[kwlug-disc] Remote access to machine behind CG-NAT

Khalid Baheyeldin kb at 2bits.com
Tue May 20 12:00:05 EDT 2025


Thanks John for the details.
It seems OpenVPN is quite doable then ...

Regarding split tunnels, it is not something I have experience with.
Rather it is something that needs to be set up, in order to prevent
ALL data from going through the VPS. Say you are traveling, and
only want the data to your home server to go through the VPN,
but your streaming from Youtube (or whatever streaming service)
should go to your local provider, and NOT to the VPN, to reduce data
usage and improve performance.

That is what I understand it to be. How to do it depends on the
specific tunnel or VPN used.

As for SSH tunneling, it turned out to be quite simple for certain
use cases, and for a single or a couple of ports.

Assume you have a VPS with the domain name of YOUR-VPS.com
(if you have a fixed IP address, then you can use that too, or a Dynamic
DNS service). Also assume your shell user name on it is REMOTE_USERNAME.
And on the machine that is behind a firewall where you can't open external
ports, nor can you have a stable external facing IP address, the internal IP
address is 192.168.0.50, and the service you want to run is on port 8080.

You create a systemd unit file, and in it you put:

[Unit]
Description=Reverse SSH tunnel to YOUR-VPS.com (VPS port 18080 -> 192.168.0.50:8080)
After=network-online.target
[Service]
User=USERNAME
Environment=AUTOSSH_GATETIME=0
# The -R bind address is only honoured if sshd on the VPS has GatewayPorts clientspecified;
# with the default (no) the port is bound to 127.0.0.1 on the VPS, which is what Nginx below expects.
ExecStart=/usr/bin/autossh -N \
  -o StrictHostKeyChecking=no \
  -o UserKnownHostsFile=/dev/null \
  -o PubkeyAuthentication=yes \
  -o PasswordAuthentication=no \
  -o ServerAliveInterval=30 \
  -o ServerAliveCountMax=3 \
  -i /home/USERNAME/.ssh/id_ed25519 \
  -R YOUR-VPS.com:18080:192.168.0.50:8080 \
  -p 22 REMOTE_USERNAME@YOUR-VPS.com
Restart=always
[Install]
WantedBy=multi-user.target

The -R line is where the magic is. It starts with the name of the external VPS.

Then because this specific service is HTTP, you need an extra step, to
proxy it in Nginx or Caddy.

Since my VPS already has Nginx, I chose that route, with this file called
my.conf, in the directory /etc/nginx/sites-enabled:

server {
  server_name subdomain1.YOUR-VPS.com;
  listen 80;
  # Fixed log file name: $host is taken from the client's Host header, so
  # using it in the path would let a client pick the log file name.
  access_log /var/log/nginx/subdomain1.access.log;
  location / {
    proxy_pass                         http://127.0.0.1:18080; # This is the tunnel port
    proxy_http_version                 1.1;
    proxy_set_header                   Host $host;
    proxy_set_header                   Upgrade $http_upgrade;
    proxy_set_header                   Connection 'upgrade';
    proxy_cache_bypass                 $http_upgrade;
    proxy_read_timeout                 90;
    proxy_connect_timeout              90;
    proxy_buffers                      8 24k;
    proxy_buffer_size                  2k;
  }
}

If you browse to http://subdomain1.YOUR-VPS.com, the request will go to Nginx,
which will send it to the tunnel on the VPS, which then sends it to your machine
behind the firewall, then back.

You can go a step further and set up SSL on Nginx, and the service will be
https, and not plain text http.

It is all transparent, and your application never knows it is behind a tunnel.

It gets complicated if you have more services, since you need to have one
port (18080 in the above case) assigned to each tunnel.
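The following script is an added example and is not code from the original post or from autossh or Nginx. It takes the multi-service case above and generates the two repetitive parts: one -R forward per service (bound to 127.0.0.1 on the VPS so the tunnel ports stay off the public interface) and one Nginx server block per service. It also checks, from ss -ltn style output, that each tunnel port is really listening on loopback only, which is the case a GatewayPorts=yes setting in sshd_config would break. The service names (app1, app2, grafana), internal hosts, tunnel ports, the function names, and the sample ss output are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. It generates the pieces
# needed to publish several internal services through one autossh reverse
# tunnel (one -R forward and one Nginx server block per service) and checks
# that the tunnel ports on the VPS are bound to loopback only.
# All hosts, ports and names below are constructed placeholders.

# Constructed service list: "name internal_host:port tunnel_port_on_vps"
SERVICES='app1 192.168.0.50:8080 18080
app2 192.168.0.51:3000 18081
grafana 192.168.0.50:3000 18082'

# One -R option per service. Binding explicitly to 127.0.0.1 keeps the tunnel
# ports off the VPS's public interface with the default GatewayPorts=no or
# with GatewayPorts=clientspecified; only GatewayPorts=yes forces a wildcard
# bind, which tunnel_port_is_loopback_only below detects.
reverse_forward_args() {
  args=""
  while read -r name target tport; do
    [ -n "$name" ] || continue
    args="${args:+$args }-R 127.0.0.1:${tport}:${target}"
  done <<EOF
$SERVICES
EOF
  printf '%s' "$args"
}

# Nginx server block for one service: $1=name $2=tunnel port $3=VPS domain.
# The log path is fixed rather than built from $host, so a client cannot
# influence which file Nginx writes to.
nginx_server_block() {
  name="$1"; tport="$2"; domain="$3"
  cat <<EOF
server {
  server_name ${name}.${domain};
  listen 80;
  access_log /var/log/nginx/${name}.access.log;
  location / {
    proxy_pass         http://127.0.0.1:${tport}; # tunnel port on the VPS
    proxy_http_version 1.1;
    proxy_set_header   Host \$host;
    proxy_set_header   Upgrade \$http_upgrade;
    proxy_set_header   Connection 'upgrade';
    proxy_cache_bypass \$http_upgrade;
  }
}
EOF
}

# Constructed sample of 'ss -ltn' output on the VPS (not captured data).
# 18080 is bound correctly; 18081 has ended up on the wildcard address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:18080     0.0.0.0:*
LISTEN 0      128    [::1]:18080         [::]:*
LISTEN 0      128    0.0.0.0:18081       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Reads ss-style lines on stdin; returns 0 when every LISTEN socket on
# port $1 is on a loopback address, 1 if any is on a wildcard/public address.
# On a real VPS:  ss -ltn | tunnel_port_is_loopback_only 18080
tunnel_port_is_loopback_only() {
  port="$1"; bad=0
  while read -r state _rq _sq laddr _peer; do
    [ "$state" = "LISTEN" ] || continue
    case "$laddr" in
      *:"$port") ;;
      *) continue ;;
    esac
    case "$laddr" in
      127.*:"$port"|"[::1]:$port") ;;
      *) bad=1 ;;
    esac
  done
  return "$bad"
}

# Demonstration when run directly.
printf 'ExecStart=/usr/bin/autossh -N %s REMOTE_USERNAME@YOUR-VPS.com\n\n' "$(reverse_forward_args)"
nginx_server_block app1 18080 YOUR-VPS.com
for p in 18080 18081; do
  if printf '%s\n' "$SAMPLE_SS" | tunnel_port_is_loopback_only "$p"; then
    echo "port $p: loopback only"
  else
    echo "port $p: bound on a non-loopback address, check GatewayPorts in sshd_config"
  fi
done
```

The generated -R list drops straight into the ExecStart line of the unit file above, and each server block goes into its own file under /etc/nginx/sites-enabled. Because every service gets its own port on the VPS, running the loopback check after each deploy is the quick way to confirm that nothing but Nginx can reach the tunnelled services; if you also pin the VPS host key in the client's known_hosts instead of disabling the check, the tunnel cannot be silently redirected to another host.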