Accessing systems remotely through ssh jumpserver
Remote access to our machines, which often sit behind firewalls or on mobile networks, can be challenging. VPNs are the usual answer, but for shell access and port forwarding there is a simpler solution that doesn't rely on third parties: a jump server self-hosted on your own VPS can serve as a secure gateway to machines across different networks.
In this guide, we’ll walk you through setting up a jump server, configuring a reverse SSH tunnel, and managing your remote systems—without the need for costly services.
Warning
This is an advanced level guide, requiring multiple steps and manual configuration. You should understand what the commands do and not just blindly copy-paste them. If you don't understand what is happening here, you are probably better off using more user-friendly solutions provided by third parties, like Zerotier or Teleport.
Summary
```mermaid
flowchart LR
    subgraph Internet[VPS]
        B[Jump Server]
    end
    subgraph Local_Network[Client Network]
        A[Client Machine]
    end
    subgraph Robot_Network[Robot Network]
        C[Target Machine]
    end
    C -->|1 Logs into| B
    A -->|2 Logs into| B
    B -->|3 Forwards to| C
```
- Jump Server: Acts as the gateway for secure access, handling authentication.
- Target Machine: Maintains a reverse SSH tunnel using autossh.
- Client Machine: Uses a convenient SSH configuration to access the target machine via the jump server.
Note
Setting up access requires access from the client to both the target and the jump server over the local network.
Step 1: Configure Jump Server
- Create a dedicated user for tunneling purposes.
- Update the SSH configuration to allow forwarding and restrict access: edit /etc/ssh/sshd_config and add the following:
- Restart the SSH service for the changes to take effect.
- Set proper permissions for the key files.
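The following script is an added example of how Step 1 can be carried out on the jump server; it is not code from the original guide. The assumptions are mine: the tunnel account is called tunnel_user, the first target uses MACHINE_NR=0 (reverse SSH port 22022, autossh monitor port 61000 on the target and 61001 on the VPS), and the VPS runs OpenSSH 7.8 or newer, which is when PermitListen appeared. The PermitListen and PermitOpen lines assume autossh's default -M layout (-L PORT:127.0.0.1:PORT+1 and -R PORT+1:127.0.0.1:PORT); if a tunnel refuses to come up, check `journalctl -u reverse-tunnel` on the target and widen those lists before loosening anything else.

```shell
#!/bin/bash
# Added example, not code from the original guide: one way to carry out Step 1
# on the jump server. Assumptions (mine, not the guide's): the tunnel account is
# tunnel_user, the first target uses MACHINE_NR=0 (reverse SSH port 22022,
# autossh monitor pair 61000/61001), and the VPS runs OpenSSH 7.8 or newer.
set -eu

TUNNEL_USER=tunnel_user
# ports the target may bind on the VPS with -R; add one pair per machine number
LISTEN_PORTS="22022 61001"
# destinations that may be opened through this sshd: the client's ProxyJump leg
# (localhost:22022) and autossh's -L monitor leg (127.0.0.1:61001)
OPEN_DESTS="localhost:22022 127.0.0.1:61001 localhost:61001"

# Print the sshd_config Match block for the tunnel account. Generating it from a
# function lets it be reviewed and tested without touching the real sshd_config.
jump_sshd_match_block() {
    cat <<EOF
# reverse-tunnel account: key auth only, TCP forwarding only, nothing else
Match User ${TUNNEL_USER}
    PasswordAuthentication no
    AllowTcpForwarding yes
    GatewayPorts no
    PermitTunnel no
    X11Forwarding no
    AllowAgentForwarding no
    # autossh -M PORT binds PORT+1 on this side, so 61000 on the target shows up here as 61001
    PermitListen ${LISTEN_PORTS}
    PermitOpen ${OPEN_DESTS}
    # optional: refuse interactive shells; ssh -N and ProxyJump still work without one
    #ForceCommand /bin/echo "tunnel account: no shell access"
EOF
}

# Apply it on the VPS (run as root). sshd -t validates the file before the
# restart so a typo cannot lock you out of the server.
apply_jump_config() {
    id "${TUNNEL_USER}" >/dev/null 2>&1 || \
        useradd --create-home --shell /bin/bash "${TUNNEL_USER}"
    grep -q "^Match User ${TUNNEL_USER}\$" /etc/ssh/sshd_config || \
        jump_sshd_match_block >> /etc/ssh/sshd_config
    /usr/sbin/sshd -t
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
    # key material for the tunnel account: directory 700, authorized_keys 600, owned by the account
    home="/home/${TUNNEL_USER}"
    install -d -m 700 -o "${TUNNEL_USER}" -g "${TUNNEL_USER}" "${home}/.ssh"
    touch "${home}/.ssh/authorized_keys"
    chown "${TUNNEL_USER}:${TUNNEL_USER}" "${home}/.ssh/authorized_keys"
    chmod 600 "${home}/.ssh/authorized_keys"
}

case "${1:-}" in
    show)  jump_sshd_match_block ;;   # print the block for review
    apply) apply_jump_config ;;       # sudo ./jump_setup.sh apply
esac
```

Running the script with `show` prints the block so it can be reviewed before `apply` appends it; Match blocks must come after the global directives, which is why it is appended rather than inserted.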
Step 2: Configure Target Machine
Tip
These steps can be automated with the setup_jump_target.sh script: wget it, chmod +x it and run it on the target.
- on the vps, switch to tunnel_user (sudo su - tunnel_user) and add the target public key to ~/.ssh/authorized_keys
- start the reverse-tunnel service on the target and inspect the used ports
Install autossh
```
sudo apt update && sudo apt install -y autossh
```
Generate SSH Key Pair for tunneling:
Configure jumpserver login
add this to `~/.ssh/config`:
```
Host jumpserver
    HostName my.vps.org
    User tunnel_user
    IdentityFile ~/.ssh/id_rsa_jump
    # use the correct ssh port on the vps
    Port 12345
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 10
```
Create Reverse Tunnel Script (reverse_tunnel.sh):
```bash
#!/bin/bash
MACHINE_NR=0                       # used for port number calculation
SSH_PORT=$((22022 + MACHINE_NR))   # set base port as you like
CHK_PORT=$((61000 + MACHINE_NR))   # set base port as you like; autossh also binds CHK_PORT+1 on the vps
# exec lets systemd supervise autossh directly; ExitOnForwardFailure makes ssh quit
# when the remote port cannot be bound, so autossh reconnects instead of holding a
# connection without a working forward
exec autossh -M "$CHK_PORT" -N -o ExitOnForwardFailure=yes -R "$SSH_PORT:localhost:22" jumpserver
```
Create Systemd Service (/etc/systemd/system/reverse-tunnel.service) to keep the tunnel active:
Note
Make sure that you use the correct username, in this case pi.
```ini
[Unit]
Description=Reverse SSH Tunnel
After=network-online.target
Wants=network-online.target
[Service]
ExecStart=/home/pi/reverse_tunnel.sh
Restart=always
RestartSec=60
User=pi
[Install]
WantedBy=multi-user.target
```
Add ssh key to jump server
On the vps, switch to tunnel_user (sudo su - tunnel_user) and add the target public key to ~/.ssh/authorized_keys.
Enable and Start the Service:
```
sudo systemctl daemon-reload
sudo systemctl enable reverse-tunnel.service
sudo systemctl start reverse-tunnel.service
```
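To check that the target side came up as intended (the "inspect used ports" step in the tip above), here is an added helper that is not part of the original guide. It reuses the guide's port scheme from reverse_tunnel.sh (22022+N for the reverse SSH port, 61000+N for the autossh monitor port) and assumes the unit is named reverse-tunnel.service as in this step; the third port it prints, 61001+N, is the monitor port autossh binds on the VPS side, which is the number to look for there.

```shell
#!/bin/bash
# Added example, not part of the original guide: pre-flight and status checks
# for the target machine. Port scheme taken from the guide's reverse_tunnel.sh;
# the service name reverse-tunnel.service is the one from Step 2.
# Usage: ./check_tunnel.sh status [MACHINE_NR]   or   ./check_tunnel.sh ports [MACHINE_NR]
set -u

# autossh -M PORT uses PORT on the target and PORT+1 on the jump server, so the
# third value is what appears in `ss -ltn` on the VPS.
tunnel_ports() {
    local n="$1"
    printf '%s %s %s\n' $((22022 + n)) $((61000 + n)) $((61001 + n))
}

# Accept only small non-negative integers so the port arithmetic stays valid
# (22022+n and 61001+n must remain below 65536 and clear of other services).
check_machine_nr() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 999 ]
}

# Report what the tunnel for machine N should look like and whether it is up.
tunnel_status() {
    local n="${1:-0}"
    check_machine_nr "$n" || { echo "bad MACHINE_NR: $n" >&2; return 1; }
    set -- $(tunnel_ports "$n")
    local ssh_port="$1" chk_port="$2" remote_chk="$3"
    echo "machine $n -> reverse port $ssh_port, monitor $chk_port (on the vps: $remote_chk)"
    # local sshd must be listening for the -R ...:localhost:22 leg to work
    if ss -ltn | grep -q ':22 '; then
        echo "ok: local sshd listening on port 22"
    else
        echo "fail: nothing listening on local port 22"
    fi
    # autossh binds its monitor port locally once the connection is established
    if ss -ltn | grep -q ":$chk_port "; then
        echo "ok: autossh monitor port $chk_port bound"
    else
        echo "warn: monitor port $chk_port not bound (tunnel not established yet?)"
    fi
    if systemctl is-active --quiet reverse-tunnel.service; then
        echo "ok: reverse-tunnel.service active"
    else
        echo "fail: reverse-tunnel.service not active; see: journalctl -u reverse-tunnel.service"
    fi
    echo "on the vps, confirm with: sudo ss -ltnp | grep -E ':($ssh_port|$remote_chk) '"
}

case "${1:-}" in
    status) tunnel_status "${2:-0}" ;;
    ports)  tunnel_ports "${2:-0}" ;;
esac
```

Because each machine number shifts both the reverse port and the monitor pair by one, machines 0 and 1 bind 61001 and 61002 on the VPS respectively, so consecutive numbers do not collide; the check above only guards against numbers that would push the ports out of range.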
Step 3: Configure Client Machine
- Generate SSH Key Pair for Client Access:
- Edit SSH Configuration (~/.ssh/config) to simplify access:
```
Host jumpserver
    HostName my.vps.org
    User tunnel_user
    IdentityFile ~/.ssh/id_rsa_jump
    # use the correct ssh port on the vps
    Port 12345
Host target-machine
    HostName localhost
    User pi
    # replace with the correct port based on the target machine number
    Port 22022
    ProxyJump jumpserver
    # example: forward the remote port 8080 to localhost:8080
    LocalForward 8080 localhost:8080
```
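Once more than one target hangs off the jump server, the client config above is easier to generate than to maintain by hand. The script below is an added example, not the guide's own code: it emits a jumpserver block plus one target block per machine number using the guide's port scheme (22022+N), and verifies the result offline with `ssh -G`, which prints the settings ssh would use for an alias without connecting. Assumed values, all mine: VPS my.vps.org on port 12345, key ~/.ssh/id_rsa_jump, target user pi, and host aliases target-0, target-1, ... in place of the guide's single target-machine.

```shell
#!/bin/bash
# Added example, not code from the original guide: generate the Step 3 client
# config for several targets and verify it with `ssh -G`. Assumed values:
# my.vps.org:12345, ~/.ssh/id_rsa_jump, target user pi, aliases target-N.
# Usage: ./client_config.sh keygen | write 0 1 2 | check
set -eu

JUMP_HOST=my.vps.org
JUMP_PORT=12345
JUMP_USER=tunnel_user
JUMP_KEY='~/.ssh/id_rsa_jump'      # ssh expands ~ in IdentityFile itself
TARGET_USER=pi

# Emit a complete ~/.ssh/config fragment: the jumpserver block followed by one
# target-N block for every machine number passed as an argument.
client_ssh_config() {
    printf 'Host jumpserver\n'
    printf '    HostName %s\n    User %s\n    IdentityFile %s\n    Port %s\n' \
        "$JUMP_HOST" "$JUMP_USER" "$JUMP_KEY" "$JUMP_PORT"
    # the tunnel account never needs our agent; keep it off the VPS
    printf '    ForwardAgent no\n\n'
    for n in "$@"; do
        printf 'Host target-%s\n' "$n"
        printf '    HostName localhost\n    User %s\n    Port %s\n' \
            "$TARGET_USER" $((22022 + n))
        printf '    ProxyJump jumpserver\n'
        # known_hosts would otherwise key every target on [localhost]:PORT, which
        # changes if a machine is renumbered; pin the host key under the alias instead
        printf '    HostKeyAlias target-%s\n\n' "$n"
    done
}

# Resolve the effective settings for an alias without connecting. Skipped when
# ssh is not installed so the generator can still be exercised on its own.
verify_client_config() {
    local cfg="$1" alias="$2"
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed, skipping check" >&2; return 0; }
    ssh -G -F "$cfg" "$alias" | grep -E '^(hostname|user|port|proxyjump|hostkeyalias) '
}

case "${1:-}" in
    keygen)
        # same file name the guide's IdentityFile line refers to; the comment
        # makes the key recognisable in authorized_keys on the VPS
        ssh-keygen -t rsa -b 4096 -f "$HOME/.ssh/id_rsa_jump" -C "client->jumpserver" ;;
    write)
        shift
        client_ssh_config "$@" > "$HOME/.ssh/config.jump"
        echo "written to ~/.ssh/config.jump; review it, then append it to ~/.ssh/config" ;;
    check)
        tmp=$(mktemp)
        client_ssh_config 0 3 > "$tmp"
        verify_client_config "$tmp" target-3
        rm -f "$tmp" ;;
esac
```

`check` should print `port 22025`, `proxyjump jumpserver` and `hostname localhost` for target-3; if ProxyJump is missing from that output the fragment was not picked up, and ssh would try to reach localhost directly.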
Usage
Now you should be able to log in to the target with `ssh target-machine`.