How can I browse work machines (i.e. behind a firewall) from home?

2

1

From home I would like to browse my intranet at work where I have a Linux box, which I will call "W", i.e. W.workdomain.com.

My router at home closes port 22 but maps port 2222 to port 22 on my server "S" which resolves to mydomain.org.

My main machine at home, "M", is where I do my work from home. I thought this might work:

W: $ ssh -g -D 6666 -p 2222 mylogin@mydomain.org

On M I tell Firefox that S:6666 is the proxy for all sites like *.workdomain.com.

So far my browser on M cannot find the intranet web sites with this scheme.

How do I make this work? What can I use to debug this?

Note: I asked this on serverfault where it was off-topic. Hopefully this is on-topic here.

John Schmitt

Posted 2013-02-02T03:52:48.610

Reputation: 427

You should clarify the sentence "So far my browser on M cannot find the intranet web sites with this scheme," to indicate whether they cannot find the sites (in which case look at DNS issues) or cannot ping the sites (by IP address) (in which case, look to network issues.) – Michael McNally – 2013-02-02T04:15:07.400

I think if you "tell firefox" about a proxy it is expecting an HTTP proxy server. I don't think you have that. You probably want an SSH tunnel, and you might have to add a static route to home. – Keith – 2013-02-02T05:52:23.690

Why don't you ask whoever manages your network to help you with this? Most system administrators I know would be none too happy if someone decided to set up their own VPN/Reverse Proxy/SSH tunnel into their network. – ta.speot.is – 2013-02-02T09:11:11.950

^ that. Your office might have a relatively trouble free, official, and approved VPN system you might be able to use. – Journeyman Geek – 2013-02-02T09:52:42.767

Answers

3

It appears to me you want to set up something like a reverse SOCKS proxy. This is not directly supported by one ssh client. Instead you may start 2 of them:

W: $ ssh -N -R 1234:localhost:22 -p 2222 mylogin@mydomain.org

This will establish a listening port 1234 on S which gets forwarded to the standard sshd port on W.

S: $ ssh -N -g -D 6666 -p 1234 localhost

This will set up the SOCKS proxy with gateway port 6666 using the reverse tunnel above.

Your browser(s) anywhere in your home network should then point to S:6666. Be aware that some browsers don't support DNS over SOCKS.

sparkie

Posted 2013-02-02T03:52:48.610

Reputation: 2 110

This worked and helped me understand what was going on, thank you. I appreciate all the advice from everyone about getting a proper VPN, but this was more about learning than just the end goal. I wish I could up-vote you further, @sparkie. – John Schmitt – 2013-02-02T19:29:51.513
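
Added example (not part of sparkie's answer): a check to run on S that shows which forwarded ssh ports are reachable from other hosts, which is what -g does to port 6666 above, while the -R port 1234 stays on loopback. The function names, the sample ss output and its PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list forwarded ssh ports on S that are reachable from other hosts.
# "-g" binds the SOCKS port to every interface, and the SOCKS listener itself
# does not authenticate clients.

# Constructed sample of `ss -tlnp` output on S (PIDs and layout are made up).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:1234     0.0.0.0:*         users:(("sshd",pid=4100,fd=9))
LISTEN 0      128    0.0.0.0:6666       0.0.0.0:*         users:(("ssh",pid=4242,fd=4))
LISTEN 0      128    [::]:6666          [::]:*            users:(("ssh",pid=4242,fd=5))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=900,fd=6))
EOF
}

# Reads ss lines on stdin; $1 is the port sshd itself listens on (default 22).
# Prints "port address process" for each ssh/sshd listener not on loopback.
exposed_ssh_listeners() {
    awk -v sshd_port="${1:-22}" '
        $1 == "LISTEN" && /users:\(\("sshd?"/ {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            proc = ($0 ~ /\("sshd"/) ? "sshd" : "ssh"
            if (addr ~ /^127\./ || addr == "[::1]") next    # loopback only
            if (proc == "sshd" && port == sshd_port) next   # the daemon itself
            print port, addr, proc
        }'
}

# Live use on S (process names for other users need root):
#   ss -H -tlnp | exposed_ssh_listeners 22
sample_ss_output | exposed_ssh_listeners 22
```

Binding the proxy to a single LAN address with -D bind_address:6666 instead of -g narrows who can reach it.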

3

Go to your network administrator. Tell him you want access.

Depending on the situation (s)he will either:

  • Say "no". In which case: do not try this unless you like risking getting fired.
  • Or (s)he will tell you how to do it. Possibly by pointing you at the right DNS/HOST entries to get from your home to the 'normal IP' network at work.
  • Or, assuming work uses an ugly kludge like NAT, (s)he can point you to a VPN solution. (Feel free to check the intranet, it might already have an IT section which explains exactly this and already has links to all needed files).

Hennes

Posted 2013-02-02T03:52:48.610

Reputation: 60 739

0

If you set up some kind of VPN you can access the machines at work.

vonbrand

Posted 2013-02-02T03:52:48.610

Reputation: 2 083