Connecting to a private LAN host over the internet via SSH.

Helpful ways to ssh via a bastion host.

If you’ve ever worked within Unix- or Linux-based networks, you will no doubt have come across the need to access a server on a LAN or private network via an intermediate host connected to the internet. Copying files is especially arduous.

There are a few different ways of achieving this. I want to share a couple that I regularly use.

Method 1: Direct SSH

source.host~$ ssh -A www.example.com 
www.example.com~$ ssh target.lan

This is a simple two-command connection: the first command connects you to the server at www.example.com, then the second command (run on the server listening at `www.example.com`) connects you to the target.lan host. The -A flag specifies agent forwarding, so if you are using public/private key pairs you won't be prompted for server passwords. Bear in mind that while the session is open, anyone with root access on the intermediate host can use your forwarded agent to authenticate as you, so only forward your agent to hosts you trust.

Pros:

  • No additional config

Cons:

  • Two commands
  • Can't SCP files directly

Method 2: Chained SSH

source.host~$ ssh -At www.example.com ssh target.lan

This will log you into the target.lan server. Again, the -A flag is used to specify agent forwarding. The -t flag forces pseudo-tty allocation; essentially, this gives the inner ssh a terminal to work with so the session stays open and interactive after the second ssh command runs.

Pros:

  • No additional config
  • Single command

Cons:

  • Can't SCP files directly

Method 3: ProxyCommand

This is by far my preferred method, however it has a few minor prerequisites. First, ensure that netcat (nc) is installed on the intermediate host (www.example.com). If it's running a recent distro you'll more than likely have it already installed; if not, check your repos. Secondly, we need to create a ~/.ssh/config entry. Let's do that now. Open ~/.ssh/config in your editor of choice and add a record like so:

Host target.lan
	User thepearson
	HostName target.lan
	ProxyCommand ssh -l thepearson www.example.com nc %h %p 2> /dev/null

Save that file (replacing the example hosts and usernames with your own). The magical part here is the ProxyCommand line. With ssh_config we can use ProxyCommand to specify a command that establishes the connection to the server; all occurrences of %h are replaced with the target host name and %p with the target port. Used in conjunction with netcat, the ProxyCommand config parameter can be very powerful.
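To make the substitution rule concrete, here is a small Python model of how OpenSSH picks a Host block and expands the ProxyCommand tokens. It is illustrative code added for this article, not part of OpenSSH; the config text is constructed from the entry above plus a catch-all block, and only the space-separated `Key value` syntax is handled.

```python
import fnmatch
import re

# Constructed sample: the entry from this article plus a catch-all block.
SAMPLE_CONFIG = """\
Host target.lan
    User thepearson
    HostName target.lan
    ProxyCommand  ssh -l thepearson www.example.com nc %h %p 2> /dev/null

Host *
    Port 22
"""

def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, {option: value}) blocks."""
    blocks, patterns, options = [], ["*"], {}   # options before any Host line apply to all
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # "Key   value" (key=value form not handled)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[key] = value
    blocks.append((patterns, options))
    return blocks

def resolve(text, host, port=22):
    """Apply OpenSSH's rule: the first value obtained for an option wins."""
    opts = {}
    for patterns, options in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in options.items():
                opts.setdefault(key, value)
    opts.setdefault("hostname", host)        # defaults when no block set them
    opts.setdefault("port", str(port))
    return opts

def expand_proxy_command(opts):
    """Expand %h (HostName), %p (Port), %r (User) and %% in ProxyCommand."""
    cmd = opts.get("proxycommand")
    if cmd is None:
        return None                          # no proxy: ssh connects directly
    tokens = {"h": opts["hostname"], "p": opts["port"], "r": opts.get("user", ""), "%": "%"}
    return re.sub(r"%([hpr%])", lambda m: tokens[m.group(1)], cmd)
```

On newer OpenSSH releases the `nc %h %p` part can be replaced with `ssh -W %h:%p`, so netcat need not be present on the intermediate host at all.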

You should now be able to execute the following.

source.host~$ ssh target.lan

This should give you direct ssh access to the internal server. What's great about this method is that you can use other tools that utilise OpenSSH for their connections, for example:

source.host~$ scp -r ./local_dir target.lan:~

This will recursively copy the local_dir folder to the remote LAN host. Cool huh?

Pros:

  • Single command
  • Directly SCP files

Cons:

  • Additional config
  • Requires netcat on intermediate server

Note: I put netcat down as a con, but realistically most (if not all) GNU-based boxes will have it installed.

So there you have it, some simple SSH commands that may make your life easier. Don't forget to check out the man pages for ssh_config and nc for more details.