Skip to content

SSH Tunneling host to host

First I will bring up a couple simple ubuntu docker containers. I have already setup vlans 10 and 20 in my network within docker using macvlan, so here i’m just assigning them specific IP addresses to use. You’ll also have to use privileged mode on these or else you won’t be able to bring up the tunnels. You will not need to worry about this unless you are using docker containers like I am.

docker run -itd --network vlan10 \
                --ip \
                --hostname HOST1 \
                --name HOST1 \
                --privileged basic_host
docker run -itd --network vlan20 \
                --ip \
                --hostname HOST2 \
                --name HOST2 \
                --privileged basic_host

I already have my own user account created on the basic_host image, so I can simply SSH to them after starting the SSH service

docker exec -it HOST1 bash
 service ssh start
docker exec -it HOST2 bash
 service ssh start

Now I can just ssh to the new hosts directly:
NOTE: You must be root on both hosts in order to setup this tunnel as it builds a new tunnel interface. So, sudo up

jason@HOST1:~$ sudo -s

jason@HOST2:~$ sudo -s

On both I now generate ssh keys. Only really need to do this on HOST1 and then paste the public key into HOST2’s ‘/root/.ssh/authorized_keys’ file.
I just accept all of the defaults and do not set a passphrase

root@HOST1:~# ssh-keygen
root@HOST1:~# cat /root/.ssh/

copy contents into HOST2’s ‘/root/.ssh/authorized_keys’ file

Now test out that you can ssh (from root) to HOST2 without entering a password:

root@HOST1:~# ssh

To build the tunnel:

root@HOST1:~# ssh -Nf -w 0:0
root@HOST1:~# channel 0: open failed: administratively prohibited: open failed

-N Do not execute a remote command
-f Tells ssh to run in the background so you get your prompt back.

Doesn’t work.

Add the below to the /etc/ssh/sshd_config on HOST2

PermitTunnel yes

Restart the SSH service

root@HOST2:~# service ssh restart

And let’s try again

root@HOST1:~# ssh -Nf -w 0:0

No errors, let’s see if the tun0 interface is now showing

root@HOST1:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Tunnel is built, but not configured or up. Let’s configure it and see if it works:
Configure on HOST1 (you have to specify the remote end of the connection)

root@HOST1:~# ip addr add remote dev tun0
root@HOST1:~# ifconfig tun0 up

Configure on HOST2 pointing back to

root@HOST2:~# ip addr add remote dev tun0
root@HOST2:~# ifconfig tun0 up

Now for a ping check

root@HOST1:~# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.626 ms
64 bytes from icmp_seq=2 ttl=64 time=0.693 ms
64 bytes from icmp_seq=3 ttl=64 time=0.587 ms


Published inTech

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *