
I have two servers, server A and server B. Server B is acting as a VPN for server A. I am trying to figure out a way from a 3rd computer to ssh directly into server A even though it's behind server B's firewall.

Server A:
IP: 73.85.87.81
sshport: 222

Server B:
IP: 109.192.97.168
sshport: 22

I noticed I can VPN into server B then ssh to server A, or ssh to server B then ssh to server A, but I would rather be able to ssh once and end up at server A on port 222.

Is there a way I could set things up that when I ssh 109.192.97.168:222 I end up at 73.85.87.81:222?

I do not want to ssh into server B and then from there ssh into server A. I would much rather have ports forwarded to allow me to ssh directly to server A.

Charles S

1 Answer


Using IPTABLES you can accomplish what you want with the following:

Run these rules on 109.192.97.168 (Server B)

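    # Rule 1: rewrite the destination of TCP/222 arriving at Server B to Server A
    iptables -t nat -A PREROUTING -d 109.192.97.168 -p tcp --dport 222 -j DNAT --to-destination 73.85.87.81:222
    # Rule 2: source-NAT the forwarded connection so replies return through Server B
    iptables -t nat -A POSTROUTING -d 73.85.87.81 -p tcp --dport 222 -j MASQUERADE
    # Rule 3: enable IPv4 forwarding in the kernel (not persistent across reboots)
    echo "1" > /proc/sys/net/ipv4/ip_forward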

Explanation:

  • You can now ssh to 109.192.97.168 on port 222 and you will be accessing Server A
  • 1st rule is for redirecting the traffic designated to Server A on port 222 to Server B on port 222
  • 2nd rule is for MASQUERADE (translate the outgoing traffic to use the IP address of the interface where the route is connected)
  • 3rd rule is for enabling IP forwarding, if this isn't already enabled
  • This seems like what I want to do, one thing though. I was talking with someone else and they suggested that instead of 73.85.87.81 in the commands above I would want to be using the local IP of server A on server B when server B is being used as a VPN (hopefully that makes sense). Any insight? – Charles S Jan 17 '17 at 22:08
  • Yes. Change the IP address 73.85.87.81 with the IP assigned through VPN in both rules – Stancu Mihai Jan 17 '17 at 22:46
  • I've already tested the configuration above before posting the answer. Please check and don't forget to vote. Thanks – Stancu Mihai Jan 17 '17 at 22:48
  • Thanks for this! I get a 'Connection refused' error on PuTTY. I'm running a Lightsail instance, with the port 222 opened and using the same SSH key as I would to connect to port 22. Any ideas will be really appreciated! – nicozica May 11 '20 at 23:51
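
An added example, not part of the answer or comments above: a shell helper that validates the addresses and prints (without applying) a tighter variant of the answer's rules. It adds an optional source restriction and explicit FORWARD rules, which are needed when Server B's FORWARD policy is not ACCEPT. The function names, the VPN-side address 10.8.0.2 and the source range 203.0.113.0/24 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints the commands for review; nothing is applied.
# Function names and the sample VPN/source addresses are assumptions.

# valid_ipv4 ADDR -> status 0 only for four dot-separated octets in 0..255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# forward_rules PUBLIC_IP PORT TARGET_IP TARGET_PORT [ALLOWED_SRC[/PREFIX]]
forward_rules() {
    pub=$1 port=$2 dst=$3 dport=$4 src=${5:-}
    valid_ipv4 "$pub" && valid_ipv4 "$dst" || { echo "bad IPv4 address" >&2; return 1; }
    if [ -n "$src" ]; then   # prefix length itself is left for iptables to check
        valid_ipv4 "${src%/*}" || { echo "bad source: $src" >&2; return 1; }
    fi
    for p in "$port" "$dport"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    match=${src:+-s $src }   # empty when no source restriction is requested
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A PREROUTING ${match}-d $pub -p tcp --dport $port -j DNAT --to-destination $dst:$dport"
    echo "iptables -A FORWARD ${match}-d $dst -p tcp --dport $dport -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -d $dst -p tcp --dport $dport -j MASQUERADE"
}

# Constructed sample: Server B's public IP, Server A's assumed VPN-side IP,
# and a documentation-range network standing in for the admin's source range.
forward_rules 109.192.97.168 222 10.8.0.2 222 203.0.113.0/24
```

Review the printed commands before running them as root on Server B; a mistyped address such as one with an octet above 255 is rejected before any rule is printed.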