SSH tunnels are basically indistinguishable from magic.
So I have a remote network that I want to access. Most of my gear is UniFi networking equipment (why is another post), so one simple option would be a site-to-site VPN. Alas, the remote network does not expose a publicly routable IP address. It’s deep inside my ISP’s private network space (10.something). Setting up a site-to-site VPN is thus pretty much off the table.
Most of the time I just need to ssh to a server on that remote network, so a vanilla SSH tunnel is perfect. It’s pointless for me to document here how to do that; there are really great pages on it all over the net. So many, in fact, that you will get confused. Here’s a page that I found not only accurate, but that has all the details you will need to make the tunnel “operational.”
By operational I mean that it “just works,” even if you lose power and everything reboots. That article goes over how to configure systemd to make that happen. It’s not that hard, and there are not that many steps. You will need a VM in the cloud somewhere or a Linux box on a public IP. I have a Linode host for these kinds of things.
Anyway, all that is vanilla. The problem I was having was that I needed to access a web page on an appliance on the remote network. The vendor didn’t provide a means to upgrade the firmware from a CLI; I needed web access. I fiddled and farted and I tried this and I tried that and nothing was working all that well. So I called my good friend David Wang and talked him through it all. I was reassured that he thought it was complicated too. He was the one who had the epiphany that this was not a two-hop problem. I did not need to make a second proxy that jumped to the Linode VM, which then jumped to the remote network. It was one hop from localhost:
ssh -N -D <local port, like 8080> <public host> -p <ssh tunnel port>
Tell Firefox to use a “Manual Proxy Configuration” set to localhost on the local port (like 8080), and make sure you select SOCKS v5. Point your browser at the remote host on the remote network and….
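Both halves of the setup described above, as an added example that is not from the original post: the persistent reverse tunnel the systemd unit runs on the remote side, the one-hop dynamic forward on the laptop, and a curl check before touching the browser. The host name, user, ports and appliance URL are assumptions. One caveat worth knowing: the reverse-forwarded port binds to loopback on the public host unless its sshd has GatewayPorts enabled, and once it is, that port is reachable from the whole Internet, so the remote box should accept key authentication only.

```shell
#!/bin/sh
# Added example (not from the original post). Host names and ports are assumptions.
set -eu

# Reject anything that is not a TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Remote side (box inside the 10.x network): reverse tunnel so <tunnel port>
# on the public host leads back to this box's sshd. ExitOnForwardFailure makes
# a systemd Restart= loop retry instead of keeping a half-working session.
remote_tunnel_cmd() {            # $1 = public host, $2 = tunnel port
    valid_port "$2" || return 1
    printf 'ssh -N -R %s:localhost:22 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s\n' "$2" "$1"
}

# Local side (laptop): the one hop from the post. ssh connects to the public
# host on the tunnel port, which is really the remote box, so the SOCKS
# listener on 127.0.0.1:<local port> exits inside the remote network.
local_socks_cmd() {              # $1 = public host, $2 = tunnel port, $3 = local port
    valid_port "$2" && valid_port "$3" || return 1
    printf 'ssh -N -D 127.0.0.1:%s -p %s %s\n' "$3" "$2" "$1"
}

# Check the proxy works: --socks5-hostname resolves the appliance name through
# the tunnel, as Firefox does with "Proxy DNS when using SOCKS v5". A zero exit
# status means the appliance answered over the tunnel.
verify_socks_cmd() {             # $1 = local port, $2 = appliance URL
    valid_port "$1" || return 1
    printf 'curl -sS --socks5-hostname 127.0.0.1:%s -o /dev/null %s\n' "$1" "$2"
}

# Print the three commands in the order they are run.
main() {
    remote_tunnel_cmd tunnel.example.net 2222
    local_socks_cmd tunnel.example.net 2222 8080
    verify_socks_cmd 8080 http://appliance.internal/
}
main
```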
It worked. Just worked. Like magic.
Arthur C. Clarke said any sufficiently advanced technology is indistinguishable from magic. SSH tunnels fit that bill.
Maybe they will help you someday.
Some things I want to play with:
- can I make the UniFi USG run the ssh tunnel natively?
- can I run the ssh host VM on my network and have the remote host hit my firewall and port forward to the internal host?