Set up direct SSH connection from A to C without public IPs using one public SSH server


I have available these SSH servers/clients:

A - without public IP

B - public IP

C - without public IP

I know I can establish an SSH connection from A to C as follows:

1) Hook C to B. From C, run:

ssh -R 10100:localhost:22 B_IP

2) Set up port forwarding from A to C through the hook on B, so that I can use ssh-agent on machine A:

ssh -L 5000:localhost:10100 B_IP

3) Now I can use my ssh keys to "directly" access C from A:

ssh -p 5000 localhost

... my point is:

Can I somehow establish a new "pure" connection from A to C, so that after machine B goes down I can continue my work?

I think it should be possible as long as these two computers realise they already share a connection, or am I wrong?

Thanks for your time & ideas :)

jirislav

Posted 2015-10-12T22:53:04.893

Reputation: 103
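The three commands above work, and two properties of the setup are worth making explicit. The inner SSH session in step 3 runs end to end between A and C: sshd on B only relays TCP bytes for the two forwards, so B sees ciphertext and never needs agent forwarding or any of A's keys. And because B sits in the path, the host-key check on A is the only thing that stops a hostile B from answering on port 10100 with its own sshd; `ssh -p 5000 localhost` stores C's key under `[localhost]:5000`, which is a poor name to pin against. The `~/.ssh/config` below is an added example, not part of the original question, that collapses steps 2 and 3 into a ProxyJump and pins C's key under a stable alias. The ports 10100 and 5000 and the names A, B, C and B_IP are the question's; the user name, key-file paths and the `B-relay` alias are assumptions.

```sshconfig
# Added example, not from the original post. Ports and host names follow
# the question; user, IdentityFile paths and the "B-relay" alias are assumed.

# ---- on A: ~/.ssh/config ----

# The public relay, reached directly.
Host B
    HostName B_IP
    # assumed user name
    User jirislav
    # assumed key path; IdentitiesOnly keeps the agent from offering every key
    IdentityFile ~/.ssh/id_ed25519_b
    IdentitiesOnly yes
    # notice a dead relay within ~90 s instead of hanging
    ServerAliveInterval 30
    ServerAliveCountMax 3

# C, reached through B. Equivalent to "-L 5000:localhost:10100 B_IP" followed
# by "ssh -p 5000 localhost", but in one command. "localhost" here is resolved
# on B, because ProxyJump runs "ssh -W localhost:10100 B" under the hood.
# ProxyJump needs OpenSSH 7.3 or newer; on older clients replace it with
#     ProxyCommand ssh -W %h:%p B
Host C
    HostName localhost
    Port 10100
    ProxyJump B
    # pin C's host key under "C" rather than "[localhost]:10100"; this check
    # is what protects A if B is compromised and answers on 10100 itself
    HostKeyAlias C
    # not needed: key authentication terminates on C, not on B
    ForwardAgent no
    IdentityFile ~/.ssh/id_ed25519_c
    IdentitiesOnly yes

# ---- on C: ~/.ssh/config (replaces "ssh -R 10100:localhost:22 B_IP") ----

Host B-relay
    HostName B_IP
    User jirislav
    IdentityFile ~/.ssh/id_ed25519_b
    # sshd on B binds this port to its loopback by default (GatewayPorts no),
    # so 10100 is reachable only from processes running on B
    RemoteForward 10100 localhost:22
    # fail instead of silently running without the forward if 10100 is taken
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

On C run `ssh -N B-relay` (under autossh or a supervisor if it should reconnect); on A run `ssh C`, accept C's key once, and it is recorded as `C`. Nothing here changes the question's core constraint: every byte still transits B, and when B goes down the underlying TCP connections die with it.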

Answers


  • The usual method is to set up "NAT port forwarding" on A's or C's router. (How it's done depends on router, but there are instructions everywhere.) Once you do that, you can connect to C-router's public address + the "forwarded" port, and the connection will go through to C.

    (Note: NAT port-forwarding and SSH port-forwarding are similar but distinct things, like a hammer and a screwdriver. Do not confuse them.)

  • If you do not have administrative access to either router, you could try using UPnP or NAT-PMP to set up a port forwarding rule, as many games and P2P programs do. For this, use the upnpc or natpmpc commands.

  • If neither of the above methods works, you will need some form of NAT hole-punching. (See also the TCP and ICMP hole-punching articles.)

    Unfortunately, while it's widely used in various specific programs, there don't seem to be many generic tools for TCP, though chownat may work.

user1686

Posted 2015-10-12T22:53:04.893

Reputation: 283 655

Well, the first solution was already obvious to me, but I don't have a public IP on my router ... about the second solution - I'm now about to try it out, so I'll report back - but I'd like to make something clear to me - is it possible to communicate from A to C using UPnP or NAT-PMP without any public server I have access to? ... and honestly the third solution seems the most attractive to me, so I can't wait to try it out :) – jirislav – 2015-10-13T14:22:25.490


This is probably impossible unless you can do some kind of port forwarding on the routers - but in this case you don't need computer C at all.

The thing is that in your example you are not going directly from A -> C, the packets are all still traversing B.

If you have another computer with a public address on it, you can probably set up a VPN in a star topology, and use routing between the VPNs to create a virtual network where either of the public hosts can fall over and things can continue to work. I've done this with OpenVPN - there are a few gotchas - one important one being disabling Reverse Path Filtering.

davidgo

Posted 2015-10-12T22:53:04.893

Reputation: 49 152

It's technically possible, if both hosts can cooperate (e.g. by using STUN, or perhaps using lesser-known TCP features). – user1686 – 2015-10-13T05:27:28.383

@grawity - I thought about that initially, however this still requires a connection to the external address of the other device, which requires port-forwarding. (I suspect you know STUN is a way of exposing a public IP address from behind NAT). The thing is that as the IP address is changing between NAT and non-NAT I don't see how an SSH client can continue to allow a connection, as it would be a security risk [ ie a MITM could take over the connection more easily ], and surely the TCP session must die also. That's the reason I came up with a VPN based solution...cont – davidgo – 2015-10-13T05:35:30.287

That's the reason I postulated a VPN based solution - it abstracts the IP address and allows routing across a virtual connection - but unless you can get the VPN pinholed or running on the routers you still have the problem of how the VPN endpoints can see each other. It might be possible to allow VPN endpoints to "float" and not check the actual underlying IP addresses, but you would still need to get the pinholing working to detect the session mid-way, and I can think of no way to do that. – davidgo – 2015-10-13T05:38:00.143

Ah yes, I mistook SIP's NAT traversal features as being part of STUN. – user1686 – 2015-10-13T05:39:48.700

Well, thanks for your nice workaround, but still - let's assume I want to have a connection established between A & C even after all the public servers available to me go down - your solution does not appear to match this condition to me – jirislav – 2015-10-13T14:17:58.790

@jirislav - Can't be done with conventional IPV4 equipment. (Read my discussion with Grawity for my machinations as to why) – davidgo – 2015-10-13T18:13:08.307

@davidgo - I'm not sure I understood your solution - you propose to create VPN servers on each of A, B & C, right? Then somehow create a direct route from A to C so that B can go down, right? Will this work even if A & B are behind NATs? – jirislav – 2015-10-14T11:02:04.863

No. There is no answer that will let you communicate between A and C over SSH without a publicly reachable endpoint to route traffic through, unless you can make changes to the routers (eg run VPNs on them or possibly port forwarding) or A and C are in the same network. – davidgo – 2015-10-14T17:52:28.300