
I have different hosts that are connected over a cellular network (so NAT and dynamic IP). I have a central server that I want to use as a gateway to access those machines' SSH servers for remote management. The current setup is to assign a port to each remote host in the configuration phase; those hosts then create a reverse bridge over SSH, so from the server I can ssh to 127.0.0.1:port and I will bounce to the machine I want to manage.

Of course this has some serious security and management problems: I need to hand out those ID/port numbers and make sure they are unique, and each host can also connect to all the other hosts since the server will happily bounce everything, which I don't want (and that is also why a VPN would not be a solution, AFAIK).

What would be a better solution? I can't even find software able to manage multiple machines under those conditions.

The only solution I see is to build custom software to create this "mixer", but that feels very error prone.

mauro
  • Why aren't you using IPv6? All the mobile networks already have it. Your office probably does too, at this point. – Michael Hampton Oct 31 '18 at 12:04
  • @MichaelHampton All (mobile) networks should have it, but unfortunately that's not the case. But of course the right thing to do here is to tell the ISP that you need IPv6. – kasperd Oct 31 '18 at 12:31

1 Answer


OpenVPN, for example, can prohibit clients from routing traffic to one another, or you can use iptables queues to keep them separate.

HannesS
  • > OpenVPN for example can prohibit clients to route traffic to one another
    This is interesting; guess I'll also need some iptables to expose only the needed services on the server. If one service is exposed to all hosts by the server, like an HTTP server, will other clients be able to sniff the connections of other hosts? – mauro Oct 31 '18 at 10:49
  • The directive you are searching for should be client-to-client, as explained here for example: https://serverfault.com/questions/736274/openvpn-client-to-client - we use a similar way to connect to our customer sites. – HannesS Oct 31 '18 at 10:51
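The pieces the answer and comments refer to, put together as an added example (this is not code from the answer, from HannesS, or from the OpenVPN project). It assumes a tunnel subnet of 10.8.0.0/24 with the server at 10.8.0.1 on tun0, an HTTP service on port 80 as the one thing the field hosts may reach on the server, a PKI already generated, and made-up host names and addresses. The security-relevant lines are the ones that are absent: no `client-to-client` (so packets between clients go through the kernel, where iptables can drop them) and no `duplicate-cn` (one certificate per host, so a `client-config-dir` file can pin each host to a fixed tunnel address, which replaces the hand-managed ID/port table):

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values (not on the page):
# tunnel 10.8.0.0/24, server 10.8.0.1 on tun0, shared HTTP service on port 80.

TUN_IF=${TUN_IF:-tun0}

# Server config. Deliberately contains neither "client-to-client" nor
# "duplicate-cn"; each client's CN gets a file under client-config-dir.
openvpn_server_conf() {
    cat <<EOF
port 1194
proto udp
dev $TUN_IF
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# Per-host ccd entry: write its output to /etc/openvpn/ccd/<cn>. The server
# then always reaches host <cn> at <tunnel-ip>, e.g. "ssh 10.8.0.11".
# Usage: ccd_entry <cn> <tunnel-ip>
ccd_entry() {
    echo "ifconfig-push $2 255.255.255.0"
}

# Check a server config before deploying it: fail if someone re-enabled
# client-to-client forwarding or shared certificates.
# Usage: audit_conf <file>   (returns 1 on a violation)
audit_conf() {
    if grep -Eq '^[[:space:]]*(client-to-client|duplicate-cn)([[:space:]]|$)' "$1"; then
        return 1
    fi
    return 0
}

# Firewall rules, printed one per line so they can be reviewed first.
# Rule 1 is what stops client-to-client traffic once it reaches the kernel
# (it only matters if net.ipv4.ip_forward is on, but is cheap insurance).
# Rules 2-4 let the server's own outbound ssh sessions to the hosts get
# their replies, expose only HTTP to the tunnel, and drop everything else,
# so the hosts cannot reach the server's sshd over the VPN.
fw_rules() {
    cat <<EOF
iptables -A FORWARD -i $TUN_IF -o $TUN_IF -j DROP
iptables -A INPUT -i $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $TUN_IF -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $TUN_IF -j DROP
EOF
}

# Apply the rules above (needs root and iptables; not run by default).
apply_fw() {
    fw_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Typical use on the server (commented out so the script is safe to source):
# openvpn_server_conf > /etc/openvpn/server.conf && audit_conf /etc/openvpn/server.conf
# ccd_entry gateway-a 10.8.0.11 > /etc/openvpn/ccd/gateway-a
# apply_fw
```

On the sniffing question from the comments: each client has its own TLS session with the server, and in tun mode the server hands a unicast packet only to the client whose tunnel address it is destined for, so a host never sees another host's traffic to the HTTP service. What the rules above add is preventing hosts from connecting to each other or to the server's sshd at all.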