Yes, it is possible:

    ssh -L 8443:serverA:443 -Nf user

This will let you point your desktop browser at port 8443 and send it to port 443 (the HTTPS port) on your server A. The -Nf will background the session and exit immediately back to your desktop, not establishing an actual shell session to server B.

If you check the man page for ssh, you'll find that the syntax for -R reads:

    -R [bind_address:]port:host:hostport

When bind_address is omitted (as in your example), the port is bound on the loopback interface only. In order to make it bind to all interfaces, use one of

    ssh -R \*:8080:localhost:80 -N
    ssh -R 0.0.0.0:8080:localhost:80 -N
    ssh -R "[::]:8080:localhost:80" -N

The first version binds to all interfaces individually. The second version creates a general IPv4-only bind, which means that the port is accessible on all interfaces via IPv4. The third version is probably technically equivalent to the first, but again it creates only a single bind to ::, which means that the port is accessible via IPv6 natively and via IPv4 through IPv4-mapped IPv6 addresses (doesn't work on Windows, OpenBSD). (You need the quotes because [::] could be interpreted as a glob otherwise.)

Note that if you use the OpenSSH sshd server, the server's GatewayPorts option needs to be enabled (set to clientspecified, or, in rare cases, to yes) for this to work (check /etc/ssh/sshd_config on the server). Otherwise (the default value for this option is no), the server will always force the port to be bound on the loopback interface only.

I've got a server with 2 network interfaces. Due to a restrictive NAT firewall, it establishes an SSH tunnel to a server on the internet:

    ssh -fNTMS "/tmp/tunnel.socket" host
    ssh -S "/tmp/tunnel.socket" -O forward -R "0:localhost:22" placeholder

Normally it connects via a wired 1GB ethernet connection (eth0), but it's unreliable, as it's in an office where people move stuff around and the cable "falls out" (unfortunately I can't use glue). It also has a mobile 4G internet connection (eth1), which is slower and more expensive.

To ensure the tunnel is still working, I'm periodically using the -O check command:

    ssh -S "/tmp/tunnel.socket" -O check placeholder

If this -O check fails, the socket will be closed (via -O exit), and a new SSH connection will be established. If the failure was due to the eth0 network cable "falling out", then Linux will automatically use eth1. But, when eth0 is back up again, I'd like to switch back to it. So I'm thinking, when running -O check, I could see if the tunnel is currently using eth1 (the point of this question), and if eth0 is back, re-connect.

    default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.225 metric 100
    default via 192.168.2.1 dev eth1 proto dhcp src 192.168.2.241 metric 200

Note how eth1 has a metric of 200, so eth0 gets priority when it's working.

I can list connections with lsof:

    lsof -ai -p 3430 -n -P
    COMMAND PID  USER FD TYPE DEVICE SIZE/OFF NODE NAME
    ssh     3430 craig 3u IPv4 69362 0t0      TCP  192.168.1.225:43878->1.1.1.1:22 (ESTABLISHED)

And netstat -tpln does not show interfaces when listing sockets.

A possible solution (I'm using it) is to create a new interface on each side and then connect them via the -w switch of ssh.

First you should set up the two local default routes with the right metrics. Whenever there is a change (eth0 up or down) you will lose the connection, but that's not a problem (read on).

Create tun devices on each server and let the user access them. Something like (you have to swap the addresses for the other side):

    sudo ip tuntap add dev tun3 mode tun user myuser group mygroup

Then, if you run ssh -w3:3, you will have those two interfaces connected via an ssh tunnel and you will be able to ping them. From this moment on, you can connect to the remote host over a "stable" link that will use eth0 or 4G as needed, but keeping the addresses (10.9.0.1/10.9.0.2). If you lose the connection, no problem: the tun devices will wait until you re-establish it and resume.

Instead of ssh I suggest you use autossh (and keys) with the -M flag (monitor). It will detect that the link is lost and reconnect.

That's really close to a full-fledged VPN (you can apply routing, policies, firewall... to the tun interfaces), but it works on the good old ssh you know so well.
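The question above asks how to tell, from the -O check hook, whether the ControlMaster is currently riding eth1 while eth0 is back; neither the question nor the tun answer shows that check. The script below is an added example, written for this page and not taken from either poster. It parses the same three command outputs the question already uses (ip route, lsof -n -P, and ip -o addr for the address-to-interface mapping) and closes the master with -O exit when the tunnel's source address is not on the interface that holds the best default route, so the questioner's existing re-establish path brings it back over eth0. All sample outputs are constructed (the routes and the lsof line are the ones quoted in the question; the second lsof line pretends the tunnel was rebuilt while only 4G was up); the names reconnect_if_needed, on_wrong_iface and so on are this example's own.

```shell
#!/bin/bash
# Added example (not part of the original question or answer): detect whether
# the ControlMaster tunnel is currently on eth1 (4G) although eth0 has the
# preferred default route again. The parsers take command output as text so
# they can be exercised offline on the constructed samples below;
# reconnect_if_needed() at the bottom feeds them live output.

# best_default_iface: device of the lowest-metric "default" route in the
# output of `ip -4 route show default` (the two routes quoted in the question).
best_default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
        }
        END { print best }'
}

# tunnel_local_addr: local source IP of the ESTABLISHED ssh session to
# <remote_ip>:22 in `lsof -ai -p <pid> -n -P` output (layout as in the question).
tunnel_local_addr() {
    printf '%s\n' "$1" | awk -v r="$2" '
        $8 == "TCP" && $10 == "(ESTABLISHED)" && index($9, "->" r ":22") {
            split($9, ep, "->"); sub(/:[0-9]+$/, "", ep[1]); print ep[1]; exit
        }'
}

# iface_for_addr: interface that owns <addr>, from `ip -4 -o addr show`.
iface_for_addr() {
    printf '%s\n' "$1" | awk -v a="$2" '
        $3 == "inet" { split($4, cidr, "/"); if (cidr[1] == a) { print $2; exit } }'
}

# on_wrong_iface: success (0) when the tunnel's source address is not on the
# interface holding the best default route, i.e. eth0 is back but the master
# is still on eth1. Returns 2 when no established tunnel is found at all.
on_wrong_iface() {   # $1 routes  $2 addrs  $3 lsof  $4 remote_ip
    local want src have
    want=$(best_default_iface "$1")
    src=$(tunnel_local_addr "$3" "$4")
    [ -n "$src" ] || return 2
    have=$(iface_for_addr "$2" "$src")
    [ -n "$want" ] && [ "$want" != "$have" ]
}

# reconnect_if_needed: live wrapper, not run offline. It takes the master pid
# from the "Master running (pid=N)" line that `ssh -O check` prints and closes
# the master with -O exit, exactly what the question already does when the
# check fails, so the caller's normal path re-establishes the tunnel over eth0.
reconnect_if_needed() {   # $1 control socket  $2 ssh host  $3 remote_ip
    local pid
    pid=$(ssh -S "$1" -O check "$2" 2>&1 | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p')
    [ -n "$pid" ] || return 1
    if on_wrong_iface "$(ip -4 route show default)" "$(ip -4 -o addr show)" \
                      "$(lsof -ai -p "$pid" -n -P)" "$3"; then
        ssh -S "$1" -O exit "$2"
    fi
}

# Constructed samples (routes and first lsof line taken from the question).
ROUTES='default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.225 metric 100
default via 192.168.2.1 dev eth1 proto dhcp src 192.168.2.241 metric 200'
ADDRS='2: eth0    inet 192.168.1.225/24 brd 192.168.1.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec
3: eth1    inet 192.168.2.241/24 brd 192.168.2.255 scope global dynamic eth1\       valid_lft 86000sec preferred_lft 86000sec'
LSOF_HDR='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME'
LSOF_WIRED="$LSOF_HDR
ssh 3430 craig 3u IPv4 69362 0t0 TCP 192.168.1.225:43878->1.1.1.1:22 (ESTABLISHED)"
LSOF_4G="$LSOF_HDR
ssh 3430 craig 3u IPv4 69362 0t0 TCP 192.168.2.241:51022->1.1.1.1:22 (ESTABLISHED)"

if on_wrong_iface "$ROUTES" "$ADDRS" "$LSOF_4G" 1.1.1.1; then
    echo "tunnel is on eth1 while eth0 is preferred: reconnect"
fi
```

Run reconnect_if_needed from the same periodic job that runs -O check, e.g. reconnect_if_needed /tmp/tunnel.socket placeholder 1.1.1.1 with the remote server's real address in place of 1.1.1.1. Two caveats for the tun-based answer that the posts leave implicit: ssh -w only works if the server's sshd_config has PermitTunnel set (it defaults to no), and the ip tuntap line only creates the device, so each side still needs an address and the link brought up (for instance ip addr add 10.9.0.1/30 dev tun3 and ip link set tun3 up, with 10.9.0.2/30 on the other side; the /30 is an assumption, the answer only names the two addresses) before the ping across the tunnel will succeed.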
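Going back to the -R bind_address discussion above: when a remote forward still ends up on 127.0.0.1, the two things to check on the server are what sshd's effective GatewayPorts value is and what the port actually got bound to. The script below is an added example for this page, not code from the original answer. It reads sshd_config text the way sshd does for this purpose (keywords are case-insensitive, the first value set for a keyword wins, the default is no, and anything after a Match line is conditional and is skipped here; Include directives are not followed) and classifies the listening sockets for the forwarded port from ss -ltn output. Both the sshd_config fragments and the ss listings are constructed samples; the names gatewayports_effective, forward_bind_scope and diagnose are this example's own.

```shell
#!/bin/bash
# Added example (not from the original answer): explain why a remote forward
# requested with `ssh -R '*:8080:localhost:80'` is, or is not, reachable from
# other hosts. Inputs are passed as text so the checks run offline.

# gatewayports_effective: effective GatewayPorts value for the given
# sshd_config text. sshd keeps the first value it sees for a keyword and
# matches keywords case-insensitively; everything after a Match line is
# conditional on the connection and is ignored here. Include is not followed.
gatewayports_effective() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                      # drop comments, re-split fields
        NF == 0 { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == "gatewayports" && !found { val = tolower($2); found = 1 }
        END { print (found ? val : "no") }'
}

# forward_bind_scope: how <port> is bound in `ss -ltn` output on the server:
#   loopback  only 127.0.0.1 / [::1]   (no bind_address, or sshd forced it)
#   all       0.0.0.0 and/or [::]      (reachable from other hosts)
#   none      nothing listening on that port
forward_bind_scope() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR == 1 { next }                        # header line
        {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]") loop = 1; else wide = 1
        }
        END { if (wide) print "all"; else if (loop) print "loopback"; else print "none" }'
}

# diagnose: one verdict token combining both checks.
#   forced-loopback   sshd has GatewayPorts no, the client bind_address was ignored
#   client-loopback   sshd would allow it, the -R request omitted bind_address
#   ok                port bound on all interfaces
#   none              forward not established at all
diagnose() {   # $1 sshd_config text  $2 ss -ltn text  $3 port
    local gp scope
    gp=$(gatewayports_effective "$1")
    scope=$(forward_bind_scope "$2" "$3")
    case "$scope:$gp" in
        loopback:no) echo forced-loopback ;;
        loopback:*)  echo client-loopback ;;
        all:*)       echo ok ;;
        *)           echo none ;;
    esac
}

# Constructed samples.
SSHD_DEFAULT='# as shipped: the keyword is present only as a comment
#GatewayPorts no
PermitRootLogin prohibit-password
Match User deploy
    GatewayPorts yes'
SSHD_FIXED='GatewayPorts clientspecified
GatewayPorts yes   # ignored: sshd takes the first value it sees
Match User deploy
    GatewayPorts no'
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    [::1]:8080          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SS_WIDE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::]:8080           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

case "$(diagnose "$SSHD_DEFAULT" "$SS_LOOPBACK" 8080)" in
    forced-loopback) echo "sshd forces loopback: set GatewayPorts clientspecified and reload sshd" ;;
    client-loopback) echo "add a bind_address to -R (\\*: or 0.0.0.0: or [::]:)" ;;
    ok)              echo "port 8080 reachable on all interfaces" ;;
    none)            echo "no listener: the forward was not established" ;;
esac
```

On the live server, feed it the real files and output: diagnose "$(cat /etc/ssh/sshd_config)" "$(ss -ltn)" 8080. Note that with GatewayPorts yes sshd binds every remote forward to all interfaces whether or not the client asked, which is why the answer recommends clientspecified: it leaves the decision to the -R bind_address.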