
I need to SSH between 2 "clients", both behind CGNATs, by using a third-party server as a jump. This use case has been covered on this site already but:

How do I make it so the SSH traffic is not readable to the jump server, and stays end-to-end encrypted between the 2 clients?

A VPN server was considered, but discarded since the server would have read access to the client data.

Dalhousie
  • How would you actually implement even the jump box here when the destination server of the SSH connection is behind CGNAT? – Tero Kilkanen Jul 08 '18 at 08:32
  • @TeroKilkanen Haven't got the specifics, but I figured an always-on reverse tunnel from one of the clients, and a regular tunnel from the other client directed through the forwarding port on the jump server. – Dalhousie Jul 10 '18 at 07:26

1 Answer


A design question immediately comes up: "should you use a third-party jump server you don't trust?"

I'm assuming the following: 2 customers have a server poking into each of their networks, connected via VPN, private line, or otherwise.

Assuming this "insecure" server can't be trusted, but you decide to use it anyway (not recommended) to transport or handle ssh traffic between the two clients, you could do the following:

Create a port forwarding rule in iptables (assuming this is a Linux box such as CentOS). If you don't want the middle server to take part in SSH negotiation (i.e. SSH tunnelling, or just ssh'ing to the middle server, then jumping to target), then you need to have the middle server forward your SSH packets direct to target.

It sounds like the described purpose of this server is to provide routing between the networks. If so, you need a forwarding rule to accomplish this. You could ideally have the middle server forward packets to its local gateway (router or firewall), and if it has a path to the destination SSH server, it should forward the packet. The middle server does nothing but forward packets, and doesn't see the data traversing it.

This requires knowing the source subnet or individual IPs sending SSH requests, and the target subnets. See the following link on implementation: https://askubuntu.com/questions/227369/how-can-i-set-my-linux-box-as-a-router-to-forward-ip-packets

Hope this helps,

  • The jump server is a secure installation on a VPS, but it's still a step down from my preferred solution of using an on-prem server. So I wouldn't say it's "untrusted", but I reckon anything that's not on-prem should be handled with extra care. As for the server setup, it's a KVM Linux box, so I should be able to port forward. However, could you elaborate on what you mean by "requires knowing...the IPs sending SSH requests"? Because both clients are behind CGNAT, they have dynamic IPs and I wouldn't have any way to hardcode anything in the jump server's iptables. Is that a problem? – Dalhousie Jul 08 '18 at 06:13
  • If the SSH client in network A is dynamic, and the SSH server in network B is dynamic as well, you can set up a forward for any connections where the destination port is tcp 22, the source subnet is customer A's subnet, and the destination subnet is customer B's subnet. I was basically mentioning a way to set up the port forward where it doesn't require statically defining host IPs. Also note that the SSH client has to know to send its SSH packets to the jump server instead of the default gateway if the destination IP address is in customer B's network. Not sure if I described that well enough. – MalformedPacket Jul 08 '18 at 07:00
  • To clarify, one must add NAT rules to the "jumpbox", not routing rules. The link to the other question isn't valid here, since that talks about a NAT router for a private network, which is a different case than this "jumpbox" solution. – Tero Kilkanen Jul 08 '18 at 08:30
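As an added example (not from the question, the answer, or the comments), this is the reverse-tunnel arrangement the asker sketches in the comments: client B keeps an outbound tunnel to the VPS, client A reaches B through that listener with ProxyJump, and A pins B's host key so the VPS, which only relays TCP bytes, cannot silently substitute its own key. The names jump.example.com, the "tunnel" account and port 2222 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed placeholders:
#   jump.example.com  the VPS reachable from both CGNAT'd clients
#   tunnel            an unprivileged account on the VPS used only for forwarding
#   2222              loopback port on the VPS that the reverse tunnel listens on
JUMP=jump.example.com
TUNNEL_PORT=2222

# --- On client B (the SSH *server* behind CGNAT) ---
# Hold an outbound connection to the VPS and ask its sshd to listen on
# 127.0.0.1:2222, relaying raw TCP back to B's own sshd. The VPS copies bytes;
# the SSH key exchange and encryption happen end-to-end between A and B.
# On the VPS, restrict the tunnel key in authorized_keys with
# "restrict,port-forwarding ssh-ed25519 AAAA..." so it can forward and nothing else.
reverse_tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:localhost:22 tunnel@%s' \
    "$TUNNEL_PORT" "$JUMP"
}

# --- On client A (the SSH *client*) ---
# Write an ssh_config stanza into the file named by $1: hop through the VPS with
# ProxyJump to the loopback listener, and pin B's key under its own alias in a
# dedicated known_hosts so a key presented by the VPS instead of B is rejected.
write_client_config() {
  cat > "$1" <<EOF
Host clientb
    HostName 127.0.0.1
    Port $TUNNEL_PORT
    ProxyJump tunnel@$JUMP
    HostKeyAlias clientb
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_clientb
EOF
}

# Read one option back out of the written stanza (constructed helper; avoids
# needing ssh installed just to inspect the file).
config_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}
```

After seeding ~/.ssh/known_hosts_clientb with B's real key (obtained out of band), `ssh clientb` on A connects through the VPS, and any host-key mismatch aborts the session instead of prompting.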