-1

I have only one public IP address, behind it are some virtual machines that I need to access using WinSCP/FileZilla from public internet.

I know I can do port forwarding on the router like 10022->192.168.1.100:22, but it feels too tedious. I wonder if there is an elegant solution? The ultimate goal is to be able to access file systems on those virtual machines and transfer files with a GUI client.

Edit: I have the choice to VPN into my network; however, I am not quite happy with it since I need to do more configuration, security precautions, etc. If VPN into the private network is allowed then I have to put more security on each VM, which could be a lot of work, and I want to avoid that.

anetworknoobie
  • You're ok port forwarding to your VMs, but are concerned about the security ramifications of standing up a VPN?!? I think you should think through things a bit more. – EEAA Jan 30 '15 at 06:36
  • @EEAA The logic is: if I do port forwarding I need to do it as many times as the number of VMs I have, plus security on each of them; if I do VPN then I only need fewer ports forwarded but still security on each of them. I did not say I am OK with port forwarding to my VMs, I only said "I know I can do this" but "it feels too tedious", which implies I am NOT all that OK with it. Pay attention to the word "elegant": I already have a few solutions but I want to know if there is any better one. – anetworknoobie Jan 30 '15 at 10:21
  • VPN is your solution. It is as secure and "elegant" as you're going to get. – EEAA Jan 30 '15 at 13:09

1 Answer

3

The port forwarding approach is exactly what I take. However, a downside is that some networks (like when in hotels) implement egress filtering and only let you connect to known ports. So the servers on unusual ports will be inaccessible.

There may be security/trust ramifications, but you could network share the files from all the machines to a central machine over NFS/Samba. Then port forward 22/tcp to that machine. Then you have one place where you can easily update all files all over a single standard port.

[EDIT] The step-by-step:

  1. Mount each of the VMs' filesystems onto a central VM using NFS/Samba, such as:
    1. vm1:/path/to/files /mnt/vm1
    2. vm2:/path/to/files /mnt/vm2
  2. Port forward 22/tcp to this central machine
  3. Using SFTP to this central machine, access your files at /mnt/vm1 and /mnt/vm2
Dan Armstrong
  • So I forward Port 22 to one of the VMs, then I can: SSH into that machine then from that machine to others; SFTP connect to that machine, mount a shared folder on each VM, copy files from my machine to that folder, use terminal to copy the files from that shared folder to other machines? So far so good, but is there a more direct way? – anetworknoobie Jan 30 '15 at 10:40
  • Added step-by-step above. – Dan Armstrong Jan 30 '15 at 16:34
  • Hmm...I probably should not do this but just being curious, can I mount the whole root file system? Like: `mount -whatever vm1:/ /mnt/vm1`? I think I will create a new shared folder on my NAS and mount it on every VM. – anetworknoobie Jan 31 '15 at 02:01
  • You could, but follow your gut: only mount what parts are needed. And good call for using the NAS. – Dan Armstrong Jan 31 '15 at 17:04
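
The mount step from the answer, written as an added example that is not part of the original answer or comments: a POSIX shell helper that turns `host:/export` specs into `/etc/fstab` lines for the central VM and refuses whole-root exports, in line with the "only mount what parts are needed" advice. The function names, the `nfs` filesystem type and the `rw,nosuid,nodev,noexec,_netdev` options are assumptions chosen for this sketch.

```sh
#!/bin/sh
# Added example (not from the original post): build /etc/fstab lines for the
# central VM from "host:/export" specs, one mount per VM under /mnt/<host>.
# Assumption: the mount options below are a hardening choice, not the answer's.
OPTS="rw,nosuid,nodev,noexec,_netdev"

# fstab_line SPEC: print one fstab entry, or explain on stderr and return 1.
fstab_line() {
    spec=$1
    case $spec in
        *:/*) ;;
        *) echo "rejected '$spec': expected host:/path" >&2; return 1 ;;
    esac
    host=${spec%%:*}
    path=${spec#*:}
    # The host becomes a directory name under /mnt, so keep it a plain name.
    case $host in
        ''|.*|*[!A-Za-z0-9.-]*) echo "rejected '$spec': bad host name" >&2; return 1 ;;
    esac
    # Drop trailing slashes; an empty result means the export was the root.
    while [ "${path%/}" != "$path" ]; do path=${path%/}; done
    if [ -z "$path" ]; then
        echo "rejected '$spec': whole-root export" >&2; return 1
    fi
    # Must be absolute; "." / ".." can lead back to the root; spaces break fstab.
    case "$path/" in
        [!/]*|*/./*|*/../*|*[[:space:]]*) echo "rejected '$spec': unsafe path" >&2; return 1 ;;
    esac
    printf '%s:%s /mnt/%s nfs %s 0 0\n' "$host" "$path" "$host" "$OPTS"
}

# gen_fstab: read specs from stdin, print valid entries, return 1 if any failed.
gen_fstab() {
    rc=0
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        fstab_line "$spec" || rc=1
    done
    return $rc
}

# Constructed sample input: the two exports from the answer plus a root export.
gen_fstab <<'EOF' || echo "some specs were rejected (see above)" >&2
vm1:/path/to/files
vm2:/path/to/files
vm1:/
EOF
```

Review the printed lines before appending them to `/etc/fstab` on the central machine; only that machine then needs 22/tcp forwarded.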