can do it easily, without any expense.

1) At home, get a (free) dns from no-ip.com. You will be given a name like

  my_name.no-ip.biz

2) Set it up, either on your router or on your pc; this way, even if your ISP changes your IP address, the moniker above always points to your home. The site no-ip.com has instructions on how to do this.

3) in your router, forward ports 6521 and a port for ssh (2222?) to your pc.

4) At work: set up a reverse tunnel to the moniker above, at first with ssh, and just check it works;

5) now download autossh for your distro, a small wrapper which uses port 6521 (that's why!) to check that the connection is still active, and if it is not it kills the running instance of ssh and starts a new one.

Typically, I write an executable called auto with this content:

 #!/bin/sh
 /usr/lib/autossh/autossh -M 6521 -f -p 2222 -2 -N -R 8400:localhost:22 my_name@no-ip.biz -i /home/myname/.ssh/id_rsa

This sets up a passwordless ssh connection (see the use of the cryptographic key **id_rsa) without terminal (-N), in protocol 2 (-2), using port 6521 to check that the connection is still active, and redirecting to my home port 22 all that is sent to port 8400 at work.

I put this line

   su myname -c /home/myname/bin/auto

to execute the executable file auto in /etc/rc.local automatically at boot, as myself instead of root. I can now connect to my work pc with the command:

   ssh -Y myname_at_work@localhost -p 8400 -i /home/myname/.ssh/id_rsa_work

where I now have to use the passwordless key for work. I have found that this connection is always, always up. Truly satisfactory.

Related Solutions

SSH – Access Office Host Behind NAT Router

youatwork@officepc$ autossh -R 12345:localhost:22 notroot@serverpc

Later:

you@homepc$ autossh -L 23456:localhost:12345 notroot@serverpc

you@homepc$ ssh youatwork@localhost -p 23456

What you could do is this: in step 1 forward a remote port from the office PC to the server (12345 is used as an example, any port >1024 should do). Now connecting to 12345 on the server should connect you to port 22 on officepc.

In step 2, forward the port 23456 from your home machine to 12345 on the server (whence it gets forwarded to officepc:22, as set up in step 1)

In step 3, you connect to the local port 23456 with your office PC login. This is forwarded by step 2 to port 12345 on your server, and by step 1 to your office PC.

Note that I'm using autossh for the forwardings, as it's a ssh wrapper which automatically reconnects the tunnel should it be disconnected; however normal ssh would work as well, as long as the connection doesn't drop.

There is a possible vulnerability: anyone who can connect to localhost:12345 on serverpc can now connect to officepc:22, and try to hack into it. (Note that if you're running a SSH server, you should anyway secure it above the basic protections which are on by default; I recommend at least disabling root login and disabling password authentication - see e.g. this)

Edit: I have verified this with the same config, and it works. GatewayPorts no only affects the ports that are open to the world at large, not local tunnels. This is what the forwarded ports are:

homepc:
  outgoing ssh to serverpc:22
  listening localhost:23456 forwarded through ssh tunnel
serverpc:
  listening ssh at *:22
  incoming localhost ssh tunnel (from homepc) forwarded to localhost:12345
  listening localhost ssh tunnel (from officepc) forwarded from localhost:12345
officepc:
  outgoing ssh to serverpc:22
  incoming localhost through ssh tunnel (from serverpc) forwarded to localhost:22

So, as far as the network stack is concerned, it's all local traffic on the respective loopback interfaces (plus ssh connections to serverpc); therefore, GatewayPorts is not checked at all.

There is, however, the directive AllowTcpForwarding: if that is no, this setup will fail as no forwarding is allowed at all, not even across the loopback interface.

Caveats:

if using autossh and recent ssh, you may want to use ssh's ServerAliveInterval and ServerAliveCountMax for keeping the tunnel up. Autossh has a built-in check, but apparently it has some issues on Fedora. -M0 disables that, and -oServerAliveInterval=20 -oServerAliveCountMax=3 checks if the connection is up - tries each 20 sec, if it fails 3x in a row, stops ssh (and autossh makes a new one):
```
autossh -M0 -R 12345:localhost:22 -oServerAliveInterval=20 -oServerAliveCountMax=3 notroot@serverpc

autossh -M0 -L 23456:localhost:12345 -oServerAliveInterval=20 -oServerAliveCountMax=3 notroot@serverpc
```
it might be useful to restart ssh tunnel if the forward fails, using -oExitOnForwardFailure=yes - if the port is already bound, you might get a working SSH connection, but no forwarded tunnel.

using ~/.ssh/config for the options (and ports) is advisable, else the command lines get too verbose. For example:

Host fwdserverpc
    Hostname serverpc
    User notroot
    ServerAliveInterval 20
    ServerAliveCountMax 3
    ExitOnForwardFailure yes
    LocalForward 23456 localhost:12345

Then you can use just the server alias:

    autossh -M0 fwdserverpc

SSH Tunnel – Connecting Two Behind-NAT Computers via Third Public-IP

on Home server (tunnel from third party to home):
ssh -R 20000:127.0.0.1:22 thirdparty.org

This connects your home box to the third party shell, and then starts to forward any connections to port 20000 on the third party shell to port 22 on your home box (the SSH port).

On remote computer (tunnel from remote to third party):
ssh -L 20000:127.0.0.1:20000 thirdparty.org

This connections your remote box to the third party shell, and then starts to foward port 20000 on the remote box to port 20000 on the third party shell.

and then on remote computer (connect over tunnels):
ssh 127.0.0.1:20000 and enter in credentials for your home server

This will attempt to ssh to port 20000 on the remote box. Since we set up a tunnel to the third party, the #2 command effectively forwards this connection attempt to 127.0.0.1:20000 on the third party shell. Then, the first command fowards the connection again to port 22 on your home box, at which point the ssh server picks up the connection.

Best Answer

Related Solutions

SSH – Access Office Host Behind NAT Router

SSH Tunnel – Connecting Two Behind-NAT Computers via Third Public-IP

Related Question