A secured ssh based VPN in a Docker container. Works only as jump host for port forwarding and SOCKS proxy but provides no shell.
It can either be used to access services on a remote host or a remote access in a secure way.
Or it can be used to publish services inside a docker container with ssh. I this case, there should be at least two docker ontainers: One running the service you want to access from the outside and one running the ssh service.
The big advantage of having ssh in a separate Docker container is that the ssh container can be kept at the most current version while the rest of the system can stay at a stable state. So if there are some security updates, it is sufficient to only update the ssh Docker container and keep the rest of the system untouched.
With the ssh Docker container it is also possible to update ssh from remote without risking to lock yourself out. Just spawn two instances of the ssh Docker container, then connect to the first and update the second and then vice versa. So there is always a backup in case the update fails and ssh won't start in the updated container.
This docker file provides a pure jump host. This means it can only be used to connect to other servers using ssh port fowarding. It has no shell available and cannot run any commands.
Open the command line and run
-
ssh -N -L xxx:nnnnnn:yyy -p 22022 vpn@name-of-server
Where
Option | Description |
---|---|
nnnnnn:yyy | The remote server you want to access |
xxx | The local port number |
name-of-server | The name of the jump gateway server |
You can then access the remote server on port xxx on your local system.
-
ssh -N -D 1080 -p 22022 vpn@name-of-server
You can then add "localhost:1080" as a socks 4 proxy to your local web browser. All traffic will be tunneled to the vpn gateway server.
Install a current ssh version using homebrew:
brew tap homebrew/dupes
brew install openssh \
--with-brewed-openssl --with-keychain-support
Then continue with the steps for Linux.
Attention: PuTTY does not support the required encryption levels used on this server.
Connect using KiTTY SSH or MobaXTerm.
Configure a new session with port forwarding. Under "SSH" choose "Don't start a shell or command at all".
Create a new connection. Under "Advanced settings" choose "Conncet through SSH gateway (jump host)"
Instead of the plain command line ssh, you can also use autossh. Autossh automatically restarts the tunnel when the connection temporarily goes down. It is available to all major platforms (on Windows autossh is available as a Cygwin package and can even run as a Windows service).
Date | Remark |
---|---|
2015-07-22 | The provided configuration is already imune against the MaxAuthRetries attack. |
2016-02-17 | The provided configuration is probably safe against the GLibc getaddrinfo attack. Nevertheless all users are advised to rebuild the Docker image, so it fetches the fixes from Ubunutu 14.04 LTS. The patches are already in the LTS version, othere Ubuntu versions should follow soon. |