//Haxk20 going nuts almost while being angry at ISP
I know i know this is not a place to ask this but well F it. We have many network admins here.

So the situation:
I have server at home i would like to SSH to from anywhere.
I have private WAN IP tho. (No buying public IP is not an option. The price is ridicilous. Like we are talking almost twice my monthly internet cost)

What i do have is an VPS set up as VPN.

So i was thinking if connecting server (Not router) to the VPN and then connect my laptop or any machine technically to the same VPN and somehow SSH into it.

Is this possible ?
If so could anyone provide some way of how to set it up ?
If not could you explain why not ? (Well if its not gonna work i want to know why)

  • 4
    Well that is what vpns are made for. It's a virtual private network. But be careful because everything else will go back to your vps since it's the router of the network. Why not set up something like serveo on the vps?
  • 1
    @ilikeglue OK great but now comes the question how would you connect to the server when you are connected to the VPN ?
  • 0
    @ilikeglue Also why not set up the server on VPS ? Because 24 thread 16Gb RAM and 1Tb of SSD space would cost lot of money. Yet it was cheap to buy server.
  • 1
    @Haxk20 ssh? Just use its ip address or name if it's configured
  • 0
    @ScribeOfGoD Did you read the rant even ? How can i ssh into it from anywhere when i dont have public WAN IP ?
  • 2
    Try to use a reverse SSH tunnel. I used that to host a Minecraft server behind NAT.

    Edit to clarify: Connect your home server to your vps with a SSH tunnel and route incoming traffic on the specified vps port through the tunnel.
  • 1
    To make SSH tunnels work, add:
    PermitTunnel yes
    GatewayPorts yes
    to /etc/ssh/sshd_config

    Edit: this is the vps config
  • 0
    @olback I mean that would be great but would other ports work too ? Like if i wanted to run webserver on it too ?
  • 2
    To connect to your vps from your home server:

    ssh -R 8080:localhost:8080 <vps-ip>

    Edit: add as many -R options as you want. Works with multiple ports.
  • 1
    @Haxk20 yes, all traffic works
  • 0
    @olback OK but when i connect to the server outside of the network trough VPS will it require also password for the VPS or just direct passtrough ? I would like to have double security in place if possible.
  • 2
    @Haxk20 A SSH tunnel set up like this will just forward all traffic to your home server. No authentication needed on your vps. It's just a relay.
  • 0
    @olback Huh. While thats elegant i would be kind of cool if it would be possible to add just password to the VPS connection too. But thats just nitpicking.

    I will try to find some VPS cause well 2 days ago my VPS kind of died because they changed their prices and went from 2$ to 6$ a month. While still not crazy amount im student and im happy that i could afford to spend those 2$ on the VPS LOL.

    And now just to clarify

    How do you open connection from server to VPS ?

    And how do you then connect to said server using the VPS ?
  • 1

    First on your vps: configure sshd as mentioned above. Connect from home server to vps with command mentioned above. Connect from the outside world as if your vps is the actual machine.

    Home server:
    ssh -R 80:localhost:80 <vps-ip/hostname> -p<port>

    Other computer in the wild: curl <vps-ip> // Content from home server if http server is running
  • 0
    Sorry, I should have specified what I meant by ssh lol. My reply went along the lines of the others here
  • 1
    @Haxk20 FFS.

    - setup OpenVpn in a Vps with a public ip. make sure you allow client to client communications in the server conf.
    - generate two client configs, each with its own cert/keys, and setup ccd for each. this means you can setup internal static ips for each client.
    - setup a persistent "if fails try to reconnect" + "on startup" service or similar on your home server with client conf A, with internal IP A.
    - when away from home, connect to vpn from laptop, using client conf B.
    - ssh to server user@[IP A]

    pros: simple to setup (at least for me), does not expose ssh port on public web like other solutions here, better security then most, you can also use VPN server to secure your comms in public places.

    cons: slightly higher VPS cost due to traffic.
  • 2
    The real challenge for me was to setup some strange routing rules, and even stranger voodoo open VPN config, so that all traffic from Client B was routed through the VPS server to Client A, from Client A to general internet, and back again.

    Don't ask why. never ask Why.
  • 1
    For hosting you maybe wanna checkout https://uberspace.de/en/
  • 1
    @magicMirrorexactly what I asked for. Thanks this is better then the reverse ssh and has more usage.
  • 1
    @magicMirror I wonder if wireguard would allow to do the same tho.
  • 2
    @Haxk20 you can do the same with Wireguard, although I find its 'way of thinking' much more confusing, and I had to jumble with iptables even more than I had to with openvpn for some reason.
    With Wireguard, everybody is an equal peer, and the client-server topology is just an abstract concept you implement on top of it because you wanted to. With OpenVpn, on the other hand, you are explocitly thinking in terms of clients and server.
    Wireguard does have some (not huge) performance benefit in terms of bandwidth and latency though, but unless you require very high speeds between your clients I don't think it's really worth it.

    I'd go with what magicMirror suggested, I have the same setup.
  • 0
    No idea about wireguard. Played around with strongSwan, and openVpn.
    OpenVpn won in the end - So I know lots more about it weirdness.
    The reasons were UDP support, and more resistent to bad connections.
  • 2
    @magicMirror I dont like OpenVPN due to their stupid client setup. Wireguard is just way simpler.
  • 1
    @Haxk20 I agree - OpenVpn setup is dumb.
    I might look at wireguard and see if it can cover my usecases, but I don't really want too..... Shit got complicated, like most of things I play with.

    KISS is for other ppl, I guess.
  • 0
    OK i had to do it trough reverse SSH tunneling. Didnt want to configure Wireguard at this time. And well it just works with this.
Add Comment