
I am attempting to minimize my public-facing attack surface by allowing only traffic from a specific IP address. I want to prevent all inbound access to the remote WAN/Edge Router's management port from the public side. So I want to create a tunnel to a server on the private side and forward traffic from there to the WAN/Edge router. I have a dynamic IP at home but have a DigitalOcean Droplet to tunnel through, which will always be static. I believe a VPN would accomplish the same result, but I really didn't want to set up and maintain a VPN when, if I could determine the tunnel sequence, an SSH tunnel would allow me to create and tear it down at will, also using SSH key auth. So my connection would look something like this.

My destination port on the WAN/Edge Router is user definable. So to obfuscate the destination, let's say it's port 3333. So from my workstation I would point my management utility to port 3333 on my localhost, directing traffic over the tunnel to the internal interface of the WAN/Cable modem.

Home workstation (utility port 3333) -> digital_ocean_jump_host -> [---> Passing through the Dest Network WAN/Edge Router with a Firewall/NAT Rule --->] -> internal_jump_host -> WAN/Edge Router's Private Interface on Port 3333

After many Google queries and multiple attempts at this, I just can't quite make it work. At best I can SSH through to the internal server.

What SSH foo might I be missing here? Ideally I would like to make the tunnel an automated service, but a two-step process would be acceptable.

  • Does this answer your question? [An SSH tunnel via multiple hops](https://superuser.com/questions/96489/an-ssh-tunnel-via-multiple-hops) – HackSlash Dec 27 '19 at 00:17
  • The answer to do what you want is already found elsewhere on this site but I will caution you against it. A VPN adds a layer around all that. You can VPN in to your network and then SSH using certificates. That puts two walls between the world and your configuration port. – HackSlash Dec 27 '19 at 00:20
  • Thanks, but it doesn't really solve/answer my question. It assumes the end host is a server hosting whatever service. I am looking to have the last server forward my traffic to a non-server, a router for which I access its management GUI via a given port. – hackerkatt Dec 27 '19 at 04:01
  • I also agree, to a point, that a VPN provides an access method to gain access to the remote's local network. But VPNs are the target of many attacks and a known attack vector. I want to limit the attack surface to a single non-standard port through which I gain access to the server behind the router. And the firewall only allows access from a specific IP address on that non-standard port. That way I can SSH hop to the server behind the firewall/router as well as port forward my desired port for the firewall/router mgmt util. – hackerkatt Dec 27 '19 at 04:07
  • Ok, I think we have a terminology problem here. A "server" is any computer that hosts a service. In this case, the computer is your router and the service is SSHD. The router IS a server. It's also a switch, and a router, and a firewall. It's a multipurpose computer. You are also conflating port forwarding and SSH tunneling. SSH tunneling is the technique you came here to learn and it is explained in the first link I posted. You set up the tunnel on the internal jump host. You set up the port forward on the router to point to that tunnel on the jump host. – HackSlash Dec 27 '19 at 16:36
  • Note: that tunnel can point to anything, including a web portal. As seen here: https://serverfault.com/questions/581530/https-ssh-tunnel – HackSlash Dec 27 '19 at 16:39
  • @HackSlash - You are absolutely correct in the strict def of a "server". I should have better defined that in my description. I thought that by specifically referring to the end host as a WAN/Edge Router I made it clear it was not a server in the traditional sense (Linux, Windows, etc.). And that I'm not trying to connect to the end host on port 22. I referred to a Mgmt Utility. – hackerkatt Dec 27 '19 at 18:50
  • Regarding port forwarding, you are also somewhat correct. However, I would respectfully argue that SSH Tunneling can also, by definition, include port forwarding. For example localhost:8080 to remotehost:80. It's in that context I posted for a solution to an end host (Router) using its Mgmt Utility. Perhaps I should also state that the last hop from jump server to host is not part of the tunnel. Maybe that's where I went wrong in my question. – hackerkatt Dec 27 '19 at 18:52
  • Can you use the mgmt utility from the resulting terminal session at the end of the SSH tunnel? – HackSlash Dec 27 '19 at 19:45
  • The utility is a GUI app. Let me say that I can connect to the router via SSH and manage, but I prefer the GUI as it makes access to all the features much easier to use and manage. I could use X11-Forwarding, install all the needed dependencies, and then run GUI across the tunnel. But that wouldn't be my preferred path. – hackerkatt Dec 27 '19 at 20:15
  • Okay, well that's important information that needs to be included in the question. The question looks like it's just about SSH tunneling. Now you are talking about X11 window applications. This brings us back to **Just use a VPN**. – HackSlash Dec 30 '19 at 16:06
  • With respect, it really doesn't. You asked if I could use the utility from the terminal session. I could, "if I used X11-Forwarding". It was never my intention nor my desire to solve my problem in that solution. But it's technically possible. So it really had nothing to do with my original post or intent. I appreciate your suggestion to use a VPN, it looks like that's going to be my option. I'll see about implementing an IPsec IKEv2 VPN. Thanks – hackerkatt Dec 30 '19 at 22:17
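The chain described in the question, as an added example that is not part of the original post or its comments: OpenSSH's `ProxyJump` (`-J`) makes the droplet open the TCP connection to the home router's NAT'd port, so the firewall rule only ever sees the droplet's static IP, and a `LocalForward` applied on the internal jump host lands localhost:3333 on the router's LAN-side management port. Hostnames, usernames, the NAT'd port 2222, the key file name and the 10.0.0.0/24 addresses are placeholders, and the script only starts the real tunnel when run with `--run`.

```shell
#!/bin/sh
# Added example (not from the original post): two-hop SSH local port forward
# to a router management GUI. All hosts, users, ports and key paths below are
# placeholders; adjust them to the real environment.
set -eu

DO_JUMP="deploy@droplet.example.net"   # DigitalOcean droplet, static public IP
HOME_PUBLIC="203.0.113.10"             # home WAN/edge router, public side (placeholder)
NAT_PORT="2222"                        # firewall/NAT rule: HOME_PUBLIC:2222 -> internal host:22,
                                       # permitted only from the droplet's IP
INTERNAL_JUMP="deploy@${HOME_PUBLIC}"  # login on the internal jump host, reached via that rule
ROUTER_LAN="10.0.0.1"                  # router's private (LAN) interface
MGMT_PORT="3333"                       # management GUI port, same number locally and remotely

# One-liner form. -J: the droplet dials HOME_PUBLIC:NAT_PORT on our behalf.
# -L: the internal jump host connects to ROUTER_LAN:MGMT_PORT for each local connection.
# -N: no remote shell; ExitOnForwardFailure: fail loudly if the forward cannot be set up.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -J %s -p %s -L 127.0.0.1:%s:%s:%s %s' \
        "$DO_JUMP" "$NAT_PORT" "$MGMT_PORT" "$ROUTER_LAN" "$MGMT_PORT" "$INTERNAL_JUMP"
}

# Equivalent ~/.ssh/config stanza, so the whole chain becomes `ssh -N home-jump`
# (or `autossh -M 0 -N home-jump` from a service unit for automatic reconnects).
ssh_config_block() {
    cat <<EOF
Host do-jump
    HostName ${DO_JUMP#*@}
    User ${DO_JUMP%@*}
    IdentityFile ~/.ssh/id_ed25519_tunnel
    IdentitiesOnly yes

Host home-jump
    HostName ${HOME_PUBLIC}
    Port ${NAT_PORT}
    User ${INTERNAL_JUMP%@*}
    ProxyJump do-jump
    LocalForward 127.0.0.1:${MGMT_PORT} ${ROUTER_LAN}:${MGMT_PORT}
    ExitOnForwardFailure yes
    ServerAliveInterval 30
EOF
}

if [ "${1:-}" = "--run" ]; then
    exec $(tunnel_cmd)           # arguments contain no spaces, so unquoted splitting is safe
else
    tunnel_cmd; printf '\n\n'; ssh_config_block
fi
```

Once the tunnel is up, point the management utility at 127.0.0.1:3333; binding the forward to 127.0.0.1 keeps other hosts on the workstation's LAN from reaching it.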

0 Answers