I recently set up FreeIPA on an internally accessible system at home. I'd like to manage this web UI from networks that are external to my LAN, but at the same time, I don't want to have to expose this web UI to the public internet. Is there a way I can access it through an SSH tunnel?
NOTE: I'm familiar with setting up a tunnel using ssh & its -L switch like so:
$ ssh -L 12345:ipa.local.net:80 mysshserver
However this approach will not work in this scenario, since accessing FreeIPA requires that you use the actual hostname of the server in addition to being able to access the web UI using both ports 443 and 80.
Is there another way to accomplish this beyond ssh -L?
Best Answer
Performing SSH tunneling can get a bit confusing with all the terminology, but there is a complementary feature to -L, which provides you the ability to "dynamically" assign ports by allocating a socket locally, instead of a single port. From the man page:
By allocating a socket, all the traffic can be funneled through to the remote site, including DNS queries.
How to use it
For starters you'll need to open up a connection to your LAN (through its public IP address on the internet) like so:
NOTE: This assumes that you have the ability to SSH into a server that's accessible through your public internet IP address.
Once that's set up, in another terminal, you'll want to configure your web browser to make use of this tunnel. NOTE: This type of tunnel is providing you a socket, so to connect to it, you need to tell your web browser to proxy all of its traffic via this socket. This is typically shown as a SOCKS or SOCKS v5 type of connection for your proxy.
An example
In this example I'll show how you can do it using Chromium, via the CLI:
Here I'm launching Chromium and pointing it to the SSH tunnel which we earlier configured on our localhost's port 1234. And with this, if I then attempt to visit a URL for a server that's configured on my LAN, I'm directed to it:
Proxying with other browsers
All the major browsers provide this feature and it's covered pretty extensively on other SE sites such as SuperUser:
You can even make use of extensions to the various browsers which allow you to selectively proxy only certain traffic, while allowing you to route everything else out over your normal connection to the internet.
For example, you can use ProxySwitchy! with Chrome to do exactly that:
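As an added example (not part of the original answer), the steps described above can be scripted with ssh's dynamic forwarding option, -D, bound to the loopback address so the SOCKS listener is not usable by other hosts on the network you are visiting. The host names and port 1234 are the ones used on this page; the `chromium` binary name, the control socket path and the profile directory are assumptions.

```shell
#!/bin/sh
# Added example. Host names and port 1234 are the page's; the control
# socket path and browser profile directory are assumptions.
GATEWAY=${GATEWAY:-mysshserver}   # SSH server reachable from the internet
TARGET=${TARGET:-ipa.local.net}   # FreeIPA host name, resolved on the LAN side
SOCKS=${SOCKS:-127.0.0.1:1234}    # loopback only, so nobody else can use the proxy
CTL=${CTL:-$HOME/.ssh/ipa-tunnel.sock}
PROFILE=${PROFILE:-$HOME/.config/chromium-ipa}

# With DRY_RUN=1 print the command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# -D: SOCKS listener; -f -N: background, no remote command; -M -S: control
# socket for a clean shutdown; fail at once if the port cannot be bound.
tunnel_up() {
    run ssh -f -N -M -S "$CTL" -D "$SOCKS" -o ExitOnForwardFailure=yes "$GATEWAY"
}

tunnel_down() {
    run ssh -S "$CTL" -O exit "$GATEWAY"
}

# --socks5-hostname hands the name to the proxy, so the DNS lookup happens
# on the LAN side and the internal name is not sent to the local resolver.
check() {
    run curl -sS -o /dev/null -w '%{http_code}\n' \
        --socks5-hostname "$SOCKS" "https://$TARGET/"
}

# Separate profile so normal browsing does not go through the home network;
# the resolver rule stops Chromium from doing any local DNS lookups.
browse() {
    run chromium --user-data-dir="$PROFILE" \
        --proxy-server="socks5://$SOCKS" \
        --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE 127.0.0.1" \
        "https://$TARGET/"
}

case "${1:-}" in
    up)    tunnel_up && browse ;;
    check) check ;;
    down)  tunnel_down ;;
esac
```

Because the browser sends the real host name through the proxy, ports 80 and 443 on ipa.local.net both work without a per-port -L forward; run the script with DRY_RUN=1 first to see the exact commands.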