Ubuntu – Access remote multiple servers behind NAT

networkingremote accessserversshteamviewer

I have a situation where our Ubuntu servers were deployed across multiple remote locations. These servers were behind a carrier grade NAT and also an internal NAT. Now from a central location I want to access it any time I want, but I am also behind a NAT similar to those servers.

When those servers are online I want to access it (through SSH or SSH tunnel). I know I can't access like servers that have a public IP, but maybe somehow I can access it through TeamViewer's working principle. For this method if I need another public server I can manage it in Google Compute Engine.

Best Answer

If we have access to a server with public IP address, then we can use it as a gateway. We could achieve this via Reverse SSH Port Forwarding connections. Let’s say we have three instances:

Public Server: Here we have an operational SSH server and public IP address (and/or domain name). We are able to connect to this server with public-private key pair, which is not passphrase protected (setup reference).
Private Server: Here we have an operational SSH server. It is behind a Firewall (NAT, ISP, etc.) and doesn't have a public IP address, but we are able to establish a SSH connection from it to the Public Server, so here we have also SSH client.
Client Machine: Here we (need to) have only SSH client. We are able to establish a SSH connection to the Public Server. We want to establish a SSH connection from this instance to the Private Server.

The principal level

At principal level we could apply at least two scenarios.

Scenario 1. Where we don’t want to open an additional ports in the Public Server’s Firewall:

Establish SSH connection with Port Forwarding from the Private Server to the Public Server.
Establish SSH connection with Port Forwarding from the Client Machine to the Public Server.
Connect to the Private Server from the Client Machine via the forwarded port (through itself).

Scenario 2. Where we are inclined to open an additional port in the Public Server’s Firewall:

Establish SSH connection with Port Forwarding from the Private Server to the Public Server.
Connect to the Private Server from the Client Machine through the Public Server.

The main advantage of the Scenario 1 is that we don’t need to think how secure is our Private Server. The main advantage of the Scenario 2 is that we ommit one step, but in this case we should think about the security of the Private Server, because it becomes public accessible through the forwarded port. In addition, these scenarios could be applied to different port and services, not only SSH, for example to HTTP.

How to apply Scenario 1 within Ubuntu

Establish SSH connection with Port Forwarding from the Private Server to the Public Server

We could do that by the command:

ssh user-of-the-public-server@public-server -p 22 -R 2222:127.0.0.1:22 -i ~/.ssh/pass-less/id_rsa

-p 22 provides the SSH port of the Public Server (it is not mandatory).
-i ~/.ssh/pass-less/id_rsa provides the authentication key file.
-R 2222:127.0.0.1:22 means that port 2222 on the (remote) Public Server will be forwarded to the SSH port of the (local) Private Server that, in this case, is 22.

We can push this connection into the background by adding the options -fTN (of the OpenSSH Client – reference). We could use also the tool autossh to be sure the connection will be kept alive for a long period of time (reference):

autossh user-of-the-public-server@public-server -p 22 -fTN -R 2222:127.0.0.1:22 -i ~/.ssh/pass-less/id_rsa

We can simplify the above command by implementation of the following lines in our ~/.ssh/config file:

Host public-server-reverse
    HostName 100.100.100.100  # this is the IP address or the domain name of the Public Server
    IdentityFile ~/.ssh/pass-less/id_rsa
    User user-of-the-public-server
    Port 22
    RemoteForward 2222 localhost:22

In this case the above command will become:

autossh public-server-reverse -fTN

We can easily automate this task on system reboot by the next Cron job (or we could create service that should be the better approach):

@reboot sleep 45 && autossh public-server-reverse -fTN

Once this connection is established we can connect to the Private Server from the Public Server, through the reverse tunnel, by the command:

ssh user-of-the-private-server@localhost -p 2222    # provide an additional authentication data (for the Private Server) if it is needed…

Establish SSH connection with Port Forwarding from the Client Machine to the Public Server

We could do that by the command:

ssh user-of-the-public-server@public-server -p 22 -fTN -L 1111:127.0.0.1:2222 -i ~/.ssh/pass-less/id_rsa

-L 1111:127.0.0.1:2222 means that port 1111 on the (local) Client Machine will be forwarded to the (remote) Public Server’s port 2222 (that is forwarded to the SSH port of the Private Server). Note we could use -L 2222:127.0.0.1:2222.
-fTN these options will push the connection into the background as it is described above.
We can implement also autossh and ~/.ssh/config file, with directive RemoteForward or LocalForward.

Connect to the Private Server from the Client Machine through itself

Once the above two steps are implemented, we can connect from the Client Machine to the Public Server by the command:

ssh user-of-the-private-server@localhost -p 1111    # provide an additional authentication data (for the Private Server) if it is needed…

How to apply Scenario 2 within Ubuntu

Establish SSH connection with Port Forwarding from the Private Server to the Public Server

This step is identical as the first one from the Scenario 1, but few additional things should be done.

Open the forwarded port 2222 on the Public Server’s Firewall - this is out of the scope of this answer.

Modify /etc/ssh/sshd_config of the Public Server and add the next directive, that will allow to open our SSH tunnel to public (don't forget to restart the server: sudo systemctl restart sshd.service):

GatewayPorts yes

Make our SSH tunnel open to public. This step is well described within the question: (How to make ssh tunnel open to public?). According to the answers there we could add the -g option to the commands that make a connection between the Private and the Public servers:

autossh public-server-reverse -gfTN

@reboot sleep 45 && autossh public-server-reverse -gfTN

Or, alternatively, instead that we could modify the ~/.ssh/config file in this way:

Host public-server-reverse
    HostName 100.100.100.100  # this is the IP address or the domain name of the Public Server
    IdentityFile ~/.ssh/pass-less/id_rsa
    User user-of-the-public-server
    Port 22
    RemoteForward \*:2222 localhost:22

Finally we should killall autossh and establish the connection again.

Connect to the Private Server from the Client Machine through the Public Server

Once the above step is performed, we can achieve our goal by the command:

ssh user-of-the-private-server@public-server -p 2222    # provide an additional authentication data (for the Private Server) if it is needed… forward some ports, etc.

Related Solutions

Ubuntu – how to connect to a remote desktop behind a router

You can use Gogo6 and get an IPv6 address at the same time:

On the server, download and install the Gogo6 client with:

sudo apt-get install gogoc

And get an account at http://www.gogo6.com/freenet6/registration for Freenet6.

Then, run gksudo gedit /etc/gogoc/gogoc.conf(still on the server) and set the following settings:

userid=your_user_name_you_set_up_with_the_link_above
passwd=your_password

Save and reboot. You can now access your_user_id.broker.freenet6.netas long as the SSH client is set up to bind to that interface. You can just bind it to 0.0.0.0, which is the default IIRC.

It should allow access from IPv4 hosts, but I will check on that.

Ubuntu – How to connect to Internet through a remote server via SSH connection

Try SSH tunneling/port forwarding. There is a lot of information in Internet. Read this: SSH/OpenSSH/PortForwarding and SSH tunneling with ubuntu.

I like to use SSH socks-proxy. Install plink:

sudo apt install plink

Run command in your local computer (SSH client) with restricted access to Internet:

plink -ssh 111.111.11.111 -C -N -l user -D 127.0.0.1:8081

where 111.111.11.111 - IP-address of your remote SSH-server with unrestricted access and user - your SSH-server username.

Thats all. Now you have SOCKS proxy - all of the traffic through the proxy will be encrypted and routed through your remote SSH-server. Settings for the proxy are: host 127.0.0.1, port 8081.

Add this settings as Ubuntu system-wide proxy settings and instruct browsers, bash etc. to use system proxy. It's possible to add system proxy with Ubuntu System Settings GUI (mine has Ukrainian locale):

If you want to use the proxy for apt, read Configure proxy for APT?, only take into account you have socks-proxy, thus the proxy URLs should be socks4://127.0.0.1:8081 or socks5://127.0.0.1:8081 instead of http://127.0.0.1:8081, for example:

export http_proxy="socks4://127.0.0.1:8081"