Simple SSH Tunnel Guide - Part 1

Building the Gateway

This post describes the first of three parts of my Simple SSH Tunnel Guide. The goal of this post is to get a new server up and running in AWS to act as a gateway for SSH tunneling.

Step 1 - Launch New EC2 Instance

Short Version

If you already know your way around AWS, then all you need to do for this step is the following:

  • Create a new t2.micro instance running Ubuntu
  • Configure the Security Group to include a new Custom Rule to allow incoming traffic on port 443
  • Generate a new SSH key pair and save the private key to a folder called /tmp/tunnel on your workstation

Once the new instance is launched, the key file downloaded and the public IP address is noted, continue on to Step 2.

Long Version

Please skip to Step 2 if you are already familiar with creating new EC2 instances on

  1. Navigate to your preferred Amazon region and click Launch Instance:

  2. Select Ubuntu as the AMI:

  3. Ensure t2.micro is selected and click Next: Configure Instance Details:

  4. Leave default instance values and click Next: Add Storage:

  5. Leave default storage values and click Next: Tag Instance:

  6. Enter name tunnel-test-1 and click Next: Configure Security Group:

  7. Click Add Rule and create new Custom TCP rule for port 443 and click Review and Launch:

  8. Review instance details and click Launch:

  9. Select Create a new key pair, enter tunnel-key-1 as the Key pair name and click Download Key Pair:

  10. Save the tunnel-key-1.pem file to a new folder on your workstation called /tmp/tunnel, then click Launch Instance:

  11. Once launched, navigate back to the EC2 Services dashboard and note the status and the IP address of the new tunnel-test-1 instance:

Step 2 - Configure SSH On EC2 Instance

With the new gateway service up and running on Amazon, the next step is to prepare it to receive SSH connections on port 443.

  1. Ensure the tunnel-key-1.pem key file, downloaded from Amazon to a new /tmp/tunnel folder on your workstation, has the correct permissions by running:

    chmod 600 /tmp/tunnel/tunnel-key-1.pem
    
  2. Using the key file, log into the gateway instance from your workstation using the following:

    export GATEWAY=54.66.197.58
    ssh ubuntu@${GATEWAY} -i /tmp/tunnel/tunnel-key-1.pem
    

    Where GATEWAY points to the IP address that was noted in Step 1. If successful, you will be presented with the command prompt of the new instance:

  3. Switch to root by running sudo su, then open the sshd config file for editing using vi or similar:

    vi /etc/ssh/sshd_config
    
  4. Add an additional Port 443 configuration directive underneath the existing Port 22 declaration and save the file:

  5. Restart the ssh service by running service ssh restart:

  6. To allow the root account to SSH directly into the server, edit the /root/.ssh/authorized_keys file and remove the comment at the beginning of the first line, so that the line starts with ssh-rsa AAA...:

    After editing, the contents of the /root/.ssh/authorized_keys file should look something like this:

  7. Check that root account can now ssh into the gateway on port 443 by running:

    ssh -p 443 root@${GATEWAY} -i /tmp/tunnel/tunnel-key-1.pem
    

    A successful connection will display a command prompt for the root account:
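Steps 4 and 5 above, done by hand, are easy to get wrong on a host you can only reach over SSH. The following is an added example (not part of the original post) that inserts the Port 443 directive under Port 22 exactly once, so it can be re-run safely, and only restarts the service after sshd has accepted the file. It assumes the path to sshd_config is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: make the "Port 443" edit from
# Step 2 repeatable and safe. Assumed input: the sshd_config path as $1.

# Insert "Port 443" directly under the existing "Port 22" line, once.
add_port_443() {
  cfg="$1"
  # Idempotent: a second run must not add a duplicate directive.
  if grep -Eq '^[[:space:]]*Port[[:space:]]+443[[:space:]]*$' "$cfg"; then
    return 0
  fi
  if grep -Eq '^[[:space:]]*Port[[:space:]]+22[[:space:]]*$' "$cfg"; then
    # Copy every line; after the first "Port 22" also emit "Port 443".
    awk '{ print }
         /^[ \t]*Port[ \t]+22[ \t]*$/ && !done { print "Port 443"; done = 1 }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    # No explicit Port line: sshd would otherwise default to 22 only, so
    # declare both, or adding 443 alone would silently drop the listener on 22.
    printf 'Port 22\nPort 443\n' >> "$cfg"
  fi
}

# Number of active Port directives (commented ones excluded), for a sanity check.
count_ports() {
  grep -Ec '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1"
}

# Only restart once sshd accepts the file; a broken config locks you out of
# the gateway, because SSH is the only way in.
apply_and_restart() {
  cfg="$1"
  if ! command -v sshd >/dev/null 2>&1; then
    echo "sshd not found; skipping syntax check and restart" >&2
    return 0
  fi
  sshd -t -f "$cfg" && service ssh restart
}
```

Run it as root on the gateway with `add_port_443 /etc/ssh/sshd_config && apply_and_restart /etc/ssh/sshd_config`, then confirm the second listener with `ss -tln | grep ':443'` before closing your existing session.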

Step 3 - Add Chatty Script to Gateway

This script is used by both the local and remote machines to maintain persistent connections to the gateway. When executed, the script outputs a tiny bit of text at random intervals, making it appear to be an active, healthy connection to the surrounding infrastructure, which helps reduce the risk that the connection will be terminated. I have found this method to be sufficient to keep the tunnel connection maintained for weeks on end.

Create this script as follows:

  1. Log in to the gateway server as root, and create a new file called /root/chatty.sh with the following contents:

    #!/bin/bash
    
    set -e
    
    # Label printed on every line; identifies which machine is keeping the session busy
    WHOISIT=not_sure
    
    # A single optional argument overrides the label
    if [ $# -eq 1 ]; then
      WHOISIT=$1
    fi
    
    # Print a short line every 11 to 40 seconds so the SSH session never looks idle
    while true; do
      R=$(( ( RANDOM % 30 ) + 11 ))
      printf "%14s : $R s\n" "$WHOISIT"
      sleep "$R"
    done
    
  2. Ensure the script is executable by running:

    chmod +x /root/chatty.sh
    
  3. Test that the script runs by executing:

    /root/chatty.sh testing
    

    The output should look something like this:

    Kill the process by hitting CTRL-C.

    The gateway server is now ready to persist SSH connections.

Next Step

Please continue on to Part 2 - The Remote Server for the next part of this guide.

Written on March 3, 2015