ITCooky Recipes


How to access the home server behind NAT, externally by ssh tunnel, through a server on the Internet!

Date: March 1, 2020

For example, there is a server at home and I want to connect to it through ssh (maybe even through scp), just to check how it is doing. I used to do it through a VPN, like this: Remote access to my FreeBSD home server through OpenVPN! That even worked: the cable ISP router usually does port forwarding, I just had to know the external IP. But now I tried to do port forwarding on the router of a mobile Internet provider, and nothing: it seems I have to pay for that separately, and it only works if you buy a static IP …

… but, in fact, you don’t need to manage the router at all, there is a thing called an ssh tunnel. The home server connects to a server on the Internet, and that server is configured to forward all (designated) connections on to the home server! For this method you need your own VDS / VPS server … but who doesn’t have one now, everyone does! Yes, even some Amazon cloud instance would do!

I reread many articles, but this one in particular helped me a lot: evgslb.blogspot.com, thanks. Even so, I read it for half a day and couldn’t understand how it was supposed to work!

How does it work
We need a Linux server on the Internet with a direct static IP. I couldn’t understand this for a long time, but no special configuration is needed there: you just need a user who can connect to that server through ssh! In addition, ssh must be installed on all three machines involved; on Linux it already is, and there is an opinion that it can be done on Windows through Putty. On the machine you want to reach, you run the ssh tunnel that receives the connection (the -R side); on the machine you connect from, you run the tunnel that leads out to it (the -L side). Both tunnels are opened by an ssh command that connects to the server on the Internet.

Set up the server to which the client tunnels connect
I have an old Centos 6.8 server; maybe all the odd things are because of that!

I connect to the server with ssh
and create a user user1tunnel
/usr/sbin/adduser user1tunnel
and set a password for it
passwd user1tunnel

Then I was a little worried about what happens if someone gets into this account and starts doing something on the server. To avoid this, I gave the user the restricted lshell shell, where everything is limited; I set it up as described here: Configure, move, test the new VPS in CentOS 6! Do the same!

I assign this shell to the new user
chsh -s /usr/bin/lshell user1tunnel
At this point Centos complains that the shell is not listed in /etc/shells; I simply added it to that file and repeated the command

Now you need to check the ssh configuration here
/etc/ssh/sshd_config
it must contain

AllowTcpForwarding yes
GatewayPorts yes

and also these (they will be needed later)

PubkeyAuthentication yes
AuthorizedKeysFile      /home/%u/.ssh/authorized_keys

and the user must be listed in

AllowUsers uservasya usersasha userarsen user1tunnel

We restart sshd; my existing ssh session is not dropped
/sbin/service sshd restart

It is also important to set these parameters in the same file; they should help to tear down stuck sessions that were not closed correctly

ClientAliveInterval 15
ClientAliveCountMax 3

This only works with SSH protocol 2: if nothing has been received from the client for 15 seconds, the server sends it an “are you alive?” probe, and after 3 probes without an answer it drops the connection! It should help with the busy port problem: that happens when you have been connected for a long time, then the connection hangs and drops, the client restarts, but the server says

Warning: remote port forwarding failed for listen port 12345

Configuration of the computer you need to connect to through ssh
I have Ubuntu 18.04 Desktop on my home computer and I want to connect to it! Also, with this method, with an ssh tunnel, you don’t need to know what my IP is; it changes all the time!

In the console, run
ssh -f -N user1tunnel@123.45.67.89 -R 12345:localhost:22
for now like this, you have to type the password by hand
-f – means run in the background
123.45.67.89 – IP of the server with ssh
-R – means the incoming (reverse) tunnel
12345 – any free port

After running that command you can reach this computer from the server through ssh like this
ssh -p 12345 juancho@localhost
where juancho is the username on the computer we are connecting to

We check whether the port is listening … the network commands do not show it here, but it is clear that the command is running:
ps aux | grep ssh
we will have to think about that later …

Configuring the computer from which you need to connect through ssh
That computer will also be Linux

First you need to open the tunnel
ssh -f -N user1tunnel@123.45.67.89 -L 12345:localhost:12345
the same command, but with -L

And connect from the console
ssh -p 12345 juancho@localhost

Here everything looks as it should, unlike on the computer we are connecting to
netstat -ntlp | grep 12345
shows this

tcp        0      0 127.0.0.1:12345         0.0.0.0:*               LISTEN      8166/ssh            
tcp6       0      0 ::1:12345               :::*                    LISTEN      8166/ssh            

How to make the ssh tunnel stay alive and reconnect
I’m doing it the way it is shown here; it’s amazing that there is such content on YouTube

Install autossh
sudo apt-get install autossh

We go to the .ssh folder in the home directory and generate the keys there; we are working as the user juancho

cd /home/juancho/.ssh/
ssh-keygen -t rsa

I give the key the name juancho and set no passphrase

Once, the keys only worked when I generated them a second time … if it isn’t clear why it doesn’t work, generate the keys again!

juancho.pub is the one that must be put on the server
sudo scp ./juancho.pub user1tunnel@123.45.67.89:/home/user1tunnel/

On the remote server we execute
mkdir -p /home/user1tunnel/.ssh
cat /home/user1tunnel/juancho.pub >> /home/user1tunnel/.ssh/authorized_keys
chmod 700 /home/user1tunnel/.ssh
chmod 600 /home/user1tunnel/.ssh/authorized_keys
chown -R user1tunnel:user1tunnel /home/user1tunnel
The two chmod lines are an addition to the original steps: with its default StrictModes, sshd ignores authorized_keys if that file or the .ssh directory is writable by others, which is a common reason a key "does not work".

Now from the local computer we can log in without a password
ssh user1tunnel@123.45.67.89
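The same key installation as an added shell script, not from the original post: it appends the key with options that make it usable only for the tunnel, so that a stolen copy of the home machine's key cannot be used to get a shell on the server (the same concern lshell addresses above). It assumes the user and file names from the post; `restrict` (OpenSSH 7.2+) would be shorter, but the CentOS 6 server in the post ships an older sshd, so the per-option form is used.

```sh
#!/bin/sh
# Added example (not from the original post): install the home machine's public key
# for the tunnel user so that this key can only be used for port forwarding.
# Assumes the user and file names from the post; run as root on the Internet server.

# No shell or PTY, no agent/X11 forwarding, and any requested command becomes
# /bin/false. An `ssh -N -R ...` tunnel never asks for a command, so it still works.
KEY_OPTIONS='no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false"'

# install_tunnel_key USER PUBKEY_FILE [HOME_DIR]
# Appends the restricted key to USER's authorized_keys and sets the ownership and
# permissions sshd's default StrictModes requires (.ssh 700, authorized_keys 600).
install_tunnel_key() {
    user="$1"; pubkey="$2"; home="${3:-/home/$1}"
    keyline=$(head -n 1 "$pubkey")
    # accept only a single-line OpenSSH key of a known type, never arbitrary text
    case "$keyline" in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh"
    printf '%s %s\n' "$KEY_OPTIONS" "$keyline" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    # chown needs root; when run as a normal user the files are already ours
    if [ "$(id -u)" -eq 0 ]; then chown -R "$user:$user" "$home/.ssh"; fi
}

# Usage on the server, after copying juancho.pub there with scp as in the post:
#   install_tunnel_key user1tunnel /home/user1tunnel/juancho.pub
```

The options apply only to this key, so logging in to the same account with a password from Putty, as described further down, is unaffected.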

Now we run autossh. It is important that it runs in the background, and in the background you cannot type a password, which is why all of the above had to be done with key files
autossh -M 0 -f -N user1tunnel@123.45.67.89 -R 12345:localhost:22
It works; it goes to the background immediately because of the -f flag, for diagnosis it can be run without that flag

Now add that line to cron so it starts at boot
crontab -e
Here you also have to specify where the key file is, otherwise it will not start

@reboot autossh -M 0 -f -N user1tunnel@123.45.67.89 -R 12345:localhost:22 -i /home/juancho/.ssh/juancho
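An added example, not from the original post, that wraps the autossh line above and adds the two checks the earlier sections call for: the -R listener lives on the Internet server (which is why netstat on the home computer shows nothing), so the port has to be checked there, and the "remote port forwarding failed" warning has to be caught, because otherwise ssh stays connected without the forward and autossh never restarts it. It assumes the user, server IP, port and key file from the post, and that the tunnel user's lshell allows running netstat.

```sh
#!/bin/sh
# Added example (not from the original post): a wrapper around the post's autossh
# command plus two checks for the failure mode described above. Assumes the user,
# server IP, port and key file from the post (the IP is the post's placeholder).
TUNNEL_USER="user1tunnel"
TUNNEL_SERVER="123.45.67.89"
TUNNEL_PORT="12345"
TUNNEL_KEY="/home/juancho/.ssh/juancho"

# Build the autossh command line. On top of the post's one-liner it adds
# ExitOnForwardFailure=yes, so that ssh exits (and autossh restarts it) instead of
# staying connected with the -R forward silently refused, and client-side keepalives
# that mirror the server's ClientAliveInterval/ClientAliveCountMax settings.
build_tunnel_cmd() {
    printf '%s' "autossh -M 0 -f -N -o ExitOnForwardFailure=yes" \
        " -o ServerAliveInterval=15 -o ServerAliveCountMax=3" \
        " -i $TUNNEL_KEY -R $TUNNEL_PORT:localhost:22 $TUNNEL_USER@$TUNNEL_SERVER"
}

# port_listening PORT: read `netstat -ntlp` or `ss -tlnp` output on stdin and
# succeed if a LISTEN socket has a local address ending in :PORT.
port_listening() {
    awk -v port="$1" '
        /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (":" port "$")) { found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# forward_failed PORT: succeed if ssh's stderr on stdin carries the warning quoted
# in the post, i.e. the port on the server is still held by a dead session.
forward_failed() {
    grep -q "remote port forwarding failed for listen port $1"
}

# tunnel_is_up: ask the Internet server whether the forwarded port really listens
# there. Assumes the tunnel user's shell (lshell in the post) lets it run netstat;
# non-root netstat still lists every listening socket.
tunnel_is_up() {
    ssh -i "$TUNNEL_KEY" "$TUNNEL_USER@$TUNNEL_SERVER" netstat -ntlp 2>/dev/null \
        | port_listening "$TUNNEL_PORT"
}

# Constructed sample in the format of the post's netstat output, for an offline check.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:12345         0.0.0.0:*               LISTEN      8166/ssh
tcp6       0      0 ::1:12345               :::*                    LISTEN      8166/ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -'

# Usage: ./tunnel.sh start   (bring the tunnel up)   or   ./tunnel.sh check
case "${1:-}" in
    start) sh -c "$(build_tunnel_cmd)" ;;
    check) tunnel_is_up && echo "tunnel up" || echo "tunnel down" ;;
esac
```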

How to connect from something other than Linux
People use Putty: in one window they open the tunnel, in a second one they connect to the local port that is redirected. It didn’t work for me!

The most reliable way is to log in to the server with Putty and run there
ssh -p 12345 juancho@localhost
specifically for this, the ssh command is allowed in lshell

Also on Windows 10 with Windows Subsystem for Linux (included in Windows components) and Ubuntu 18.04 LTS (installed from the Windows store) you can do everything as on Linux to bring up the tunnel and connect through ssh
ssh -f -N user1tunnel@123.45.67.89 -L 12345:localhost:12345
ssh -p 12345 juancho@localhost
