SSH access to hosts on an internal network

On a private network, such as the NAT network used by most homes, a machine can be reached over ssh by forwarding incoming port 22 on the router to a single machine inside the network. To reach more than one machine from outside the network, proxy the connections through that host. This approach is more straightforward than forwarding multiple ports: it needs only one forwarding rule on the router, one change to the ssh client configuration on the outside machine, and no additional configuration on the other hosts. It also leaves a single host's sshd exposed to the internet instead of one per forwarded port.
Required Ingredients

  * A port forwarding rule for one host on the internal network. Log in to your router to set up the rule. Because router interfaces vary, consult your router's manual for help.
  * A target for the above port forwarding rule, configured to accept ssh connections (the default on most systems).
  * An internal network with other ssh-accessible hosts.
  * The outside address of your internal network. Home users with dynamically assigned IP addresses should read
  * The address space of your internal network. On many home routers this will be 192.168.1.0/24 or 192.168.0.0/24.

Address Space Reuse

Addresses like 192.168.1.0/24 are reserved for use in private networks, so the same range is in use on many unrelated networks. Because the proxy rule is applied based on the address you connect to, not on where you are, a rule for 192.168.1.* would also fire when you are sitting on some other network that uses 192.168.1.0/24, sending connections to its local machines through your home proxy instead of directly. You should therefore configure your router to use a less common range. If your router hands out addresses in the 192.168.42.0/24 network, for example, your proxy rule won't get in the way when connecting to machines on a different network that uses 192.168.1.0/24 addresses.
Directions

Configuring an ssh proxy

 1. Configure your router to forward incoming traffic on port 22 to the one machine that will act as the proxy. If you choose to use a less common subnet, configure that on the router as well, then reboot it.

 2. Open the firewall on all machines to ssh traffic. This is the default on most systems. Use the graphical firewall application firewall-config, or issue the commands below as root.

        firewall-cmd --permanent --add-service=ssh
        firewall-cmd --reload

 3. Ensure sshd is enabled and running on all target systems by running the commands below as root.

        systemctl enable sshd
        systemctl start sshd

 4. Edit ~/.ssh/config on the initiating system as below. The first stanza matches any destination in the 192.168.42.0/24 range and runs ssh -W on the proxy host to relay the connection to the target; the second supplies the key used for the proxy host itself. Keep the subnet stanza above any catch-all "Host *" stanza, because ssh uses the first value it obtains for each option.

        Host 192.168.42.*
            ProxyCommand ssh -W %h:%p external_address
            # suggested optional ssh key declarations:
            IdentityFile ~/.ssh/internal_id_rsa

        Host external_address
            IdentityFile ~/.ssh/proxy_id_rsa

    Because the proxy host's sshd is reachable from the internet, use key authentication for it and consider setting PasswordAuthentication no in /etc/ssh/sshd_config on that host.

 5. Test the configuration from inside and outside the network. Running ssh verbosely shows how the ProxyCommand statement relays your connection.

        ssh -vvv 192.168.42.7
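The recipe above works because of two ssh_config(5) rules: Host patterns are shell-style globs matched against the name typed on the command line, and for most keywords the first matching value wins, so stanza order matters. The following script is an added example, not part of the original page or of OpenSSH; it models those rules so you can see, without connecting anywhere, which ProxyCommand and keys a given destination would get. The configs it reads are constructed from the page's stanza (plus a catch-all block and a deliberately misordered variant), and the user name alice is an assumption.

```python
"""Resolve the effective ssh_config options for a host the way ssh(1) does.

Added example (not from the original page). It models two ssh_config(5)
rules the proxy recipe depends on: Host patterns are globs matched (case-
insensitively) against the name given on the command line, and for most
keywords the first obtained value wins. IdentityFile is one of the keywords
that accumulates instead. All sample configs below are constructed.
"""
import fnmatch
import re
import shlex

# Constructed sample: the page's stanza plus a typical catch-all block.
SAMPLE_CONFIG = """\
Host 192.168.42.*
    ProxyCommand ssh -W %h:%p external_address
    IdentityFile ~/.ssh/internal_id_rsa

Host external_address
    IdentityFile ~/.ssh/proxy_id_rsa

Host *
    User alice
"""

# Constructed mistake: a catch-all placed *before* the subnet stanza.
# Because the first obtained value wins, the proxy is never used.
MISORDERED_CONFIG = """\
Host *
    ProxyCommand none

Host 192.168.42.*
    ProxyCommand ssh -W %h:%p external_address
"""

# Keywords whose values accumulate across matching blocks (ssh_config(5)).
MULTI_VALUED = {"identityfile", "certificatefile", "localforward",
                "remoteforward", "dynamicforward", "sendenv", "setenv"}


def parse_config(text):
    """Split config text into (patterns, options) blocks in file order.

    Options before the first Host line land in an initial block that
    matches every host, mirroring how ssh treats global settings.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh: comments start the line
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        elif keyword in MULTI_VALUED:
            options.setdefault(keyword, []).append(value)
        else:
            options.setdefault(keyword, value)
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """Host semantics: a negated ('!') match rejects the block outright;
    otherwise at least one positive pattern must match. ssh patterns only
    use '*' and '?', so '[' is escaped to stop fnmatch treating it as a class."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        glob = (pat[1:] if negate else pat).replace("[", "[[]")
        hit = fnmatch.fnmatchcase(host.lower(), glob.lower())
        if negate and hit:
            return False
        if hit:
            matched = True
    return matched


def expand_tokens(command, host, port, user):
    """Expand the ProxyCommand tokens the recipe relies on: %h, %p, %r, %%."""
    out, i = [], 0
    while i < len(command):
        if command[i] == "%" and i + 1 < len(command):
            repl = {"h": host, "p": str(port), "r": user, "%": "%"}.get(command[i + 1])
            if repl is not None:
                out.append(repl)
                i += 2
                continue
        out.append(command[i])
        i += 1
    return "".join(out)


def resolve(text, host, default_user="root"):
    """Return the effective options for `host`, with ProxyCommand expanded."""
    opts = {}
    for patterns, options in parse_config(text):
        if not host_matches(patterns, host):
            continue
        for key, value in options.items():
            if key in MULTI_VALUED:
                opts.setdefault(key, []).extend(value)
            else:
                opts.setdefault(key, value)  # first obtained value wins
    if opts.get("proxycommand", "none").lower() == "none":
        opts.pop("proxycommand", None)  # 'none' disables the proxy entirely
    else:
        target = opts.get("hostname", host)  # %h is the HostName if one is set
        opts["proxycommand"] = expand_tokens(
            opts["proxycommand"], target, opts.get("port", 22),
            opts.get("user", default_user))
    return opts


def proxy_argv(opts):
    """Approximate argv of the proxy process (ssh really runs it via $SHELL -c)."""
    cmd = opts.get("proxycommand")
    return shlex.split(cmd) if cmd else None


if __name__ == "__main__":
    for target in ("192.168.42.7", "external_address", "192.168.1.5"):
        print(target, "->", resolve(SAMPLE_CONFIG, target))
    print("misordered:", resolve(MISORDERED_CONFIG, "192.168.42.7"))
```

Running it shows 192.168.42.7 relayed through "ssh -W 192.168.42.7:22 external_address" with the internal key, external_address reached directly with the proxy key, and 192.168.1.5 (a host on some other network's range) left untouched, which is the point of the Address Space Reuse note. The misordered config yields no ProxyCommand at all. On a real client the same check is a single command, ssh -G 192.168.42.7, which prints the resolved configuration without connecting.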
References

  * ssh_config(5) - ssh client configuration manual.
  * firewall-cmd(1) - manual for the firewalld command line utility.
  * - recommended reading on ssh authentication.
  * RFC 1918 - defines the private address spaces.