
I have the following setup:

┌────────────────────────────────────────────────────────┐
│                        Internet                        │
│                                                        │
│                 ┌────────────────────┐                 │
│                 │                    │                 │
│                 │                    │                 │
│                 │       client       │                 │
│                 │                    │                 │
│                 │                    │                 │
│                 └─────────┬──────────┘                 │
│                           │                            │
│         ┌─────────────────┼──────────────────┐         │
│         │                 │                  │         │
│         │       ┌─────────┴──────────┐       │         │
│         │       │                    │       │         │
│         │       │      public        │       │         │
│         │       │       server       │       │         │
│         │       │ pub.ip:123.11.22.33│       │         │
│         │       │ pri.ip:10.0.0.2    │       │         │
│         │       └─────────┬──────────┘       │         │
│         │                 │                  │         │
└─────────┼─────────────────┼──────────────────┼─────────┘
          │                 │                  │
          │       ┌─────────┴──────────┐       │
          │       │                    │       │
          │       │      private       │       │
          │       │       server       │       │
          │       │      10.0.0.3      │       │
          │       │                    │       │
          │       └────────────────────┘       │
          │                                    │
          │              Intranet              │
          │             10.0.0.0/24            │
          └────────────────────────────────────┘

The client ssh'es into the public server in order to perform maintenance on a private network. The private network is not connected to the internet except the public server as well as an additional public-facing http(s) proxy server with a separate public IP for web traffic (not shown), and the public server only listens on SSH, RDP, and VPN ports from the internet, as its only purpose is to serve as a landing server to access machines on the private network.

From the public server, I can further ssh into any machine on the private network. Currently, in order to update the machines on the private server, I have to open an internet connection for each machine, which is cumbersome. I'd like to share the internet connection of the public server with machines on the private network but only when I'm using the public server to ssh into a machine on the private network, so that only when I'm performing work on the private machine does it have internet access. I would also like to do this without having to open and then close a tunnel via a separate connection, such that the internet connection is shared within the same session as the interactive remote shell. A reverse tunnel, essentially.

Note that the ssh access is one-way, i.e. the machines on the private server cannot access the public server (or each other) via ssh (therefore also sshuttle) because the public server is configured only to accept ssh connections from the internet and not to accept connections from the private network.

seamux
    What config can you (or are you willing to) impose? E.g. [`ssh -w`](https://superuser.com/a/53149/432690) requires root privileges at both ends, routing configuration etc. Another idea is `ssh -R`, in one of its modes it can act as a SOCKS proxy (like `ssh -D` in reverse), but programs that are going to use it need SOCKS support (or `socksify` or something similar). I don't think you can just `ssh` and suddenly the other end gets rerouted via some tunnel; extra config is required. What can you do on what host then? – Kamil Maciorowski Oct 23 '21 at 23:17
  • @KamilMaciorowski I have root privilege throughout the system. My rationale behind the pairwise isolation of the private servers is that if any private server is breached, it cannot be used to springboard to any other server, especially the public server which has access to all private servers. I'm not willing to give up that particular config. I've read about SOCKS solution, though I'm not familiar enough with it to know what kind of vulnerability that could arise. – seamux Oct 24 '21 at 02:24
  • @KamilMaciorowski alternatively, I could set up a 3rd public-facing server with its own public IP that blocks all incoming external traffic and has no ssh access to any private or public server, then share the internet connection of that server with the private servers, but I'm hoping for a less costly solution (though it wouldn't cost much; for the amount of network traffic that suits this purpose, a low end raspberry pi or even a container with macvlan will do, but the cost of a static external IP and its trappings is not insignificant, and for this setup I must have a separate IP). – seamux Oct 24 '21 at 02:39
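The `ssh -R` reverse-SOCKS mode mentioned in the comments fits the constraints stated in the question (tunnel lives only as long as the interactive session, private host never initiates a connection toward the public host). The script below is an added example, not code from the question, its comments or any answer. It assumes OpenSSH 7.6 or later on the public server for reverse dynamic forwarding (`-R port` with no destination) and 8.7 or later for `PermitRemoteOpen`; the user name `admin`, port 1080 and the allowed destinations are made-up values, and the private host's sshd must have `AllowTcpForwarding` set to `yes` or `remote`.

```shell
#!/bin/sh
# Added example, not code from the question or its comments.
# One interactive session that lands on a private host and, for as long as
# that session lives, gives the host a SOCKS proxy whose outbound traffic
# leaves from the public server:
#
#   private:127.0.0.1:1080 (listener created by -R) ==ssh==> public ==> Internet
#
# Assumptions: OpenSSH >= 7.6 on the public server (reverse dynamic forward,
# "ssh -R port" without a destination) and >= 8.7 for PermitRemoteOpen.
# The private host never opens a connection toward the public host, so the
# one-way SSH policy from the question is preserved.

PUBLIC_HOST="123.11.22.33"   # public server IP from the question
LANDING_USER="admin"         # assumed
SOCKS_PORT="1080"            # assumed

# Least privilege: only these destinations are reachable through the proxy.
# Assumed values; replace with the package mirrors the private hosts use.
ALLOWED_DESTS="deb.debian.org:443 pypi.org:443"

# Command executed ON the public server. "-R 127.0.0.1:PORT" with no
# destination turns the listener on the private host into a SOCKS4/5 proxy;
# PermitRemoteOpen is a client-side option, so the restriction is enforced
# on the public server and cannot be relaxed from the private host.
inner_cmd() {
    target="$1"     # private host, e.g. 10.0.0.3
    ssh_user="$2"
    printf 'ssh -R 127.0.0.1:%s -o "PermitRemoteOpen=%s" %s@%s' \
        "$SOCKS_PORT" "$ALLOWED_DESTS" "$ssh_user" "$target"
}

# Command typed on the client. -t keeps the nested session interactive; the
# inner command is passed as a single argument for the landing shell to run.
outer_cmd() {
    printf "ssh -t %s@%s '%s'" "$LANDING_USER" "$PUBLIC_HOST" "$(inner_cmd "$1" "$2")"
}

# Environment for tools on the private host (curl, pip, git honour ALL_PROXY).
# socks5h makes DNS resolution happen on the public side, which matters
# because the private host has no path to a resolver on the internet.
proxy_env() {
    printf 'ALL_PROXY=socks5h://127.0.0.1:%s' "$SOCKS_PORT"
}

# apt configuration fragment for the private host (apt 1.5 and later accept
# socks5h proxies); write it to /etc/apt/apt.conf.d/ on the private host.
apt_proxy_conf() {
    printf 'Acquire::http::Proxy "socks5h://127.0.0.1:%s";\n' "$SOCKS_PORT"
    printf 'Acquire::https::Proxy "socks5h://127.0.0.1:%s";\n' "$SOCKS_PORT"
}

# Runs the real nested ssh. Invoked only as: sh this.sh --run 10.0.0.3 admin
open_session() {
    exec ssh -t "$LANDING_USER@$PUBLIC_HOST" "$(inner_cmd "$1" "$2")"
}

if [ "${1:-}" = "--run" ]; then
    open_session "$2" "$3"
fi
```

When the session on the private host ends, the `-R` listener on 127.0.0.1:1080 disappears with it, and nothing on the private host is left able to reach the public server. To confirm that the private sshd will accept the remote forward before relying on it, run `sshd -T | grep -i allowtcpforwarding` there; a value of `no` or `local` blocks the `-R` listener.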

0 Answers