So I've had this all working previously but I had forgotten all the hoops that we're necessary to get it to work.
N.B. all of the below assumes that a "proper" vpn solution is not an option
The aim:
To forward a port on network A to a machine on network B in such a way as to be accessible by all machines on network A, using the address that the machine on network B has.
The Caveat:
It is not possible to make an ssh connection from Network A into Network B due to the the firewall setup, however the reverse is possible.
The solution:
So ssh has this handy -R flag which allows you to forward a port from the remote host to the local network.
Setting up a secondary ip address is easy enough using Linux's config tools (yast in my case), ifconfig or ip*
The final part of the puzzle is to set up a route from all relevant machines on network A that direct it to the ssh gateway machine.
The problem:
ssh, by default, does not allow you to specify the remote address to bind to (or rather, you can specify it but the packets will be silently dropped with no error message to indicate what you did wrong).
The Fix:
edit /etc/ssh/sshd_config and add the line
GatewayPorts yes
While you're there I recommend you also add
TCPKeepAlive yes
Why these two options are not enabled by default is beyond me.
The complete solution:
ok, so you have the following setup:
Network A: 192.168.0.0/24
Computer 1: 192.168.0.2, Windows
Computer 2: 192.168.0.3, *nix
Computer 3: 192.168.0.4, *nix, used as gateway
Router 1: internal: 192.168.0.1, external: 10.0.0.1, external port 22 forwarded to 192.168.0.4
Network B: 192.168.1.0/24
Computer 4: 192.168.1.2, Target (service port: 1234)
Computer 5: 192.168.1.3, *nix, used as gateway
Router 2: internal: 192.168.1.1, external: 10.0.0.2
On Computer 3:
Edit (as root) /etc/ssh/sshd_config in your favourite editor and add the following options:
GatewayPorts yes
TCPKeepAlive yes
Use your systems config tools to add a second ip address for the network interface [in yast this is Network Devices->Network Settings->Edit->Add]
Set the ip address to be the same as the target computer (e.g. 192.168.1.2).
Don't worry about it being in a different ip range - we'll fix that later.
Create a new user and create an ssh private key for that user
On Computer 5:
Run the following command as a normal user (or get someone to run it for you): **
#ssh -v -R 192.168.1.2:1234:192.168.1.2:1234 user@10.0.0.1
On Computers 1 & 2:
Configure a route to access the remote computer
network: 192.168.1.0
via: 192.168.0.4
* I only discovered ip existed today. It seems I am not the only one. Spread the word!
** See a separate blog post to follow about how to have this running all the time.