Routing it Your Way Part 2: ssh + socat to Simplify Tunneling

In a previous post I’ve described of how ssh reverse tcp forwarding and socat forwarding can be used in combination to make the services of a server without a public IP address and no ssh access available to the outside world. The setup requires two intermediate gateway servers, one on the Internet and one in the local network. On the one hand, this is complicated but on the other hand offers a number of interesting simplifications if you have more than just one server in your local network that you want to expose to the world. Let me explain…

In my case, I have well beyond ten virtual machines at home with services ranging from Nextcloud, over XMPP messaging to my own email server that must be available from the Internet. On each of those VMs, I have a little script that starts the ssh command to reverse forward the tcp ports to that gateway server on the Internet. And on the gateway server on the Internet, I have an account for each of those VMs. That’s quite a lot of scripts and quite a lot of accounts. If something basic changes in my setup, I have to adapt a lot of scripts in a lot of places.

So let’s simplify: With the ssh + socat approach described in part 1, the distributed configuration described above can be centralized on the single Raspberry Pi in the home network. From here, a single ssh command is used to create all tcp forwardings to the gateway service on the Internet. Also, the Raspberry Pi is the single place from which socat is used to forward the tcp connections to the individual virtual machines. And on the gateway server on the Internet, only a single account is needed to which ssh can connect. When I want to make changes to my setup later on, there’s only a single machine to touch and only a single shell script to modify. And if you don’t like a physical server, this can of course also be done in a virtual machine.

The downside is that the Raspberry Pi or the virtual machine becomes a single point of failure. So having a good backup plan to reach the home network in case the Pi or VM goes down for whatever reason is a good idea.