using google gcloud to ssh tunnel into linux machine inside network
I have an Ubuntu 16.04 VirtualBox machine (i.e. machine A) running on OSX connected to a university campus network. I would like to occasionally ssh into the machine from my laptop to remotely assist my colleagues, and I looked at different options.

It seems one of the options is "reverse ssh" (related to "port forwarding" or "ssh tunnelling"). My laptop does not have a fixed IP, so I can't do straight reverse ssh. The possible solution is to use a proxy machine. The idea is that when I need to assist my colleagues, they will type in the connection instructions from machine A, this will create a running GCP instance, and I will be able to then connect to machine A from the outside using this bridging (proxy?) GCP machine.


                                            / Academic intranet
                          +----------+     |  
                          |   GCE    |     |  +----------+
                          | instance |<----|--| Machine A|
                          +----------+     |  +----------+
                                           |  
                                            \ 



                                            / Academic intranet
                          +----------+     |  
+-------------+    ssh    |   GCE    | ssh |  +----------+
| Laptop dynIP|---------->| instance |-----|->| Machine A|
+-------------+           +----------+     |  +----------+
                                           |
                                            \

We have a Google cloud account and gcloud installed on machine A. From what I can tell, GCP already has a very simple way to set up a tunnel in GCP:

https://cloud.google.com/community/tutorials/ssh-tunnel-on-gce

I tried it and it works. Which makes me guess that the same should be possible on GCP for the final step: for me to be able to open an SSH browser window on the running GCP instance so that I can ssh into machine A from there.

Any ideas?

EDITED:

Here is how far I got following the ssh tunnel on gce instructions:

On machine A:

gcloud compute instances create --zone us-west1-a tunnel
gcloud compute ssh --zone us-west1-a tunnel -- -N -p 22 -D localhost:2210

On my laptop, I can open https://console.cloud.google.com/compute/instances and then open a browser window to SSH connect.

From the GCP instance hostname tunnel, I guess I am missing something like:

ssh-into-machine-A-from-here

This is the last command that I am missing. Or maybe the ssh tunnel in gcloud needs extra flags/parameters.

Magnien answered 11/10, 2019 at 10:47 Comment(8)
It looks like it should work but I'm not seeing any need to run gcloud on machine A. See the following ... blog.devolutions.net/2017/3/what-is-reverse-ssh-port-forwarding Your initial goal seems to be to ssh into the GCP Compute Engine (CE) using native ssh ... see cloud.google.com/compute/docs/instances/connecting-advanced – Dispersal
It works to the point where I can ssh into the tunnel machine that has been created by machine A. But from there, I don't know how to then ssh into machine A. I guess I am missing that last ssh command, or that setting up the tunnel needs other flags/parameters. – Magnien
It looks like this is the key ... blog.devolutions.net/2017/3/what-is-reverse-ssh-port-forwarding If I am reading this correctly, from machine A you would SSH into the CE at GCP using the special flags. This would then cause the SSH on the CE to start listening on a local port. You would then login to the CE and execute a local SSH on the CE which would then use the existing connection set up by the first command. – Dispersal
Following your last update .... it looks like if you login to your CE, you should then be able to run ssh -p 2210 username@localhost where the username is the username on machine A – Dispersal
Thanks @Dispersal, do I need to change any parameters above in my question, or simply issue the two gcloud commands, then do ssh -p 2210 username@localhost in the GCP instance? – Magnien
I didn't understand your scenario completely, but I believe this might help you. – Sandell
Thanks for the link @Sandell. It could be that the final ssh command, the one that will allow me to connect to machine A from a running GCP instance, requires special credentials like the ones explained in the link you provide. Having read through it, the examples are always about connecting to the GCP instance when they don't have a name, rather than connecting to machine A from a running ssh connection of the GCP instance. Maybe the last command I need is really easy and I am missing the point somewhere. – Magnien
I added a diagram to explain what I am trying to achieve. – Magnien

0) Create an instance on GCP with a command like:

gcloud compute instances create --zone us-west1-a tunnel

0b) Click on the 'SSH' link on https://console.cloud.google.com/compute/instances to open a browser window.

0c) On the browser window, edit the sshd_config file to enable GatewayPorts yes.

0d) Set up gcloud CLI and connect the first time as shown below:

gcloud compute ssh --zone us-west1-a tunnel

This will create the ssh keys in $HOME/.ssh/google_compute_engine. Disconnect from it. Now that the keys are created, follow the next steps.

1) To establish forwarding from GCE to machine A: run following on machine A:

ssh -i ~/.ssh/google_compute_engine -o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o StrictHostKeyChecking=no -f -N -R 2022:*:22 gce_user@gce_address

2) Now, to connect to machine A from your laptop, you can use the browser window with the GCP instance and do:

ssh -p 2022 A_machine_user@localhost

This should then ask for the password on A_machine_user and connect you to machine A.

Stagey answered 17/10, 2019 at 11:57 Comment(2)
I will try @konstantin-svintsov. How do I get the gce_address from a running ssh session of the tunnel GCE machine? And how do I enable GatewayPorts on the GCE sshd configuration? Is that a flag on the gcloud compute instances create command or the gcloud compute ssh command? Thanks in advance. – Magnien
* The sshd_config is located in /etc/ssh/sshd_config
* gce_user - I managed to create a new user only for this and add the public ssh key to the ssh keys in VM instance details.
* I had to expose the new port using firewall settings: docs.bitnami.com/google/faq/administration/use-firewall – Briar
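As an added example that is not part of Stagey's answer or of the comments above: the same reverse tunnel written as a small POSIX shell script that builds the two ssh commands and reads the effective GatewayPorts value from an sshd_config. gce_user, gce_address, A_machine_user and port 2022 are the placeholders from the answer; the loopback bind, the ExitOnForwardFailure and ServerAlive options and the -J jump from the laptop are my additions, not anything the answer prescribes. For the question's own attempt, note that gcloud compute ssh ... -D localhost:2210 opens a SOCKS proxy on machine A (a local dynamic forward), so nothing listens on port 2210 on the GCE side; the reverse direction needs -R, as in the answer.

```shell
#!/bin/sh
# Added example (not from the answer above): the reverse tunnel with the
# forwarded port bound to loopback on the GCE side, so machine A's sshd is
# reachable only by someone already logged in to the GCE instance (or jumping
# through it), and no GatewayPorts or firewall change is needed.
# gce_user, gce_address, A_machine_user and the port number are placeholders.

# Command to run on machine A. Compared with the answer's "-R 2022:*:22":
#  - "127.0.0.1:PORT" binds the listener to the GCE instance's loopback only;
#    "*" binds every interface (needs GatewayPorts yes) and exposes machine A's
#    sshd on PORT to whatever the GCE firewall lets through.
#  - ExitOnForwardFailure makes ssh fail loudly if PORT is already taken
#    instead of leaving a session with no working forward.
#  - ServerAlive* tears the session down when the campus network drops it, so
#    a re-run does not collide with a half-dead tunnel still holding PORT.
#  - Host key checking is left at its default: the GCE host key only has to be
#    accepted once, and disabling it hides a man-in-the-middle on that hop.
build_tunnel_cmd() {
  port="$1"; gce_user="$2"; gce_host="$3"
  # Accept only an unprivileged port number; anything else is a typo.
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
  printf 'ssh -i ~/.ssh/google_compute_engine -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -N -R 127.0.0.1:%s:localhost:22 %s@%s\n' \
    "$port" "$gce_user" "$gce_host"
}

# Command to run from the laptop (OpenSSH 7.3 or newer for -J): hop through the
# GCE instance, then connect to the loopback-bound port from inside it. The
# answer's "ssh -p PORT A_machine_user@localhost" in the browser SSH window
# keeps working as well.
build_laptop_cmd() {
  port="$1"; gce_user="$2"; gce_host="$3"; a_user="$4"
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  printf 'ssh -J %s@%s -p %s %s@localhost\n' "$gce_user" "$gce_host" "$port" "$a_user"
}

# Report the effective GatewayPorts value of an sshd_config read on stdin.
# sshd honours the first uncommented occurrence; the default is "no".
# Run it on the GCE instance to confirm the listener is not being widened:
#   gatewayports_setting < /etc/ssh/sshd_config
gatewayports_setting() {
  awk 'tolower($1) == "gatewayports" && v == "" { v = tolower($2) }
       END { if (v == "") v = "no"; print v }'
}

# Stand-alone run: print both commands for the placeholder names.
build_tunnel_cmd 2022 gce_user gce_address
build_laptop_cmd 2022 gce_user gce_address A_machine_user
```

With the listener on loopback, the firewall rule mentioned in the last comment is not needed; the only thing a remote party can reach is the GCE instance's own sshd, and the hop to machine A still requires a login on the GCE instance plus machine A's own credentials.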

I am not 100% sure that I got your exact question, but as far as I understood, creating a VPN should be the best solution for you. It is the best and safest way of connecting your GCE instance with machine A.

You can find here a discussion on the same kind of implementation.

Another option, in the same spirit, is to use a Virtual Private Server like OpenSSH on Machine A. Here there is a guide on how to implement that using a Virtual Private Server like OpenSSH and how to configure it.

Brobdingnagian answered 16/10, 2019 at 13:13 Comment(0)