Use Double SSH Tunnels Instead of VPN to Access Private Network
During the covid-19 pandemic, most people work from home and VPN is a common approach to access insecure private network servers like an HTTP server without access authentication. Most modem servers have security control and can be moved to the internet for direct access by assigning a public IP address and a domain name, such as JIRA and Confluence servers. So there should be a very limited number of legacy servers that are kept in the private network and are protected by VPN, i.e. only accessible from the private network. In this post, I will explain how you can access private servers directly in a secure way using double SSH tunnels (Local + Remote) as an alternative to VPN.
Imagine you have a corporate private network in 10.0.0.x, and you have a PC in the office (10.0.0.11) or any device that can run as an SSH client. You can use the office PC to create an SSH tunnel to a public Linux server (accessible on the internet) as a bridge to access other servers or devices in the office private network, such as an HTTP server (10.0.0.12).
The first step is to create a remote tunnel from the office PC 10.0.0.11 to the public server, e.g. yourserver.com. Assume you access the public server with an SSH key (sshkey.pem).
Run this command on your office PC if it is a Linux:
ssh -R 9000:10.0.0.12:80 -i sshkey.pem -f -N <username>@yourserver.com
-R 9000:10.0.0.12:80This creates a remote tunnel and the public server is listening on port 9000. When you access the port 9000 on the public server, it is redirected to the private server 10.0.0.12 on port 80 (HTTP) via office PC 10.0.0.11. Note that for security reasons the port 9000 is listening only on localhost 127.0.0.1, not all IP addresses 0.0.0.0 on the server. Run
netstat -anp|grep 9000on the public server and you will see that as follows.
-f -NThis is optional. “The
-foption tells the
sshcommand to run in the background and
-Nnot to execute a remote command.”