
My goal is to access a Ubuntu Server that is running in a local VirtualBox publicly via the internet (both SSH on port 22 and HTTP on port 80).

For now, I planned to do it like this:

  1. I set up the local VirtualBox (called "A" in the following) normally and start an OpenSSH server on it on port 22 and also an HTTP server that serves some content on port 80.
  2. At a cloud provider like AWS, I set up another virtual machine instance ("B" in the following) which of course gets a public IP address (e.g. "12.34.56.78", so that B is publicly accessible over SSH at "12.34.56.78:22").
  3. I now want to establish a persistent SSH-based connection (tunnel?) between A and B, which is where I am currently stuck. Creating this tunnel should be initiated by A.
  4. When I then connect over SSH to e.g. "12.34.56.78:2222", port 2222 of B should be forwarded to port 22 of A via the tunnel established in step 3, so that I can access my VirtualBox A from anywhere via the regular internet. Similarly, when accessing "http://12.34.56.78", HTTP content should be served from the server running on port 80 of A.

How can I achieve step 3, i.e. establish this tunnel?

1 Answer

What you're looking for is called remote forwarding/tunneling. You can use it to "push" local ports to a remote machine through an SSH connection.

You need to change an sshd option to make it work how you want. Open /etc/ssh/sshd_config with an editor of your choice, find the line

#GatewayPorts no

and change it to

GatewayPorts yes

Restart the SSH service when you're done. If you don't do this, the tunnel will only bind to the loopback interface.

Then, to achieve the SSH part of what you described, you need to open an SSH connection from VM A to VM B like so:

ssh -R 12.34.56.78:2222:127.0.0.1:22 [email protected]

After -R, instead of the remote machine's address you can also specify an asterisk (*) to listen on all interfaces.

The HTTP side is a bit more complicated because OpenSSH will not let you bind to privileged ports unless you're logging in as root. To get around this restriction, you could make the remote tunnel to a non-privileged port (e.g. 8080) and run something like socat or a reverse proxy like nginx on VM B to redirect requests (or just log in as root, but I wouldn't recommend that). You can find more about this here: https://unix.stackexchange.com/questions/554141/ssh-remoteportforw-binding-privileged-port

To automate the connection from A to B, you could create a script which runs this command and run that script as a service on VM A when the network becomes available. You might want to specify some SSH options to make sure it doesn't try to ask any questions, e.g. StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null.

As a side note, make sure you lock down your SSH tight, otherwise your machines might join some botnet soon. Disable password-based authentication and use SSH keys, set up fail2ban, etc.
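The whole A-to-B setup from the answer, written out as an added example (this is not code from the original answer, and nothing in it contacts a network): the sshd_config check on B, the ssh command and systemd unit for A, and a check on B that the forwarded ports ended up on the interfaces you intended. Assumed names: a dedicated login user "tunnel" on B, B at 12.34.56.78, and a pinned known-hosts file at /etc/ssh/ssh_known_hosts_b. The example uses GatewayPorts clientspecified instead of yes: with yes, sshd binds every remote forward to the wildcard address, so the 127.0.0.1 you give for the HTTP forward would be ignored and 8080 would be public too; with clientspecified the bind address in -R is honoured.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed: user "tunnel" on B,
# B = 12.34.56.78, known-hosts file /etc/ssh/ssh_known_hosts_b. Offline only.

# --- B side: sshd_config -----------------------------------------------------
# effective_gateway_ports CONFIG_TEXT
# Prints the GatewayPorts value sshd would use: the first uncommented
# directive wins and the compiled-in default is "no", so a commented-out
# "#GatewayPorts no" still means "no".
effective_gateway_ports() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ { next }
    tolower($1) == "gatewayports" && !found { print tolower($2); found = 1 }
    END { if (!found) print "no" }'
}

# Constructed sshd_config excerpt for B.
SAMPLE_SSHD_CONFIG='Port 22
#GatewayPorts no
GatewayPorts clientspecified
PasswordAuthentication no'

# authorized_keys_line PUBKEY
# Key for the tunnel user on B: "restrict" turns off pty, agent, X11 and
# forwarding; "port-forwarding" re-enables only what the tunnel needs.
authorized_keys_line() {
  printf 'restrict,port-forwarding %s tunnel-from-A\n' "$1"
}

# --- A side: the ssh command and service -------------------------------------
# reverse_tunnel_cmd USER@B_HOST
# -N/-T: no command, no tty. ExitOnForwardFailure makes ssh exit (so the
# service restarts it) if B refuses a -R bind instead of silently running
# without it. ServerAlive* notices a dead link within ~90 s. 2222 is bound on
# all of B's interfaces; 8080 stays on B's loopback for a reverse proxy on B,
# because an unprivileged login cannot bind port 80 itself.
reverse_tunnel_cmd() {
  printf 'ssh -NT -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ssh/ssh_known_hosts_b -R 0.0.0.0:2222:127.0.0.1:22 -R 127.0.0.1:8080:127.0.0.1:80 %s\n' "$1"
}

# systemd_unit USER@B_HOST
# Unit for A; Restart=always re-establishes the tunnel after a reboot of
# either side or a dropped link.
systemd_unit() {
  cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $1
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
ExecStart=$(reverse_tunnel_cmd "$1")
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# --- verification on B -------------------------------------------------------
# listener_scope SS_OUTPUT PORT
# Given `ss -tln` output from B, prints "public" if PORT is bound on
# 0.0.0.0 / [::] / *, "loopback" if only on 127.0.0.1 / [::1], else "none".
listener_scope() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); if (a[n] != port) next
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") pub = 1
      else if (addr == "127.0.0.1" || addr == "[::1]") loop = 1
    }
    END { print pub ? "public" : (loop ? "loopback" : "none") }'
}

# Constructed `ss -tln` output from B after the tunnel above is up.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'
```

Populate /etc/ssh/ssh_known_hosts_b on A once, out of band (for example by copying B's host key fingerprint from the provider console and checking it against ssh-keyscan), so the service never has to answer a host-key prompt and a MITM between A and B is rejected rather than accepted. On B, put nginx or socat in front of 127.0.0.1:8080 to serve port 80.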
