[kwlug-disc] reverse tunnel? vpn over ssh?

john at netdirect.ca john at netdirect.ca
Tue Aug 18 09:35:43 EDT 2009

kwlug-disc-bounces at kwlug.org wrote on 08/17/2009 10:47:39 PM:
> From: Richard Weait <richard at weait.com>
> I have a box I can reach on my DMZ.  I allow incoming web requests
> through the firewall to the DMZ box.  It can then reply to the
> request. But if you do crack this box, it can't connect out.  The
> firewall won't allow it.  Great.  Defense in depth and all.
> I can reach this box from my internal network and start/stop services.
>  Configure stuff.  Great.  But I can't get it to update from the web.
> It can't dial out.  I'd like to apply updates without unplugging eth
> cables.

Do you want to update manually or automatically?
> Lots of examples cover connecting boxes that can't see each other but
> can each connect to another box.  When the configuration looks like
> A --> public box <-- B
> SSH reverse tunneling looks to be the right tool for the job.  That's
> the gotomypc-type solution.
> My configuration is essentially:
> internet  <-- desktop --> DMZ
> I'd like to, from my desktop, say "Hi DMZ box, I'm logging in. Here is
> a temporary connection to the internet that will disappear when I log
> out."
> Help me lazyweb?

The reverse tunnel on SSH only allows TCP connections to a single IP/port. 
You can have several of these, but they have to be known in advance. In 
other words, a reverse tunnel is one-to-one, and I assume that your update 
will require one-to-many. A proxy server setup accessible from your 
workstation could make this happen. You would have to configure your 
updater to use a proxy, define that proxy as localhost:nnnn, and set up a 
reverse tunnel using this command from your workstation:

ssh -R nnnn:proxyip:mmmm DMZHost

where nnnn is the port created on the DMZ host, proxyip is the IP address 
of the proxy server and mmmm is the port on the proxy server.

Without a proxy this could be done with a full VPN but it would involve 
setting up complex policy routing rules to deal with the dual gateway 
you'd create on the DMZ host.

John Van Ostrand
Net Direct Inc.
564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
john at netdirect.ca
Ph: 866-883-1172
Linux Solutions / IBM Hardware
Fx: 519-883-8533
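Added example, not code from the list post: a POSIX sh script that builds the one-shot command John describes, publishing a workstation-reachable HTTP proxy on the DMZ host with ssh -R and running the updater through it inside that same ssh session, so the path to the internet exists only for as long as the login does. The host name, proxy address, ports and the use of apt on the DMZ box are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the list post). Assumptions: an HTTP proxy reachable
# from the workstation at PROXY_IP:PROXY_PORT, apt-get on the DMZ host, and
# placeholder names throughout.

# Reject anything that is not a TCP port in 1..65535 (returns 1 on failure).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the remote-forward spec for -R. Binding 127.0.0.1 on the DMZ side
# keeps the listener off the DMZ host's external interfaces; sshd's default
# GatewayPorts=no does the same, but stating it makes the intent explicit.
forward_spec() {
    # $1 = port created on the DMZ host, $2 = proxy ip, $3 = proxy port
    valid_port "$1" && valid_port "$3" || return 1
    printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# Print the full command. The update runs as the remote command of the same
# ssh session that carries the tunnel, so the tunnel is torn down when
# apt-get finishes (or when you hang up), not left open after logout.
update_cmd() {
    # $1 = DMZ host, $2 = port on DMZ host, $3 = proxy ip, $4 = proxy port
    spec=$(forward_spec "$2" "$3" "$4") || return 1
    proxy="http://127.0.0.1:$2/"
    printf "ssh -R %s %s 'apt-get -o Acquire::http::Proxy=%s update && apt-get -o Acquire::http::Proxy=%s -y upgrade'\n" \
        "$spec" "$1" "$proxy" "$proxy"
}

# Example invocation with constructed placeholder values (prints the command;
# run it only once the proxy and host names are real).
update_cmd dmzhost 3128 192.0.2.10 3128
```

Because the proxy setting is passed with -o for that one apt-get run, nothing persistent points the DMZ host at a proxy it cannot reach once the session is gone.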
