Arif’s Scratch Pad

Different Methods of Tunneling Through a Gateway

Problem

We have a host that we want to reach through a gateway machine, i.e. we need an intermediate hop to get to the machine we actually need to work on.

ssh gw01

Then, from that machine, we log on to the target machine:

ssh mgmt01

We would like to run just one command from the command line and land directly on mgmt01.

Solution

I have been using the first 2 solutions over the last 10 years, and found solution 3, which seems to be the best out of all of them.

Solution 1: Using connect-proxy

You need to have the connect or connect-proxy command installed on your own machine. It should be available in any Linux distribution.

Add the following in your ~/.ssh/config

Host gw01
    HostName 81.23.34.45
    User user1
    DynamicForward 7816

Host mgmt01
    HostName 10.0.0.34
    User user2
    ProxyCommand connect -S localhost:7816 %h %p

Now, for demonstration, we open 3 terminals:

  1. ssh gw01; this should open a session on gw01. Because of the DynamicForward line, this session also starts the local SOCKS listener on port 7816, which is the platform for logging on to mgmt01.
  2. Run ssh mgmt01; this should now log on to mgmt01 through the tunnel created in step 1. It will seem quite seamless, though you may be asked for the password for mgmt01.
  3. Run ssh mgmt01 again; this works exactly as in step 2.

In this scenario you always need to open a connection to the first hop and keep it open. As soon as you close that session or window, every session that depends on it is closed as well.

Solution 2: Using netcat

In this scenario you need netcat (nc) installed on gw01 for this to work.

Add the following in your ~/.ssh/config

Host gw01
    HostName 81.23.34.45
    User user1

Host mgmt01
    HostName 10.0.0.34
    User user2
    ProxyCommand ssh -q gw01 nc %h %p

Now, similar to Solution 1, we open 2 terminals:

  1. Run ssh mgmt01; this should log on to mgmt01 and seem just as seamless as in the previous solution. You may be asked for a password twice, first for gw01 and then for mgmt01.
  2. Run ssh mgmt01 again; this works exactly as in step 1.

In this scenario it appears that you are logging in directly to mgmt01. A fully seamless connection can be obtained by using public/private keys that do not require a passphrase.

The downside of this scenario is that you need nc installed on gw01. This is a problem because the gateway/tunnel machine is usually not your own, so nc may well be missing. That leads me to the final scenario.

Solution 3: Using ssh directly

In this scenario there are no dependencies beyond ssh itself.

Add the following in your ~/.ssh/config

Host gw01
    HostName 81.23.34.45
    User user1

Host mgmt01
    HostName 10.0.0.34
    User user2
    ProxyCommand ssh gw01 -W %h:%p

Again, similar to Solution 2, we open 2 terminals:

  1. Run ssh mgmt01; this should log on to mgmt01 and seem quite seamless, as in the previous solutions. Again, you may be asked for a password twice, first for gw01 and then for mgmt01.
  2. Run ssh mgmt01 again; this works exactly as in step 1.

This is similar to Solution 2, except that there is no dependency on nc being installed on the gateway/tunnel machine.
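The three config stanzas above differ only in their ProxyCommand line (and the DynamicForward line for Solution 1). As an added example, my own code and not part of the original post, the following POSIX shell script generates the stanza pair for any of the three solutions and reports which prerequisites are in place on this client and gateway. All function names, variable names and the sample host values are my own assumptions. The Solution 2 check runs `command -v nc` on the gateway over ssh, so it needs a working login to that host; the Solution 3 check assumes that the -W option first appeared in OpenSSH 5.4.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits the ~/.ssh/config
# stanzas for the three gateway methods described above and checks their
# prerequisites. Function names, variable names and sample values are my own.

# gen_jump_config METHOD GW_ALIAS GW_HOST GW_USER TGT_ALIAS TGT_HOST TGT_USER [SOCKS_PORT]
#   1 = connect-proxy through a DynamicForward SOCKS port (Solution 1)
#   2 = nc running on the gateway (Solution 2)
#   3 = ssh -W, no extra dependency (Solution 3)
gen_jump_config() {
    method=$1 gw_alias=$2 gw_host=$3 gw_user=$4
    tgt_alias=$5 tgt_host=$6 tgt_user=$7 socks_port=${8:-7816}
    gw_extra=""
    case "$method" in
        1) gw_extra="    DynamicForward $socks_port"
           proxy="connect -S localhost:$socks_port %h %p" ;;
        2) proxy="ssh -q $gw_alias nc %h %p" ;;
        3) proxy="ssh -W %h:%p $gw_alias" ;;
        *) echo "gen_jump_config: unknown method '$method'" >&2; return 1 ;;
    esac
    # Gateway stanza first, then the target stanza that tunnels through it.
    printf 'Host %s\n    HostName %s\n    User %s\n' "$gw_alias" "$gw_host" "$gw_user"
    if [ -n "$gw_extra" ]; then
        printf '%s\n' "$gw_extra"
    fi
    printf '\nHost %s\n    HostName %s\n    User %s\n    ProxyCommand %s\n' \
        "$tgt_alias" "$tgt_host" "$tgt_user" "$proxy"
}

# openssh_supports_w MAJOR MINOR: succeeds if an OpenSSH client of that version
# has the -W option used by Solution 3 (assumed to have arrived in OpenSSH 5.4).
openssh_supports_w() {
    if [ "$1" -gt 5 ]; then return 0; fi
    if [ "$1" -eq 5 ] && [ "$2" -ge 4 ]; then return 0; fi
    return 1
}

# openssh_client_version: prints "MAJOR MINOR" of the local ssh, parsed from
# `ssh -V`, which writes e.g. "OpenSSH_9.6p1, OpenSSL ..." to stderr.
openssh_client_version() {
    ssh -V 2>&1 | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# check_jump_deps GW_ALIAS: report which of the three methods this client and
# gateway pair can use. The gateway probe logs in non-interactively (BatchMode),
# so it only succeeds if key-based login to GW_ALIAS already works.
check_jump_deps() {
    gw_alias=$1
    if command -v connect >/dev/null 2>&1 || command -v connect-proxy >/dev/null 2>&1; then
        echo "method 1: connect/connect-proxy found locally"
    else
        echo "method 1: connect/connect-proxy NOT installed locally"
    fi
    if ssh -o BatchMode=yes "$gw_alias" 'command -v nc' >/dev/null 2>&1; then
        echo "method 2: nc found on $gw_alias"
    else
        echo "method 2: nc not found on $gw_alias (or non-interactive login failed)"
    fi
    set -- $(openssh_client_version)
    if [ "$#" -eq 2 ] && openssh_supports_w "$1" "$2"; then
        echo "method 3: local OpenSSH $1.$2 supports -W"
    else
        echo "method 3: could not confirm -W support (need OpenSSH 5.4 or later)"
    fi
}

# Script usage:
#   sh jump_config.sh 3 gw01 81.23.34.45 user1 mgmt01 10.0.0.34 user2 >> ~/.ssh/config
#   sh jump_config.sh check gw01      (report which methods are usable)
if [ "${1:-}" = "check" ] && [ "$#" -eq 2 ]; then
    check_jump_deps "$2"
elif [ "$#" -ge 7 ]; then
    gen_jump_config "$@"
fi
```

After appending a stanza, confirm what ssh will actually run with `ssh -G mgmt01 | grep -i proxycommand` before connecting; `ssh -v mgmt01` shows the ProxyCommand being spawned. With Solutions 2 and 3 the ssh session to mgmt01 is negotiated end to end by your local client, so mgmt01's host key is checked locally and the gateway only relays bytes. If you want the password prompts to go away, prefer loading keys into ssh-agent over keeping passphrase-less private keys on disk.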