SSH Tunneling : Remote Forwarding

The process of accessing the INTERNAL server through a public server or local system is known as SSH TUNNELLING: REMOTE FORWARDING

These are some configurations that need to be changed on both the server and client-side.

On Server Side ( Internal VM ):

Change these variables in this file : FILE=/etc/ssh/sshd_config

AllowTcpForwarding remote

GatewayPorts yes

2. Save it and run this command to restart your ssh service.

sudo systemctl restart ssh

3. RUN this command to create a ssh tunnel.

nohup ssh -nNv -R 8002:localhost:22 admin@abc.com &

Command breakup :

nohup, & : to run this process in background

ssh: secure shell

-nN : to not allocate a tty( terminal ) and only do the port forwarding.

-v : verbose ( detailed output )

-R : Specifies that the given port of the remote server host is to be forwarded to the given host and port on the local side.

8002 : Client-side port on which ssh connection will be establish.

22 : server side port ( ssh )

admin@abc.com: Azure Vm USERNAME@HOST-DNS

On Client side ( Azure Vm ):

Change these variables in this file : FILE=/etc/ssh/sshd_config

AllowAgentForwarding yes

AllowTcpForwarding yes

AllowStreamLocalForwarding yes

GatewayPorts yes

X11Forwarding yes

2. Save it and run this command.

sudo systemctl restart ssh

3. Open a terminal and type:

ssh server_username@localhost:8002

It will prompt you for a password, Enter the server VM password & enjoy SSH tunnelling.

Security Constraint:

Port 22 needs to be opened on your Azure vm publicly, so that the Internal vm can establish a connection with your Azure VM, and opening port 22,3389 publicly is not recommendable as this makes our Azure VM’s more vulnerable to attack. I tried restricting port access only on Internal VM public IP but that didn’t work because the INTERNAL VM runs behind a VPN (proxy network) and that is unknown by the Azure Public Cloud so it fails.

Limitation & workaround:

Through this process you will be only able to connect to terminal, so let say if you want to check other services like frontend & backend (running on some port), then you need to open another tunnel,

ex: nohup ssh -nNv -R 8010:localhost:8000 dtdevops@dt-devops.westeurope.cloudapp.azure.com &

8000: server port

8010: Azure VM port

Now you will be able to access 8000 port of your server on you Azure vm (8010 port).

https:// Internal-vm-host-ip:8000 = https://abc.com:8010

In this way you can create “n” number of tunnels.

A DevOps who is passionate about Autom@tion.