SSH Tunneling host to host

First I will bring up a couple of simple Ubuntu Docker containers. I have already set up VLANs 10 and 20 in my network within Docker using macvlan, so here I'm just assigning them specific IP addresses to use. You'll also have to use privileged mode on these or else you won't be able to bring up the tunnels. You will not need to worry about this unless you are using Docker containers like I am.

docker run -itd --network vlan10 \
                --ip 172.16.10.130 \
                --hostname HOST1 \
                --name HOST1 \
                --privileged basic_host
docker run -itd --network vlan20 \
                --ip 172.16.20.130 \
                --hostname HOST2 \
                --name HOST2 \
                --privileged basic_host

I already have my own user account created on the basic_host image, so I can simply SSH to them after starting the SSH service in each container.

docker exec -it HOST1 bash
 service ssh start
docker exec -it HOST2 bash
 service ssh start

Now I can just ssh to the new hosts directly.
NOTE: You must be root on both hosts in order to set up this tunnel, as it builds a new tunnel interface. So, sudo up:

jason@HOST1:~$ sudo -s
root@HOST1:~#

jason@HOST2:~$ sudo -s
root@HOST2:~#

Now generate SSH keys. You only really need to do this on HOST1 and then paste the public key into HOST2's '/root/.ssh/authorized_keys' file.
I just accept all of the defaults and do not set a passphrase.

root@HOST1:~# ssh-keygen
.....
root@HOST1:~# cat /root/.ssh/id_rsa.pub

Copy the contents into HOST2's '/root/.ssh/authorized_keys' file.

Now test out that you can ssh (from root) to HOST2 without entering a password:

root@HOST1:~# ssh 172.16.20.130
...
root@HOST2:~#

To build the tunnel:

root@HOST1:~# ssh -Nf -w 0:0 172.16.20.130
root@HOST1:~# channel 0: open failed: administratively prohibited: open failed

Note:
-N Do not execute a remote command.
-f Tells ssh to run in the background so you get your prompt back.
-w 0:0 Requests tun device 0 on the local host and tun device 0 on the remote host.

Doesn’t work.

Add the line below to /etc/ssh/sshd_config on HOST2:

PermitTunnel yes

Restart the SSH service

root@HOST2:~# service ssh restart

And let’s try again

root@HOST1:~# ssh -Nf -w 0:0 172.16.20.130

No errors. Let's see whether the tun0 interface now shows up:

root@HOST1:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

The tunnel is built, but the interface is not configured or up. Let's configure it and see if it works.
Configure 10.0.0.1 on HOST1 (you have to specify the remote end of the point-to-point link):

root@HOST1:~# ip addr add 10.0.0.1 remote 10.0.0.2 dev tun0
root@HOST1:~# ifconfig tun0 up

Configure 10.0.0.2 on HOST2, pointing back to 10.0.0.1:

root@HOST2:~# ip addr add 10.0.0.2 remote 10.0.0.1 dev tun0
root@HOST2:~# ifconfig tun0 up

Now for a ping check:

root@HOST1:~# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.626 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.693 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.587 ms

Works!
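As an added example (not part of the original post), the following shell script collects the HOST1 side of the procedure above into one place and adds the two checks that would have saved the trial and error: it reads the remote sshd_config to confirm PermitTunnel is enabled before requesting the tunnel, and it maps the "administratively prohibited" error back to that setting if the tun device never appears. It assumes the post's addresses (HOST2 at 172.16.20.130, tunnel ends 10.0.0.1 and 10.0.0.2, tun device 0) and a working key-based root login to HOST2; it uses `ip link set ... up` instead of ifconfig, and `peer` is the documented iproute2 spelling of the `remote` keyword used in the post. All function names are my own.

```shell
#!/bin/sh
# Added example, not the original post's code. Scripts the HOST1 side of the
# tun-based SSH tunnel described above plus pre-flight checks. Assumes the
# post's addresses and a key-based root login to the remote host.

# Effective PermitTunnel value of an sshd_config file. sshd honours the first
# uncommented occurrence of a keyword, and the built-in default is "no".
sshd_permit_tunnel() {   # sshd_permit_tunnel CONFIG_FILE
    awk 'tolower($1) == "permittunnel" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Succeeds only if that config lets "ssh -w" open a layer-3 (tun) tunnel.
sshd_allows_tun() {   # sshd_allows_tun CONFIG_FILE
    case "$(sshd_permit_tunnel "$1")" in
        yes|point-to-point) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Commands that give a tun device its point-to-point address pair and bring
# it up. The same text is run locally and, with the addresses swapped, on the
# far end, so both sides are configured consistently.
tun_config_cmds() {   # tun_config_cmds DEV LOCAL_IP PEER_IP
    printf 'ip addr add %s peer %s dev %s\nip link set %s up\n' "$2" "$3" "$1" "$1"
}

# Turn ssh's stderr into the fix the post arrived at by trial and error.
diagnose_tunnel_error() {   # diagnose_tunnel_error "<stderr text>"
    case "$1" in
        *"administratively prohibited"*)
            echo "server refused the tun channel: set 'PermitTunnel yes' in its sshd_config and restart sshd" ;;
        *"Permission denied"*)
            echo "authentication failed: root's public key is not in the remote authorized_keys" ;;
        *)  echo "tunnel did not come up: $1" ;;
    esac
}

# HOST1 side of the procedure. Must run as root because ssh creates the tun
# device, exactly as the post notes.
bring_up_tunnel() {   # bring_up_tunnel REMOTE_HOST LOCAL_TUN_IP PEER_TUN_IP [TUN_NUM]
    host=$1; local_ip=$2; peer_ip=$3; n=${4:-0}; dev="tun$n"
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }

    # Check the far end before asking for the tunnel: the post's
    # "administratively prohibited" error is what "PermitTunnel no" produces.
    cfg=$(mktemp) && ssh "root@$host" cat /etc/ssh/sshd_config > "$cfg" || return 1
    if ! sshd_allows_tun "$cfg"; then
        echo "remote sshd has PermitTunnel $(sshd_permit_tunnel "$cfg"); need yes" >&2
        rm -f "$cfg"; return 1
    fi
    rm -f "$cfg"

    # -N: no remote command, -f: background after auth, -w n:n: tun n on both ends.
    errlog=$(mktemp)
    ssh -Nf -w "$n:$n" "root@$host" 2> "$errlog"

    # -f returns before the server has answered the tunnel request, so give it
    # a moment and then confirm the device is really there.
    sleep 1
    for i in 1 2 3 4 5; do
        ip link show "$dev" > /dev/null 2>&1 && break
        sleep 1
    done
    if ! ip link show "$dev" > /dev/null 2>&1; then
        diagnose_tunnel_error "$(cat "$errlog")" >&2
        rm -f "$errlog"; return 1
    fi
    rm -f "$errlog"

    # Address the device on both ends (swapped on HOST2) and prove it works.
    tun_config_cmds "$dev" "$local_ip" "$peer_ip" | sh -e
    ssh "root@$host" "$(tun_config_cmds "$dev" "$peer_ip" "$local_ip")"
    ping -c 3 "$peer_ip"
}

# Usage on HOST1 (as root): sh tunnel.sh 172.16.20.130 10.0.0.1 10.0.0.2
[ $# -eq 0 ] || bring_up_tunnel "$@"
```

The config check is worth keeping even outside a script: PermitTunnel defaults to "no", and because sshd takes the first uncommented occurrence of a keyword, a `PermitTunnel yes` appended at the bottom of a file that already contains `PermitTunnel no` higher up will change nothing.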
