You don’t need a VPN to securely access servers in your Office/Datacenter

Divakar Rajesh
4 min read · Sep 9, 2020

Especially now during the COVID-19 period😷, when you are forced to work from home🏡, you somehow have to access the servers and databases in your office’s intranet.

Photo by Dan Nelson on Unsplash

Why can’t we expose them all?

  • Well🤔.. not all applications are built with security in mind.
  • For most applications there won’t even be an auth wall that checks who is accessing them and whether they are authorized to.
  • So let’s just keep them behind the intranet.

But there must be that one (or more) machine(s) that acts as the load balancer (the machine exposed to the internet; let’s call it the “proxymachine”) and distributes external traffic to the servers inside the intranet. We’re gonna make use of that to accomplish the goal.
It’s possible that you’ve used SSH (Secure Shell) to access remote servers securely. Right?💭

According to https://www.ssh.com/ssh/:

“The SSH protocol uses encryption to secure the connection between a client and a server. All user authentication, commands, output, and file transfers are encrypted to protect against attacks in the network”

So SSH can help us here. One slight issue: we don’t want to SSH into the proxymachine and then SSH again from there every time. The folks behind SSH have already thought this through and let us specify an option that makes a machine act as a “proxy”.

Setting up the config File

To achieve this we’ll have to change a few lines in your SSH config file (the file named config). It resides in ~/.ssh for Linux and macOS and in C:\Users\<YOUR_USERNAME>\.ssh for Windows.

Setting up hosts in the config file is pretty straightforward.

Host <any-name>
HostName <domain-name-or-ip-of-the-proxy-machine>
User <your-username-at-the-proxy-machine>
Port <port-for-ssh-at-proxy-machine>

Example:📝

Host proxymachine
HostName lb.yourorg.com
User divakar
Port 22

The Proxy

The machine we set up as the proxy will talk to, or to be precise, tunnel the traffic to, the machine behind the intranet wall.

Source: https://giphy.com/gifs/SuccessionHBO-hbo-succession-im-in-charge-QOy97mw7oOEXZyl70O

Now, to access a server in the proxy machine’s network (AKA our restricted servers, databases, etc.):

Host <any-name>
HostName <domain-name-or-ip-address-of-the-machine-in-intranet>
User <your-username-in-that-machine>
ProxyJump <name-you-gave-for-proxy-machine>

For Windows users, instead of “ProxyJump” use this (the user here is your username at the proxy machine, since that is the hop this command connects to):

ProxyCommand C:\Windows\System32\OpenSSH\ssh.exe -q -X -W %h:%p <your-username-at-the-proxy-machine>@<name-you-gave-for-proxy-machine>

Example: 📝

Now, let us suppose you want to access the database machine in your office intranet, and its IP in the intranet is 123.11.222.33:

Host dbmachine
HostName 123.11.222.33
User divakar
ProxyJump proxymachine

For Windows, you’d have something like this instead of ProxyJump:

ProxyCommand C:\Windows\System32\OpenSSH\ssh.exe -q -X -W %h:%p divakar@proxymachine

So now you can just,

ssh dbmachine

and access the resources from the command line.

Port Forwarding

OK, seems fine and all, but this only gives you the command line interface. How would you use things like dashboards and other stuff that run over HTTP on different ports? A VPN gives you these for free, remember? For that, you’ll have to do one more step.

Enter “Port Forwarding” 🙌

You can forward a port on a remote machine to your local machine and send traffic to it as though the service were running locally. So you can view it in the browser on localhost, send it API requests, etc.

The syntax for it is something like:

 ssh -nNL localhost:<local-port>:<target-as-seen-from-remote-machine>:<remote-port> <remote-machine>

Note that the target in the middle is resolved by the remote machine, not by your laptop, so an alias from your SSH config won’t work there. A service running on the remote machine itself is simply localhost from its own point of view.

Example:📝

So, if you want to tunnel traffic from localhost port 8000 to, let’s say, a dashboard running on dbmachine at port 9000, you’d have something like:

 ssh -nNL localhost:8000:localhost:9000 dbmachine

Keep in mind that port forwarding respects the ProxyJump/ProxyCommand we set up above.

(You can always look at the man pages to see what the args do😛)

You’d have to keep the terminal open after entering the above command to keep the forwarding alive😑
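To make the config section and the port-forwarding section above concrete, here is an added example (my own code, not from the post and not part of OpenSSH) that parses the post’s two Host stanzas, lists the hops ssh dbmachine actually traverses, prints the equivalent explicit ssh -J command, and builds the port-forward command with the target written from the remote machine’s point of view. The sample config is constructed to mirror the examples above, it handles only the keywords the post uses, and every function name in it is hypothetical:

```python
"""Resolve an OpenSSH ProxyJump chain from a client config.

Added example, not from the post or from OpenSSH. It handles only the
subset of ~/.ssh/config the post uses (Host, HostName, User, Port,
ProxyJump) and all function names here are hypothetical.
"""
import shlex

# Constructed sample config mirroring the post's two stanzas.
SAMPLE_CONFIG = """
Host proxymachine
    HostName lb.yourorg.com
    User divakar
    Port 22

Host dbmachine
    HostName 123.11.222.33
    User divakar
    ProxyJump proxymachine
"""


def parse_ssh_config(text):
    """Return {alias: {keyword: value}} per Host stanza.

    Keywords are lower-cased because OpenSSH matches them case-insensitively.
    """
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = value
            hosts[current] = {}
        elif current is not None:
            hosts[current][key] = value
    return hosts


def resolve_chain(hosts, alias, _seen=None):
    """List the hops ssh would traverse for `ssh <alias>`, first jump first.

    Each hop is (user, hostname, port). A ProxyJump that loops back on
    itself raises instead of recursing forever.
    """
    seen = set() if _seen is None else _seen
    if alias in seen:
        raise ValueError(f"ProxyJump loop through {alias!r}")
    seen.add(alias)
    entry = hosts.get(alias, {})
    hop = (entry.get("user"), entry.get("hostname", alias), int(entry.get("port", 22)))
    chain = []
    # ProxyJump takes a comma-separated list of jump hosts, each resolved
    # through the same config (so a jump may itself have a ProxyJump).
    for jump in entry.get("proxyjump", "").split(","):
        if jump.strip():
            chain.extend(resolve_chain(hosts, jump.strip(), set(seen)))
    return chain + [hop]


def _dest(hop, with_port=True):
    """Render a hop as user@host[:port], omitting the default port 22."""
    user, host, port = hop
    dest = f"{user}@{host}" if user else host
    return f"{dest}:{port}" if with_port and port != 22 else dest


def ssh_command(hosts, alias):
    """The explicit `ssh -J` command equivalent to `ssh <alias>` with this config."""
    *jumps, final = resolve_chain(hosts, alias)
    cmd = ["ssh"]
    if jumps:
        cmd += ["-J", ",".join(_dest(j) for j in jumps)]
    if final[2] != 22:
        cmd += ["-p", str(final[2])]
    cmd.append(_dest(final, with_port=False))
    return " ".join(shlex.quote(c) for c in cmd)


def forward_command(alias, local_port, remote_port, target="localhost"):
    """Local port forward to a service reachable from the remote machine.

    The forward target is resolved by the remote sshd, not by your client, so
    a client-side alias like 'dbmachine' would not resolve there; a service on
    the remote machine itself is 'localhost' from its own point of view.
    """
    return f"ssh -nNL localhost:{local_port}:{target}:{remote_port} {alias}"


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for hop in resolve_chain(cfg, "dbmachine"):
        print("hop:", _dest(hop))
    print(ssh_command(cfg, "dbmachine"))       # ssh -J divakar@lb.yourorg.com divakar@123.11.222.33
    print(forward_command("dbmachine", 8000, 9000))
```

Running it shows that ssh dbmachine is really two hops (lb.yourorg.com, then 123.11.222.33), which is also the chain the port-forward command rides on. The loop check matters in practice because a ProxyJump that refers back to an earlier alias makes the real ssh client spin as well; failing early on it is the behaviour you want from any tool that walks this config.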

Bonus: Remote Development

That’s good and all, but what if you also want to use a GUI editor to develop on that remote machine?

If it’s a popular editor, it’s probable that there is an extension out there that lets you write code directly on the remote machine.

Heard of VSCode? It’s pretty awesome. It has extensions called “Remote Development” & “Remote SSH”. With these you can open up any folder on the remote machine and start developing in that workspace as you would locally. It can also automatically set up port forwarding, if you want, as you open a remote workspace.

Source & More info: https://code.visualstudio.com/docs/remote/ssh

That’s it! — Hope you learnt something here. I’m sure I did😅

Credits: Elvis D’Souza(My mentor🤗), Anshul Mittal(That one annoying co-worker)

Hey👋 — I’m Divakar Rajesh, a Product Engineer at Sensara — Who dat? — whoa, you’ve probably interacted with our products if you have tried Xiaomi Mi Remote. We’re also the default TV Guide/Launcher on some popular smart TVs including the MiTV anddd we also power recommendations and live TV discovery on all Airtel Smart Set-top boxes.

On a personal note😛, you can find me on twitter and other socials as @sdivakarrajesh — Shameless plug 🤦‍♂️— See ya..
