Skip to content

Latest commit

 

History

History
115 lines (77 loc) · 3.96 KB

README.md

File metadata and controls

115 lines (77 loc) · 3.96 KB

docker-ssh-vpn-jump-host

A secured ssh based VPN in a Docker container. Works only as jump host for port forwarding and SOCKS proxy but provides no shell.

It can either be used to access services on a remote host or a remote access in a secure way.

Or it can be used to publish services inside a docker container with ssh. I this case, there should be at least two docker ontainers: One running the service you want to access from the outside and one running the ssh service.

The big advantage of having ssh in a separate Docker container is that the ssh container can be kept at the most current version while the rest of the system can stay at a stable state. So if there are some security updates, it is sufficient to only update the ssh Docker container and keep the rest of the system untouched.

With the ssh Docker container it is also possible to update ssh from remote without risking to lock yourself out. Just spawn two instances of the ssh Docker container, then connect to the first and update the second and then vice versa. So there is always a backup in case the update fails and ssh won't start in the updated container.

Idea: SSH VPN jump host for port forwarding

This docker file provides a pure jump host. This means it can only be used to connect to other servers using ssh port fowarding. It has no shell available and cannot run any commands.

Connecting

Connect from Linux

Open the command line and run

  1. ssh -N -L xxx:nnnnnn:yyy -p 22022 vpn@name-of-server

    Where

Option Description
nnnnnn:yyy The remote server you want to access
xxx The local port number
name-of-server The name of the jump gateway server

You can then access the remote server on port xxx on your local system.

  1. ssh -N -D 1080 -p 22022 vpn@name-of-server

    You can then add "localhost:1080" as a socks 4 proxy to your local web browser. All traffic will be tunneled to the vpn gateway server.

Connect from Mac OS X

Install a current ssh version using homebrew:

    brew tap homebrew/dupes
    brew install openssh \
      --with-brewed-openssl --with-keychain-support

Then continue with the steps for Linux.

Connect from Windows

Attention: PuTTY does not support the required encryption levels used on this server.

Connect using KiTTY SSH or MobaXTerm.

KiTTY SSH

Configure a new session with port forwarding. Under "SSH" choose "Don't start a shell or command at all".

MobaXTerm

Create a new connection. Under "Advanced settings" choose "Conncet through SSH gateway (jump host)"

Autossh

Instead of the plain command line ssh, you can also use autossh. Autossh automatically restarts the tunnel when the connection temporarily goes down. It is available to all major platforms (on Windows autossh is available as a Cygwin package and can even run as a Windows service).

News

Date Remark
2015-07-22 The provided configuration is already imune against the MaxAuthRetries attack.
2016-02-17 The provided configuration is probably safe against the GLibc getaddrinfo attack. Nevertheless all users are advised to rebuild the Docker image, so it fetches the fixes from Ubunutu 14.04 LTS. The patches are already in the LTS version, othere Ubuntu versions should follow soon.