LinuxQuestions.org

Linux - Networking: access ssh tunnel (on server) from network (https://www.linuxquestions.org/questions/linux-networking-3/access-ssh-tunnel-on-server-from-network-595181/)

ghostwriter78 10-28-2007 04:18 AM

access ssh tunnel (on server) from network
 
Hello,

We use an SSH tunnel to allow access to an intranet webserver on the remote network.

Until now I established the connection from my local (WINDOWS) PC with putty/plink, and it works well for me.

Now my colleagues also need to use this tunnel.

1. How to make the ssh tunnel permanent on our local linux server (local net)?
2. How to let it establish connection automatically after failure or on server start?
3. How can colleagues in local network access the tunneled (remote) webserver?

The idea is that my colleagues and I just access the local Linux server by e.g. http://lanserver, which would forward all port 80 traffic to the remote tunneled webserver.

Imagined Path of this connection:
Local PCs <-> Local Linux Server <- tunnel over internet -> Remote linux SSH server <-> remote Web Server

The networks have different subnet and are separated by firewalls.
local lan 192.168.0.0/255
local linux server: 192.168.0.10

remote LAN 192.168.10.0/255
remote linux SSH server: 192.168.10.10
remote web server: 192.168.10.20 (port 80)

The remote network has a fixed external IP address, e.g. x.x.x.x

Hope someone can help me with that.

thanks
Tibor

vadiml 10-28-2007 07:12 AM

I'd suggest you take a look at www.openvpn.net

ghostwriter78 10-28-2007 09:22 AM

Well thanks,.. but as I said, I want to use SSH. VPN is not a solution in terms of exposing the whole network.... so we want to tunnel only port 80 to a certain machine.

rossonieri#1 10-28-2007 11:28 AM

hi ghost,

Answers for your questions:
1. AFAIK - as long as the SSH server doesn't terminate the process - you won't lose the connection (you can configure the option on the daemon). But that is not a good practice.
2. Which side has failed/restarted? The client or the server side?
On the Windows client you can put putty.bat in the start-up group to start the connection -> see the manual.
On the server side - mostly it will always be started.
3. If your server-side router performs NAT - then you should forward TCP 22 and all needed ports that you want to tunnel.

HTH.

vadiml 10-28-2007 12:13 PM

Quote:

Originally Posted by ghostwriter78 (Post 2939706)
Well thanks,.. but as I said, I want to use SSH. VPN is not a solution in terms of exposing the whole network.... so we want to tunnel only port 80 to a certain machine.

I've had a client with the same requirements,
I've installed openvpn and used iptables to filter out undesired traffic...
Worked like a charm.

ghostwriter78 10-28-2007 09:36 PM

hi again,

vadiml:
SSH is the only option which I have, since the remote server only supports SSH and is out of my control in terms of installing software.

rossonieri#1:
Neither side has terminated the connection; in fact it's working well with the putty.bat solution on my Win PC. The point is we don't want to use the putty.bat anymore. My colleagues and I shall be able to access the remote server through our local LAN Linux server as SSH client.

That means we type in the address of our local server in the browser (e.g. http://lanserver). The local "lanserver" tunnels the request through the remote side SSH server and on to the remote intranet web server.

Another point...
I took a look at how to set up an ssh connection, but it's not clear to me how to let it recover itself after a disconnect.

Perhaps somebody has a clue how to solve this.
Thanks

Tibor

yongitz 10-28-2007 10:12 PM

Hi! If I were you I would add a cron job (say every 15 mins, it really depends on you) that would check if the ssh tunnel is alive or not. If not, then run the ssh tunnel command.

jschiwal 10-28-2007 10:24 PM

Why not simply use shtml? Forward port 8080 on the remote site's router to the web server for requests originating from your local site.

ghostwriter78 10-28-2007 11:10 PM

Hi jschiwal,
Hmm, shtml? You mean https? Or something else?
The connection isn't the problem here... SSH works fine.

The issue is more whether the access from multiple Windows PCs will work as I posted.

Hi yongitz,
Yes, I also thought that way, .. just how do I check if the ssh tunnel is alive?

jschiwal 10-29-2007 01:56 AM

Yes, I meant htmls. Having an SSL connection between your browser and the server would provide security and the security is built into the browser and web server.

ghostwriter78 10-29-2007 04:50 AM

I still need SSH to connect to the remote network. And that's my question,.. how to do it properly.

jschiwal 11-01-2007 03:59 AM

When you use the putty.bat program, are you tunneling the traffic back and forth or are you running an app remotely? I'm not sure how you set up the return packets because they would come back on random high ports.

If the web protocol used only port 80, you could use something like:
ssh -f -L2001:localhost:80 remote.server.com sleep 100000

The ssh info manual has a tunneling example but it uses the tun device on both ends. Your constraints don't allow that.

If the gateway is running ssh, I think that binding the LAN side interface instead of localhost would allow forwarding to the remote server.
ssh -f -L 8080:10.1.0.1:80 remote.server.com sleep 10000
where the gateway server has an IP address of 10.1.0.1.

I used the auxiliary html port (on the local side) in this example in case other users would want to use their web browsers to the internet normally. This would need testing, and you may also want to add some kind of access control, like an ip_tables rule on your gateway, if you want to limit who on the LAN can use the gateway forwarding.

yongitz 11-02-2007 11:04 AM

Just in case you haven't figured out yet how to have your local LAN access the forwarded ports in your local linux server:

Code:

ssh -L 80:192.168.10.20:80 -g user@192.168.10.10
But then again, your other problem remains (that is, how to check if this connection dies).
A simple telnet command will check if it's up or not, but I just can't get how to script this one, so that if it dies it then calls the ssh command again.

complich8 11-02-2007 03:33 PM

Quote:

Originally Posted by yongitz (Post 2945862)
But then again, your other problem remains (that is, how to check if this connection dies).

Borrowing your code snippet:

user's crontab entry:
Code:

#start at boot time
#cron runs with a minimal PATH, so point this at the script's full path
@reboot runtunnel.sh

runtunnel.sh (put wherever the cron job points to)
Code:

#!/bin/bash

while /bin/true
do
  # make the tunnel connection
  # -N: no remote shell. Without it, an ssh started from cron (no tty, stdin
  #     from /dev/null) gets a remote shell that exits at once, so this loop
  #     would just spin. ExitOnForwardFailure makes ssh exit (and the loop
  #     retry) when the local port cannot be bound.
  ssh -N -o ExitOnForwardFailure=yes -L 80:192.168.10.20:80 -g user@192.168.10.10
  # if the system's down, don't spin the local system too much...
  # sleep a second or so between retries
  sleep 1
done

Make sure to set a useful ServerAliveInterval, ServerAliveCountMax, and TCPKeepAlive to sane values in /etc/ssh/ssh_config, or ~/.ssh/ssh_config in order to promptly detect failures/disconnects of the tunnel.

Incidentally, I use a very similar setup at home, albeit to a slightly different end and inside of screen sessions so I can reconnect and manually kick it...

Also, if you want to use port 80, the user opening the tunnel is going to have to be root. You might consider looking into an iptables "REDIRECT" rule and running a different local port and a non-root user... just sayin'
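Putting the thread's pieces together (ghostwriter78's "how do I check if the tunnel is alive?", yongitz's -g forward, jschiwal's remark about binding the LAN side and limiting who can use it, and complich8's retry loop, keepalive options and REDIRECT idea), here is an added example of a supervised, unprivileged tunnel script. It is not code from the thread or from any of the posters. The remote addresses are the thread's; everything else is a constructed assumption: the local server's LAN interface is called eth0, the LAN is 192.168.0.0/24, ssh listens on 8080 as a non-root user, key-based login to user@192.168.10.10 already works, and the function names (tunnel_opts, port_listening, tunnel_up, redirect_rule, run_tunnel_forever) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): unprivileged, self-restarting ssh tunnel
# with a liveness check and the nat REDIRECT rule that maps port 80 -> 8080.
# Assumptions (constructed): LAN interface eth0, LAN 192.168.0.0/24, local port
# 8080, key-based login to the remote SSH server already set up.

REMOTE_SSH="${REMOTE_SSH:-user@192.168.10.10}"   # remote SSH server (from the thread)
REMOTE_WEB="${REMOTE_WEB:-192.168.10.20}"        # remote intranet web server (from the thread)
LAN_ADDR="${LAN_ADDR:-192.168.0.10}"             # local Linux server's LAN address (from the thread)
LAN_NET="${LAN_NET:-192.168.0.0/24}"             # local LAN in CIDR form (assumption)
LAN_IF="${LAN_IF:-eth0}"                         # LAN-facing interface (assumption)
LOCAL_PORT="${LOCAL_PORT:-8080}"                 # unprivileged listening port (assumption)

# ssh options for an unattended forwarder:
#  -N                        no remote shell; without it a cron-started ssh gets a
#                            shell that exits at once (no tty) and the loop spins
#  ExitOnForwardFailure=yes  exit (so the loop retries) if the local bind fails
#  ServerAlive*              declare a silent link dead after 4 x 15 s, not never
#  BatchMode=yes             never prompt for a password; fail fast on a bad key
#  -L LAN_ADDR:PORT:...      bind only the LAN address (-g would bind every one)
tunnel_opts() {
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o BatchMode=yes -L ${LAN_ADDR}:${LOCAL_PORT}:${REMOTE_WEB}:80 ${REMOTE_SSH}"
}

# Liveness check: read `ss -ltn` output on stdin and succeed if addr:port is a
# listening TCP socket. Reading stdin lets it run on live or recorded output.
port_listening() {
    awk -v want="$1" '$1 == "LISTEN" && $4 == want { found = 1 } END { exit found ? 0 : 1 }'
}

tunnel_up() {
    ss -ltn 2>/dev/null | port_listening "${LAN_ADDR}:${LOCAL_PORT}"
}

# nat-table rule so colleagues browse http://lanserver/ on port 80 while ssh
# listens unprivileged on LOCAL_PORT; -s restricts it to the LAN. The command is
# printed, not executed: it needs root, once, at boot.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$LAN_NET" "$LOCAL_PORT"
}

# Supervisor loop for cron's @reboot: re-run ssh whenever it exits, back off
# between attempts, and do nothing while another instance already holds the port.
run_tunnel_forever() {
    while true; do
        if tunnel_up; then
            sleep 30
            continue
        fi
        # shellcheck disable=SC2046  # word splitting intended; no option has spaces
        ssh $(tunnel_opts)
        sleep 5
    done
}

# Constructed `ss -ltn` output used by the self-check below.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN 0      128    192.168.0.10:8080     0.0.0.0:*
LISTEN 0      128    127.0.0.1:631         0.0.0.0:*'

case "${1:-}" in
    run)   run_tunnel_forever ;;
    rule)  redirect_rule ;;
    check) if tunnel_up; then echo "tunnel up"; else echo "tunnel down"; exit 1; fi ;;
    *)     printf '%s\n' "$SAMPLE_SS" | port_listening "${LAN_ADDR}:${LOCAL_PORT}" \
               && echo "self-check: sample shows ${LAN_ADDR}:${LOCAL_PORT} listening" ;;
esac
```

Run it as `runtunnel.sh run` from the tunnel user's crontab (`@reboot /full/path/runtunnel.sh run`), apply the printed `rule` once as root, and use `check` from the 15-minute cron job yongitz suggested. The keepalive values are passed as -o options here; if you prefer a file, the per-user OpenSSH client file is ~/.ssh/config (the ~/.ssh/ssh_config path mentioned above is not read by ssh; the system-wide file is /etc/ssh/ssh_config). Since BatchMode needs a passphrase-less key on the local server, it is worth limiting that key in the remote user's ~/.ssh/authorized_keys with `restrict,port-forwarding,permitopen="192.168.10.20:80"`, so a copy of the key can open nothing but this one forward.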
