The purpose of this is to have a secure way back into the office or home or wherever you need to get to, and keep your NAT / firewall exceptions empty so you needn’t whitelist anything.
You’ll need a small VPS with a public IP that can be secured, though you can use a Colo / Dedicated for this for better security.
Create a tunnel user on the gateway server:
gateway# adduser tunnel
gateway# chsh -s /bin/bash tunnel
gateway# su - tunnel
gateway$ ssh-keygen -t rsa -b 4096 -N ''
gateway$ echo 'YOUR_SSH_PUBLIC_KEY' >> ~/.ssh/authorized_keys
On your target network, SSH to the gateway once as the tunnel user so the gateway's host key is recorded in ~user/.ssh/known_hosts; the service below runs non-interactively and cannot answer the host-key prompt.
We then create a systemd service on the machine that’s on the network you want to access, called tunnel.service:
local# vim /etc/systemd/system/tunnel.service
[Unit]
Description=Tunnel Service
Wants=network-online.target
After=network-online.target

[Service]
User=user
ExecStart=/usr/bin/ssh -tt -N -i /home/user/.ssh/id_rsa -R REMOTE_PORT:LAN_SSHD_IP:LAN_SSHD_PORT -l tunnel SSH_GATEWAY
RestartSec=3
Restart=always

[Install]
WantedBy=multi-user.target
Edit the placeholders above (REMOTE_PORT, LAN_SSHD_IP, LAN_SSHD_PORT, SSH_GATEWAY) to match the port you want forwarded on the SSH gateway and the sshd you want to reach on the LAN. Preferably both servers accept only SSH key authentication (PasswordAuthentication no) and have root login disabled (PermitRootLogin no) in sshd_config.
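As an added example (not part of the original post), a small POSIX shell helper that renders the unit above with two options the bare ExecStart lacks, ExitOnForwardFailure (so a stale remote port makes ssh exit and systemd restart it) and ServerAlive keepalives (so a hung tunnel is torn down instead of sitting dead), plus a restricted authorized_keys line for the tunnel user on the gateway. The function names and the argument values in the comments are assumptions, not the post's own.

```shell
#!/bin/sh
# Hypothetical helper, not from the original post. Renders a hardened
# tunnel.service and the matching ~tunnel/.ssh/authorized_keys entry.

# render_tunnel_unit USER KEYFILE REMOTE_PORT LAN_SSHD_IP LAN_SSHD_PORT GATEWAY
# -tt is dropped: with -N there is no shell, and the restricted key below
# refuses pty allocation anyway.
render_tunnel_unit() {
  cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $6
Wants=network-online.target
After=network-online.target

[Service]
User=$1
ExecStart=/usr/bin/ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i $2 -R $3:$4:$5 -l tunnel $6
RestartSec=3
Restart=always

[Install]
WantedBy=multi-user.target
EOF
}

# render_gateway_authorized_key PUBKEY REMOTE_PORT
# "restrict" turns off pty, agent/X11 forwarding and command execution;
# "port-forwarding" re-enables forwarding and "permitlisten" limits the
# -R side to the one port the tunnel needs.
render_gateway_authorized_key() {
  printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$2" "$1"
}

# Example run with constructed values (no network access needed):
# render_tunnel_unit user /home/user/.ssh/id_rsa 2222 192.168.1.10 22 gw.example.invalid
# render_gateway_authorized_key 'ssh-ed25519 AAAA...constructed' 2222
```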
Enable the service on the target network:
local# systemctl start tunnel.service
local# systemctl enable tunnel.service
Now go back to the tunnel user and get the public key:
gateway$ cat ~/.ssh/id_rsa.pub
Put the tunnel user's public key in ~user/.ssh/authorized_keys on your local machine, where user is the account named in the User= line of tunnel.service.
From the tunnel user on the gateway, SSH through the forwarded port to your user on the local network once, so that the local machine's host key is recorded in ~tunnel/.ssh/known_hosts. The -R forward listens on the gateway's loopback interface, so the destination is localhost:
gateway$ ssh -p REMOTE_PORT -l user localhost
You should now be in, and no firewall rules have been added. All you need is SSH access to the gateway server via your own key in ~tunnel/.ssh/authorized_keys.