(I'm writing this mostly for myself so if/when some day in the future I want to set this up again and can't remember how, I've got something to reference.)
If you have a scenario where you'd like to access machines behind a corporate firewall without getting on their VPN, this might work for you. For instance if you occasionally need to access things behind the firewall from a machine running an OS (like linux) that is not supported by the IT overlords at your $JOB, you can set up a reverse SSH tunnel to connect a machine behind the firewall to a machine at home (or a VM on a cloud provider).
First off, get a VM up and running on the office network, install autossh, copy your SSH id to your bastion host, and then start a reverse tunnel. This would be done on "SECRETVM".
$ sudo apt install autossh $ ssh-copy-id bastion $ autossh -M 10984 -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -i /home/username/.ssh/id_rsa -R 2224:localhost:22 username@bastion -p 22
Now on your home machine (in the diagram above thats "Workstation") you need to add an entry to ~/.ssh/config
host secretvm User username ProxyCommand ssh bastion -W localhost:2224
Now, to get to the VM inside the office, you can just "ssh secretvm"!
To proxy your web traffic through that VM (so you can reach things like JIRA easily), use a SOCKS proxy. Run the following:
$ ssh secretvm -D 9932 -N
Then in Firefox, go to Preferences, General, Network Settings and select "Manual proxy configuration", set SOCKS Host to localhost with port 9932, and check the box for "Proxy DNS when using SOCKS v5".
Enjoy! Also don't tell IT as this could be a real security problem if your bastion host is not well secured. So be sure to do everything you can to lock that node down and keep it up to date.
EDIT: Adding a link to this excellent visual guide to SSH tunnels as it's SUPER useful!
No Innocent Bystanders
Systemic racism impacts every person in this country. For some it means they’re more likely to get a job interview just because of their name. For others it means they’re more likely to be shot during a traffic stop just because of the color of their skin. Sociologists …read more
Scandir errors with scripted backups on OSX
A few years ago I documented how I automatically back up my computer, plus my family members' machines and the process has been working really well. Recently however I noticed some directories were not getting backed up on OSX machines. Turns out since I updated to Catalina, the stricter security …read more
Best Headphones Ever
Whats On Tap, April 2019
Quick update to the blog about what's on tap these days!
It's been quite a while since the last update. That is mostly because I've been drinking a less lately. Busy, and watching my calories pretty closely while I try to drop a few pounds. Usually that means I don't …read more
Whats On Tap, November 2018
Sticking with my promise to update the blog when I rotate what's on tap, here comes November's entry.
The last round of beer lasted pretty long. That's due to only having one bbq party, and me drinking less beer these last few months.
First up is another pale ale. Basically …read more
Whats On Tap, August 2018
I promised to do this whenever something on tap changed but I completely failed to stay on top of that. Instead maybe I'll just do it when ALL the taps have rotated, as I am doing this time!
The Saison is tasty, but came out a little higher gravity than …read more
Publish WordPress to static GitLab Pages site
A long time ago I set up a WordPress blog for a family member. Though there are lots of other options these days, back then there were few decent choices if your requirement was a web-based CMS with a WYSIWYG editor. An unfortunate side effect of things working well was …read more
Whats On Tap, February 2018
I am going to start putting up a little post whenever what's on tap at home changes. I will also make an effort to post when I brew something as well. To that end, here's the first post on that subject!
The Porter I brewed came out really nice. When …read more