In order to investigate a bug I was running into, I recently had to give my colleague ssh access to my laptop behind a firewall. The easiest way I found to do this was to create an account for him on my laptop, and setup a pagekite frontend on my personal server and a pagekite backend on my laptop.

Frontend setup

Setting up my server in order to make the ssh service accessible and proxy the traffic to my laptop was fairly straightforward.

First, I had to install the pagekite package (already in Debian and Ubuntu) and open up a port on my firewall by adding the following to both /etc/network/iptables.up.rules and /etc/network/ip6tables.up.rules:

-A INPUT -p tcp --dport 10022 -j ACCEPT

Then I created a new CNAME for my server in DNS:

pagekite.fmarier.org.   3600    IN  CNAME   fmarier.org.

With that in place, I started the pagekite frontend using this command:

pagekite --clean --isfrontend --rawports=virtual --ports=10022 --domain=raw:pagekite.fmarier.org:Password1

Backend setup

After installing the pagekite and openssh-server packages on my laptop and creating a new user account:

adduser roc

I used this command to connect my laptop to the pagekite frontend:

pagekite --clean --frontend=pagekite.fmarier.org:10022 --service_on=raw/22:pagekite.fmarier.org:localhost:22:Password1

Client setup

Finally, my colleague needed to add the folowing entry to ~/.ssh/config:

Host pagekite.fmarier.org
  CheckHostIP no
  ProxyCommand /bin/nc -X connect -x %h:10022 %h %p

and install the netcat-openbsd package since other versions of netcat don't work.

On Fedora, we used netcat-openbsd-1.89 successfully, but this newer package may also work.

He was then able to ssh into my laptop via ssh [email protected].

Making settings permanent

I was initially quite happy settings things up temporarily on the command-line, but it's also possible to persist these settings and to make both the pagekite frontend and backend start up automatically) at boot.

I ended up putting the following in /etc/pagekite.d/20_frontends.rc on my server:

#defaults

isfrontend
rawports=virtual
ports=10022
domain=raw:pagekite.fmarier.org:Password1

as well as removing the following lines from /etc/pagekite.d/10_account.rc:

# Delete this line!
abort_not_configured

before restarting the pagekite daemon using:

systemctl restart pagekite

Using mosh and pagekite

Mosh is a nice way to interface with ssh over high-latency netowrks. However, it's not possible to tunnel mosh directly through pagekited since pagekite only supports TCP.

I ended up with a hybrid setup where I don't have to expose the ssh service to the local network (and therefore remember to disable it when I'm done) but I do have to open a UDP port on my firewall for mosh.

First, I assigned a stable IP to my laptop on my router, based on its MAC address. I also had to disable MAC address spoofing in Network Manager (setting it to permanent).

This is what my /etc/NetworkManager/system-connections/Ethernet automatique config looks like:

[ethernet]
cloned-mac-address=preserve

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
ip6-privacy=2
method=auto

Then I forwarded port 9000 (UDP) traffic to the static IP address above.