
Accessing systems remotely through ssh jumpserver

Remote access to our machines, which often sit behind firewalls or on mobile networks, can be challenging. VPNs are commonly used, but for shell access and port forwarding there is a simpler solution that does not rely on third parties: a jump server self-hosted on your own VPS can serve as a secure gateway to machines on different networks.

In this guide we walk through setting up a jump server, configuring a reverse SSH tunnel, and managing your remote systems, without the need for costly services.

Warning

This is an advanced level guide, requiring multiple steps and manual configuration. You should understand what the commands do and not just blindly copy-paste them. If you don't understand what is happening here, you are probably better off using more user-friendly solutions provided by third parties, like Zerotier or Teleport.

Summary

    flowchart LR
        subgraph Internet[VPS]
            B[Jump Server]
        end

        subgraph Local_Network[Client Network]
            A[Client Machine]
        end

        subgraph Robot_Network[Robot Network]
            C[Target Machine]
        end

        C -->|1 Logs into| B
        A -->|2 Logs into| B
        B -->|3 Forwards to| C

  • Jump Server: Acts as the gateway for secure access, handling authentication.
  • Target Machine: Maintains a reverse SSH tunnel using autossh.
  • Client Machine: Uses a convenient SSH configuration to access the target machine via the jump server.

Note

During setup you need access from the client to both the target and the jump server over the local network, since the tunnel does not exist yet.

Step 1: Configure Jump Server

  1. Create a dedicated user for tunneling purposes:

    sudo adduser --disabled-password --gecos "" tunnel_user

  2. Update the SSH configuration to allow forwarding and restrict the tunnel user. Edit /etc/ssh/sshd_config and add the following:

    AllowTcpForwarding yes
    # reverse-forwarded ports bind to the jump server's loopback only
    GatewayPorts no
    PermitTunnel no
    # Match must come after all global directives: everything below it
    # applies only to tunnel_user (until the next Match)
    Match User tunnel_user
        # no shell or command for this user, only port forwards
        ForceCommand /bin/false
        PermitTunnel yes
        X11Forwarding no
        AllowAgentForwarding no

  3. Restart the SSH service for the changes to take effect:

    sudo systemctl restart sshd

  4. Set proper permissions on tunnel_user's key files (the .ssh directory and authorized_keys are created when the target's key is added in Step 2, so run this after that):

    sudo chown -R tunnel_user:tunnel_user /home/tunnel_user/.ssh
    sudo chmod 700 /home/tunnel_user/.ssh
    sudo chmod 600 /home/tunnel_user/.ssh/authorized_keys


Step 2: Configure Target Machine

Tip

These steps can be automated with setup_jump_target.sh script.

  1. Download it with wget, chmod +x it and run it on the target.
  2. On the VPS, switch to tunnel_user (sudo su - tunnel_user) and add the target's public key to ~/.ssh/authorized_keys.
  3. Start the reverse-tunnel service on the target and inspect the ports in use.

Install autossh

    sudo apt update && sudo apt install autossh

Generate SSH Key Pair for tunneling:

    # press Enter at the passphrase prompt: the tunnel service runs unattended
    ssh-keygen -t rsa -b 4096 -C "target_machine@example.com" -f ~/.ssh/id_rsa_tunnel

Configure jumpserver login

Add this to `~/.ssh/config` on the target:

    Host jumpserver
        HostName my.vps.org
        User tunnel_user
        # the key generated above for the tunnel
        IdentityFile ~/.ssh/id_rsa_tunnel
        # use the correct ssh port of the vps
        Port 12345

    Host *
        ServerAliveInterval 60
        ServerAliveCountMax 10

Create Reverse Tunnel Script (reverse_tunnel.sh):

    #!/bin/bash
    # each target needs its own MACHINE_NR so the ports on the jump server do not collide
    MACHINE_NR=0  # used for port number calculation
    SSH_PORT=$((22022+MACHINE_NR))  # set base port as you like
    CHK_PORT=$((61000+MACHINE_NR))  # set base port as you like (autossh's monitor also uses the next port)
    # exec so systemd supervises autossh itself; ExitOnForwardFailure makes ssh
    # exit (and autossh/systemd retry) instead of staying up without the -R forward
    exec autossh -M "$CHK_PORT" -N -o ExitOnForwardFailure=yes \
        -R "$SSH_PORT:localhost:22" jumpserver

Create Systemd Service (/etc/systemd/system/reverse-tunnel.service) to keep the tunnel active:

Note

Make sure you use the correct username; in this example it is pi.

    [Unit]
    Description=Reverse SSH Tunnel
    After=network-online.target
    Wants=network-online.target

    [Service]
    # the script must be executable (chmod +x /home/pi/reverse_tunnel.sh)
    ExecStart=/home/pi/reverse_tunnel.sh
    Restart=always
    RestartSec=60
    User=pi

    [Install]
    WantedBy=multi-user.target

Add ssh key to jump server

On the VPS, switch to tunnel_user (sudo su - tunnel_user) and add the target's public key (~/.ssh/id_rsa_tunnel.pub on the target) to ~/.ssh/authorized_keys.

Enable and Start the Service:

    sudo systemctl daemon-reload
    sudo systemctl enable reverse-tunnel.service
    sudo systemctl start reverse-tunnel.service
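To confirm on the VPS that the Match block is in effect and that the target's reverse port listens on loopback only, here is an added check script (example code, not part of the original guide or of setup_jump_target.sh). It assumes tunnel_user and port 22022 from above and takes the output of `sudo sshd -T -C user=tunnel_user` and `ss -H -tln` as arguments, so it can also be run against saved output:

```shell
#!/usr/bin/env bash
# Added verification helpers for the jump server (not from the original guide).
# Usage on the VPS, after the target's reverse-tunnel service has started:
#   check_sshd_effective "$(sudo sshd -T -C user=tunnel_user)"
#   check_tunnel_port 22022 "$(ss -H -tln)"
# Both return 0 on success and print the problem to stderr otherwise.

# Effective sshd settings for tunnel_user once the Match block is applied:
# TCP forwards allowed, but no shell/command, agent, X11 or public (gateway) ports.
check_sshd_effective() {
    local dump="$1" pair key want got
    for pair in allowtcpforwarding=yes gatewayports=no forcecommand=/bin/false \
                x11forwarding=no allowagentforwarding=no; do
        key=${pair%%=*}
        want=${pair#*=}
        # sshd -T prints lowercase keywords, one "keyword value" pair per line
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2 }')
        if [ "$got" != "$want" ]; then
            echo "sshd: $key is '${got:-unset}', expected '$want'" >&2
            return 1
        fi
    done
    return 0
}

# A reverse-tunnel port must be listening, and only on a loopback address.
# With GatewayPorts no that is what sshd does; a 0.0.0.0, * or [::] bind would
# expose the target's sshd to the internet through the VPS.
check_tunnel_port() {
    local port="$1" listing="$2" addrs
    # ss -H -tln columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
    addrs=$(printf '%s\n' "$listing" | awk -v p="$port" \
        '$1 == "LISTEN" && $4 ~ (":" p "$") { print $4 }')
    if [ -z "$addrs" ]; then
        echo "port $port: nothing is listening (tunnel down?)" >&2
        return 1
    fi
    case "$addrs" in
        *0.0.0.0:*|*'*:'*|*'[::]:'*)
            echo "port $port: bound to a public address: $addrs" >&2
            return 2 ;;
    esac
    return 0
}
```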

Step 3: Configure Client Machine

  1. Generate SSH Key Pair for Client Access:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f ~/.ssh/id_rsa_jump
    

  2. Edit SSH Configuration (~/.ssh/config) to simplify access:

    Host jumpserver
        HostName my.vps.org
        User tunnel_user
        IdentityFile ~/.ssh/id_rsa_jump
        # use the correct ssh port of the vps
        Port 12345

    Host target-machine
        # localhost here is the jump server's loopback, where the reverse tunnel listens
        HostName localhost
        User pi
        # replace with the correct port based on the target machine number
        Port 22022
        ProxyJump jumpserver
        # example: forward the target's port 8080 to localhost:8080 on the client
        LocalForward 8080 localhost:8080
    

Usage

Now you should be able to log in to the target with `ssh target-machine`.