User transparent SSH multihop


What I have is the same as this question SSH tunnel through two servers to access a web service on port 9091 (mainly because I asked that question).

But the difference now is that I'm accessing it from a Chromebook, which cannot use ProxyCommand. All it has is the base NaCl shell running in a sandboxed Chrome tab.

So a review from my previous question:

I got 3 machines:

  • remotePi (raspberry PI, somewhere in the world)
  • localPi (another raspberry PI, in my local network, I have full access to it, including root, no monitor, no kb, running as headless server)
  • Chromebook (my local machine, which is a Chromebook on the same local network as localPi, limited but does have the SSH as per links above).

remotePi has a constant SSH tunnel to localPi; it does this by calling the following command:

ssh -N -R 16864:localhost:22 -p 2222 <user_on_lan>@<external_lan_ip>

I can access remotePi terminal by doing

Chromebook> ssh <user_on_localPi>@<localPI_ip>
localPi> ssh -l <user_on_remotePi> -p 16864 localhost

And in remotePi I have a daemon service (web interface) listening on 9091.

A "drawing" of everything:

                                   16864:tunnel:22   9091:service
Chromebook <--local_net--> localPi  <--internet-->  remotePi

So what I need is:

Access the daemon service web interface in remotePi by calling on my Chromebook browser 127.0.0.1:9091/web/

On my previous computer (shown in the linked question, an Ubuntu laptop) I was doing it by using ProxyCommand in my config and calling ssh -L9091:localhost:9091 user_on_remotePi@remotePi -N, but now I'm on a Chromebook that can't use it, and I believe there must be a way to do it anyway.

So I was wondering about 2 possible solutions:

  1. some very clever and long SSH command that will "replace" what the ProxyCommand was doing. I always see this on tutorials like that LINK but it always relies on host name, I only have the port 16864 to connect to.

  2. (preferred) add some magic to the localPi SSH config which will make it listen on some non-standard port (say 2222) and auto-redirect that connection to user_on_remotePi:localhost:16864. So then, when I call from Chromebook ssh user_on_localPI -p 2222 localPi_ip, then the localPi will redirect this to the correct user directly on remotePi.

As you can notice, I'm a bit of a network newbie; my main expertise is in app development, so for any help here I'll be extremely grateful.

Any ideas?

Budius

Posted 2015-06-27T11:34:30.650

Reputation: 147

Looks a bit complex for me and I'm not that familiar with ProxyCommand, but you say you have REMOTE, LAN, PC.. So is Chromebook the PC? – barlop – 2015-06-27T16:25:41.130

Yes. Chromebook is PC. Sorry, I'll edit to clarify in the question. And ProxyCommand was only useful when I was using an Ubuntu PC, now with the chromebook, that's not an option. – Budius – 2015-06-27T16:26:26.460

You could call them Pi and CB rather than calling one LAN and one PC. Both are computers and each is behind the same LAN. – barlop – 2015-06-27T16:30:01.500

So chromebook does it have ssh.exe? sshd.exe? – barlop – 2015-06-27T16:30:35.290

LAN is a raspberry PI without monitor, keyboard or mouse connected to it. So it's essentially a headless server. It's just the shell available on the Chromebook; the question includes the link to it, but I'll also add now the official FAQ with all details available about it. – Budius – 2015-06-27T16:32:21.770

So call it HeadlessPi, don't call it LAN. It's not a LAN, it's a computer on a LAN. So you have HeadlessPi, RemotePi, ChromeBook. And HeadlessPi and ChromeBook are behind the same LAN. – barlop – 2015-06-27T16:32:57.007

The NAT Router at your external LAN IP presumably port forwards to an SSH server on your headless raspberry pi on some port other than port 22, what port is that? i.e. what port does the headless pi's ssh server run on? – barlop – 2015-06-27T16:36:48.543

Hi @barlop, I was not sure what to call them when writing the question. Edited to Chromebook, localPi and remotePi, much clearer now, good suggestion. Yes, the NAT router redirects from external 2222 to localPi:22, but from my understanding that is completely transparent for the setup, and all that is necessary to complete the puzzle is the constant connection on localPI:16864 – Budius – 2015-06-27T16:45:52.527


Let us continue this discussion in chat.

– barlop – 2015-06-27T16:46:43.773

Answers


We got there in the chat.

LocalPi>ssh -L *:5678:127.0.0.1:9091  remoteuser@127.0.0.1 -p 16864

then on chromebook, http://localpi_IP:5678

So the remote pi had done an SSH -R creating port 16864 on the localpi.

He was already able to get a terminal to his raspberry pi, doing localpi>ssh remoteuser@127.0.0.1 -p 16864. We added a -L to open port 5678 on his localpi, so he can then connect from a device, e.g. chromebook, to his localpi, which goes to his remotepi, which forwards to a web server on itself/his remote pi.

So there are two ssh commands in total. The one from his remote pi to his localpi. And one from his localpi to his remotepi.

We just amended the second one, the one from his localpi to his remotepi. To tunnel to a web server on his remote pi.

It is actually tunneling through a tunnel.

barlop

Posted 2015-06-27T11:34:30.650

Reputation: 18 677

@Budius What do you use to keep the connection going? For example, suppose LocalPi restarts? And suppose RemotePi restarts? Some might use a script that runs ssh in a loop and so tries again when the connection goes. You mentioned -N; though -N would stop the shell appearing, it wouldn't keep the connection active AFAIK. – barlop – 2015-06-29T11:43:35.227

My original setup was following this: http://www.tunnelsup.com/raspberry-pi-phoning-home-using-a-reverse-remote-ssh-tunnel It's a little script that checks the connection and connects if necessary in a cron job running every 3 min. So if the connection drops or the PI reboots, it will reconnect soon after.

– Budius – 2015-06-29T11:47:56.323
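
An added example, not part of the thread and not written by either poster: the `-L *:5678:...` forward in the answer makes localPi listen on every interface, so this script classifies the tunnel ports from `ss -ltnH` output and prints the same forward bound to one address, with options that make ssh exit when the forward or the link fails so that a cron or loop wrapper like the one discussed in the comments can restart it. The LAN address 192.168.1.10 and the sample `ss` lines are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Ports are the ones in the thread: 16864 is the reverse
# tunnel from remotePi, 5678 is the -L forward to its web UI on 9091.

# classify_listeners PORTS   (stdin: output of `ss -ltnH` on localPi)
# Prints "<port> <address> <scope>" for every listener on a watched port.
classify_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # text before it
            if (!(port in watch)) next
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
            else scope = "single-address"
            print port, addr, scope
        }'
}

# exposed_ports PORTS: watched ports that any host on the LAN can reach.
exposed_ports() {
    classify_listeners "$1" | awk '$3 == "all-interfaces" { print $1 }' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# forward_cmd BIND_ADDR: the forward from the answer, bound to one address.
# ExitOnForwardFailure ends ssh if port 5678 cannot be opened; the
# ServerAlive options end it when remotePi stops answering.
forward_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L %s:5678:127.0.0.1:9091 -p 16864 remoteuser@127.0.0.1\n' "$1"
}

# Constructed sample of `ss -ltnH` on localPi with the answer's command running.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:16864 0.0.0.0:*
LISTEN 0 128 [::1]:16864 [::]:*
LISTEN 0 128 0.0.0.0:5678 0.0.0.0:*
LISTEN 0 128 [::]:5678 [::]:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners 5678,16864
echo "exposed: $(printf '%s\n' "$SAMPLE_SS" | exposed_ports 5678,16864)"
forward_cmd 192.168.1.10   # hypothetical LAN address of localPi
```

On the real machine, feed it live data with `ss -ltnH | classify_listeners 5678,16864`.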