Just curious on what you guys think the "Best Practice" is in this case.
Let's say I have 5 machines on my network
Main - 192.168.1.50
VM1 - 192.168.1.51
VM2 - 192.168.1.52
VM3 - 192.168.1.53
VM4 - 192.168.1.54
To access my network via ssh from the outside I set my router to port forward my SSH port to the main machine. Everything works, but let's say I want to access the other machines via ssh. I know that I can set a different ssh port on each machine and forward that port to whatever specific machine I want. I also could ssh into my Main machine and then ssh into the others from there, I guess that's called "nested ssh". I have done both of these methods, but I was just wondering what the best practice is in this type of situation?
ProxyCommand via ssh, stick it in your private ssh_config (from a Linux client). It starts an ssh session and tunnels it to the real remote machine.
Close. In recent years, it would be easier to use ProxyJump for that. It can be accessed via the -J option for one-off sessions, or placed in ~/.ssh/config for permanence. So, for example, connecting from the outside you connect via your router (203.0.113.224) to your main computer to one of your VMs (192.168.1.53)
Code:
ssh -J 203.0.113.224 daedrea@192.168.1.53
Or in ssh_config it could look like this, with the IPv4 address for "main" being set to your router's IPv4 address:
With that, you could be outside your LAN and then type "ssh vm2" to pass through Main to VM2, with the connections being made automatically.
It will work for IPv6 addresses, too.
Because the settings are chosen on a first-match basis, the specific settings go first and progressively more general settings later.
Excellent! Thank you sir, and in my first post when I said from the outside I should have specified via the internet, in case that wasn't clear. So for accessing from the internet do I use WAN IP with the -J option?
Yes, you would point -J at the external IP address for your router when you are connecting from outside your LAN.
The shortcuts will only work from outside the LAN as they are above, because most routers don't support loopback NAT aka NAT hairpinning. If you wish to keep the same shortcuts, you'll have to throw in a quick check for whether you are on the LAN or not. Use a Match block to test if you are on your LAN. The test condition can be anything, even a Perl script, but it has to figure out whether you are on your LAN, not just any other LAN.
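Here is a complete ~/.ssh/config that puts the two answers above together: the ProxyJump shortcuts ("ssh vm2" passes through Main automatically) and the Match block that switches Main's address depending on whether the client is on the home LAN. This is an added example written for this thread, not a config posted by anyone in it. The addresses, the "daedrea" user name and the router's public address 203.0.113.224 come from the thread; the gateway address 192.168.1.1 and the router MAC address 00:11:22:33:44:55 are assumed placeholders that you would replace with your own. The MAC check is what makes the test specific to your LAN rather than to any 192.168.1.0/24 network.

```sshconfig
# ~/.ssh/config -- added example, not from the thread.
# ssh_config takes the FIRST value it finds for each option, so the most
# specific entries come first and the general ones last.

# On the home LAN: reach Main directly. The exec test pings the router
# (assumed to be 192.168.1.1) and then checks its MAC address (placeholder
# 00:11:22:33:44:55) in the neighbour table, so a different 192.168.1.0/24
# network elsewhere does not match.
Match host main exec "ping -c1 -W1 192.168.1.1 >/dev/null 2>&1 && ip neigh show 192.168.1.1 | grep -qi '00:11:22:33:44:55'"
    HostName 192.168.1.50

# Everywhere else: Main is the router's public address, which forwards
# the SSH port to 192.168.1.50. This is the only port exposed to the Internet.
Host main
    HostName 203.0.113.224
    User daedrea
    Port 22

# The VMs are only ever reached through Main; "main" resolves to whichever
# HostName won above, so the same shortcuts work inside and outside the LAN.
Host vm1
    HostName 192.168.1.51
Host vm2
    HostName 192.168.1.52
Host vm3
    HostName 192.168.1.53
Host vm4
    HostName 192.168.1.54

# Settings shared by all four VMs, listed after the specific entries.
Host vm1 vm2 vm3 vm4
    ProxyJump main
    User daedrea
```

To see which address "main" resolved to without opening a session, run `ssh -G main` (or `ssh -G vm2`) and read the hostname and proxyjump lines it prints; that is the quickest way to check that the Match test behaves as intended from each network. With this layout the VMs never need their own forwarded ports, so the router exposes exactly one SSH service, and the jump through Main is end-to-end encrypted to the VM rather than an agent-forwarded second login on Main.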