LinuxQuestions.org
Linux - General This Linux forum is for general Linux questions and discussion.
Old 02-25-2023, 09:01 PM   #1
Daedra
Senior Member
 
Registered: Dec 2005
Location: Springfield, MO
Distribution: Slackware64-15.0
Posts: 2,690

Question about SSH and Port Forwarding


Just curious on what you guys think the "Best Practice" is in this case.

Let's say I have 5 machines on my network:
Main - 192.168.1.50
VM1 - 192.168.1.51
VM2 - 192.168.1.52
VM3 - 192.168.1.53
VM4 - 192.168.1.54

To access my network via ssh from the outside I set my router to port forward my SSH port to the main machine. Everything works, but let's say I want to access the other machines via ssh. I know that I can set a different ssh port on each machine and forward that port to whatever specific machine I want. I also could ssh into my Main machine and then ssh into the others from there, I guess that's called "nested ssh". I have done both of these methods, but I was just wondering what the best practice is in this type of situation?

Thanks

Last edited by Daedra; 02-25-2023 at 09:02 PM.
 
Old 02-25-2023, 09:52 PM   #2
elgrandeperro
Member
 
Registered: Apr 2021
Posts: 415
Blog Entries: 2

ProxyCommand via ssh, stick it in your private ssh_config (from a Linux client). It starts an ssh session and tunnels it to the real remote machine.
 
Old 02-25-2023, 11:12 PM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,328
Blog Entries: 3

Quote:
Originally Posted by elgrandeperro View Post
ProxyCommand via ssh, stick it in your private ssh_config (from a Linux client). It starts a ssh session and tunnels it to the real remote machine.
Close. In recent years, it would be easier to use ProxyJump for that. It can be accessed via the -J option for one-off sessions, or placed in ~/.ssh/config for permanence. So, for example, connecting from the outside, you connect via your router (203.0.113.224) to your main computer and on to one of your VMs (192.168.1.53):

Code:
ssh -J 203.0.113.224 daedrea@192.168.1.53
Or in ssh_config it could look like this, with the IPv4 address for "main" set to your router's IPv4 address:

Code:
# Jump host: the only machine reachable from the Internet, via the router's
# port forward. One key per host; IdentitiesOnly (below) makes ssh offer
# only the key configured here, not everything in the agent.
Host main
    HostName 203.0.113.224
    IdentityFile /home/%u/.ssh/main.ed25519

Host vm1
    HostName 192.168.1.51
    IdentityFile /home/%u/.ssh/vm1.ed25519

Host vm2
    HostName 192.168.1.52
    IdentityFile /home/%u/.ssh/vm2.ed25519

# etc

# Any alias matching vm? is reached through main (equivalent to ssh -J main).
Host vm?
    ProxyJump main

# Defaults come last: ssh_config keeps the first value it finds for an option.
Host *
    IdentitiesOnly yes
    ServerAliveCountMax 3
    ServerAliveInterval 15
With that, you could be outside your LAN and then type "ssh vm2" to pass through Main to VM2, with the connections being made automatically.

It will work for IPv6 addresses, too.

Because the settings are chosen on a first-match basis, the specific settings go first and progressively more general settings later.

If you want to get really fancy a Match block can be used to determine whether you are on the LAN or outside and only use ProxyJump outside the LAN.

Last edited by Turbocapitalist; 02-25-2023 at 11:14 PM.
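A note on what ProxyJump buys you over the "nested ssh" approach from the first post, plus a hardening step for the jump host. This is an added example, not part of the thread. With ProxyJump the client opens a TCP forward on Main and runs a second, end-to-end SSH session to the VM inside it, so Main never sees the VM session's plaintext, the VM's host key is checked by your own client, and no agent forwarding is needed. Since Main is the one machine exposed to the Internet, the key used to reach it from outside can be restricted so that it is good for nothing except forwarding to the VMs' SSH ports. The authorized_keys line below is constructed for this thread's addresses; the key material and comment are placeholders.

```text
# ~/.ssh/authorized_keys on Main (192.168.1.50). Key material is a placeholder.
#   restrict        no pty, no X11/agent forwarding, no ~/.ssh/rc, no forwarding
#   port-forwarding re-enable forwarding, but only to the permitopen targets
#   command=        a plain "ssh main" gets /bin/false instead of a shell
# permitopen must match what the client asks for, i.e. the HostName values
# from ssh_config (IP addresses here), not the aliases vm1, vm2, ...
restrict,port-forwarding,permitopen="192.168.1.51:22",permitopen="192.168.1.52:22",permitopen="192.168.1.53:22",permitopen="192.168.1.54:22",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...placeholder... jump-only@laptop
```

ProxyJump is implemented as `ssh -W`, which implies -N, so the forced command never runs for the jump itself; sshd on Main still needs AllowTcpForwarding set to yes or local (yes is the default). After installing the line, `ssh vm2` from outside should work while `ssh main` should disconnect immediately; if you also want a shell on Main from outside, use a second, unrestricted key for that. The VMs still authenticate you with their own keys (vm1.ed25519 and so on), so this restricts Main's role to relaying, nothing more.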
 
Old 02-25-2023, 11:16 PM   #4
Daedra
Senior Member
 
Registered: Dec 2005
Location: Springfield, MO
Distribution: Slackware64-15.0
Posts: 2,690

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
Close. In recent years, it would be easier to use ProxyJump for that. It can be accessed via the -J option for one-off sessions, or placed in ~/.ssh/config for permanence. So, for example, connecting from the outside you connect via your router (203.0.113.224) to your main computer to one of your VMs (192.168.1.53)
[...]
Excellent! Thank you sir, and in my first post when I said from the outside I should have specified via the internet, in case that wasn't clear. So for accessing from the internet do I use the WAN IP with the -J option?
 
Old 02-25-2023, 11:36 PM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,328
Blog Entries: 3

Quote:
Originally Posted by Daedra View Post
So for accessing from the Internet do I use WAN IP with the -J option
Yes, you would point -J at the external IP address for your router when you are connecting from outside your LAN.

The shortcuts will only work from outside the LAN as they are above, because most routers don't support loopback NAT aka NAT hairpinning. If you wish to keep the same shortcuts, you'll have to throw in a quick check for whether you are on the LAN or not. Use a Match block to test if you are on your LAN. The test condition can be anything, even a Perl script, but it has to figure out whether you are on your LAN, not just any other LAN.
 
Old 02-25-2023, 11:40 PM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,328
Blog Entries: 3

Here is a guess, untested. See the link in the previous post.

Code:
Host main
    HostName 203.0.113.224
    IdentityFile /home/%u/.ssh/main.ed25519

Host vm1
    HostName 192.168.1.51
    IdentityFile /home/%u/.ssh/vm1.ed25519

Host vm2
    HostName 192.168.1.52
    IdentityFile /home/%u/.ssh/vm2.ed25519

# The script must exit 0 only when you are on your own LAN (not just any
# 192.168.1.0/24). "!exec" negates that, so ProxyJump applies only off-LAN.
# On the LAN, vm1/vm2 are then reached directly at their HostName addresses.
Match originalhost vm? !exec "somescript-to-test-which-network-you-are-on"
    ProxyJump main

Host *
    IdentitiesOnly yes
    ServerAliveCountMax 3
    ServerAliveInterval 15

Last edited by Turbocapitalist; 02-25-2023 at 11:46 PM. Reason: originalhost
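The config above leaves "somescript-to-test-which-network-you-are-on" as a placeholder. Here is one concrete stand-in, written as an added example for this thread and not posted by anyone in it. It answers the "not just any other LAN" requirement by comparing the default gateway's MAC address with the home router's, rather than checking the 192.168.1.0/24 prefix, which any coffee-shop network may also use. It assumes a Linux client with iproute2 (`ip`) and iputils `ping`; the gateway MAC is an assumed placeholder you replace with your router's. Note that a MAC check is a routing convenience, not a security control: a hostile network can spoof it, and the connection's authenticity still rests on your client verifying the host keys of Main and the VM either way.

```shell
#!/bin/sh
# on-home-lan.sh: exit 0 when the default gateway is the home router, else 1.
# Used as the exec test in ssh_config:
#   Match originalhost vm? !exec "$HOME/.ssh/on-home-lan.sh"
#       ProxyJump main
#
# HOME_GW_MAC is a placeholder (assumed value). Replace it with what
# `ip -4 neigh show <gateway>` prints while you are on your own LAN.
HOME_GW_MAC="${HOME_GW_MAC:-02:00:00:00:00:01}"

# Print the lladdr field from `ip neigh` output on stdin, e.g.
#   "192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE"
# Prints nothing for entries without a MAC, such as "... FAILED".
neigh_mac() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") { print $(i+1); exit } }'
}

# Print the default gateway from `ip route` output on stdin, e.g.
#   "default via 192.168.1.1 dev eth0 proto dhcp metric 100"
# Prints nothing for a "default dev ppp0" route (no gateway address).
default_gw() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Return 0 if the observed MAC equals the expected one (case-insensitive),
# 1 if it differs or the observed value is empty.
mac_matches() {
    observed=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$observed" ] && [ "$observed" = "$expected" ]
}

# Full check against the live system: gateway lookup, ARP refresh, compare.
on_home_lan() {
    gw=$(ip -4 route show default 2>/dev/null | default_gw)
    [ -n "$gw" ] || return 1
    # Refresh the neighbour entry in case it has expired; ignore failures.
    ping -c 1 -W 1 "$gw" >/dev/null 2>&1 || true
    mac=$(ip -4 neigh show "$gw" 2>/dev/null | neigh_mac)
    mac_matches "$mac" "$HOME_GW_MAC"
}

# Run the live check only when invoked as the script itself, so the file can
# also be sourced for its functions.
case "${0##*/}" in
    on-home-lan|on-home-lan.sh) on_home_lan ;;
esac
```

Install it with `chmod +x ~/.ssh/on-home-lan.sh`, then check which branch the Match block takes on the current network with `ssh -G vm2 | grep -i proxyjump`: the line is present when you are away and absent on the home LAN. Keep the script's runtime short, since ssh runs it on every connection to a vm? alias.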
 
Old 02-26-2023, 03:05 AM   #7
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,461
Blog Entries: 7

I use OpenVPN for this. Then I can ssh to every machine at the office from home.

It's only one port to forward, and it supports other kinds of traffic too, e.g. RDP to Windows machines.
 
  

