mb1-knetdome wrote:
Is there some way to set up a connection from my home machine through the gateway to my work machine that makes the gateway become invisible? So I can run programs that open connections from my home machine to my work machine or vice-versa?
A couple of options:
0. SSH to the gateway as usual, setting up a forwarded port to the SSH port of your internal machine. You shouldn't need to enable X forwarding on this first connection since it doesn't sound like you're actually running anything X from the gateway. Then start another SSH session, using X forwarding, on your home machine but connect to the localhost port that you forwarded to your internal machine. This should work but might be a little slow due to the SSH-inside-of-SSH encryption going on but it sounds like you were kind of doing that anyway.
This sounds interesting, and it appears to work in my testing at work. I'll try it for real tonight. I didn't understand the description at first sight, so for anybody else who didn't either, here's an example of the command lines. Suppose the machines are called 'home', 'gateway' and 'work' and I want to start xeyes on 'work' and see the result on 'home':

In one terminal:

    home$ ssh -L 2222:work:22 gateway
    SOME PASSWORD STUFF HERE
    gateway$

Then in another terminal:

    home$ ssh -X -p 2222 localhost
    MORE PASSWORD STUFF
    work$ xeyes

and the eyes come up on my 'home' machine. Now I guess it's worth setting up the agents properly so I don't have any password nonsense :) Thanks greatly.
This next idea is a bit more work but is well worth it in my opinion because it becomes totally transparent once it's all set up.
I think I prefer your first suggestion precisely because it isn't so transparent! I'd prefer to have a situation where the traffic between my home and the network is limited to just that I have explicitly enabled so far as possible. Or did I miss something? Cheers, Dave
1. If your work machine has unfettered access OUT of the network then it might be easier to set up something like OpenVPN from the work machine to connect to an OpenVPN listener on your home network. This works best when your home IP is static or is at least the same for long periods of time. e.g. I'm on a dynamic IP at home but I've had the same IP address for almost a year and a half now. Some ISPs will deliberately change your IP periodically so it really depends on your provider. Anyway, I run OpenVPN from a server at work that pings the tunnel about every 15 seconds to keep the UDP connection marked as active and this allows me transparent access in both directions using NAT and some routing information.
If this outgoing connection won't work for you for whatever reason then you can tell OpenVPN to run over TCP instead of UDP, use the first SSH connection you make to forward that TCP port from your home machine to the internal machine, and then start an SSH-forwarded OpenVPN connection directly between your home machine and your work machine and you'll have roughly the same thing except that having to use TCP for the tunnel instead of UDP generally results in lower performance.
Let me know if this sounds interesting to you and I'll be glad to help you work out the details. I'll just say that this setup has worked amazingly well for me for almost two years and I highly recommend it if your home IP is even remotely stable.
Hope that makes sense.
-- Dave Howorth MRC Centre for Protein Engineering Hills Road, Cambridge, CB2 2QH 01223 252960
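The two-hop setup from option 0, as an added example that is not from either poster, with the flags a cautious operator wants: no shell on the first hop, bind only to loopback, fail if the forward cannot be set up, a control socket so the tunnel can be checked and torn down explicitly, and HostKeyAlias so the second hop is verified against the 'work' host key rather than a separate "[localhost]:2222" entry. Host names, the local port and the socket path are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread). Defaults are assumptions:
GATEWAY="${GATEWAY:-gateway}"
WORK="${WORK:-work}"
LOCAL_PORT="${LOCAL_PORT:-2222}"
CTL="${CTL:-$HOME/.ssh/ctl-$GATEWAY}"   # ControlMaster socket used for check/teardown

# First hop: forward only (-N), background (-f), ControlMaster (-M -S) for explicit
# teardown, and abort instead of silently running without the forward.
# Binding to 127.0.0.1 keeps other hosts on the home LAN off the tunnel.
first_hop_cmd() {
  printf 'ssh -f -N -M -S %s -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:22 %s' \
    "$CTL" "$LOCAL_PORT" "$WORK" "$GATEWAY"
}

# Second hop: X forwarding to the forwarded port. HostKeyAlias makes ssh check the
# known_hosts entry for "work", so a changed key on the far end is noticed.
second_hop_cmd() {
  printf 'ssh -X -p %s -o HostKeyAlias=%s localhost' "$LOCAL_PORT" "$WORK"
}

tunnel_up()    { eval "$(first_hop_cmd)"; }
tunnel_check() { ssh -S "$CTL" -O check "$GATEWAY"; }   # is the master still alive?
tunnel_down()  { ssh -S "$CTL" -O exit "$GATEWAY"; }    # close the tunnel explicitly

case "${1:-}" in
  up)    tunnel_up ;;
  check) tunnel_check ;;
  down)  tunnel_down ;;
  x11)   eval "$(second_hop_cmd) $2" ;;   # e.g. ./tunnel.sh x11 xeyes
  *)     echo "usage: $0 up|check|down|x11 [command]" ;;
esac
```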