Passthrough gitea SSH through two servers

For the love of god I wasn't able to make this work.

I have three servers which live on two different networks:

  • gitea server (10.0.0.10 [eth0]) - Alpine Linux
  • local proxy server (10.0.0.3 [eth1], 10.22.33.2 [wg0]) - Alpine Linux
  • reverse proxy server (10.22.33.1[wg0], public internet IP [eth0]) - Debian

Currently there is haproxy running on the local proxy server listening on :80 which just blindly forwards stuff between various servers on the 10.0.0.0/24 class which is then properly cached and served by a nginx-based SSL terminator. However, I am now encountering an issue.

The gitea server runs an SSH server on port 22000, which is needed to let people authenticate via SSH, and for the love of god I cannot seem to be able to forward it in any way. I have tried the following rule on the local proxy server:

iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 22000 -j DNAT --to-destination 10.0.0.10:22000

But even from the reverse proxy server (reaching from wg0) I am not able to connect (connection refused) to the server. If I run an http server on the local proxy server (python3 -m http.server 22000), I can properly access it both from gitea and reverse proxy.

Of course port forwarding is enabled.

I also tried haproxy tcp forwarding, but didn't really understand how to set it up.

What should I do?

tldr: ssh server on gitea, how can I expose it to the internet?

Comments

  • Local proxy can reach the server and seems to have the rule enabled:

    local-proxy:~# ssh -p 22000 10.0.0.10
    The authenticity of host '[10.0.0.10]:22000 ([10.0.0.10]:22000)' can't be established.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C
    local-proxy:~# iptables -t nat -L PREROUTING -n -v
    Chain PREROUTING (policy ACCEPT 964 packets, 115K bytes)
     pkts bytes target     prot opt in     out     source               destination         
       17  1020 DNAT       6    --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22000 to:10.0.0.10:22000
    

    But on the reverse proxy:

    ed@proxy:~$ ssh -vvv 10.22.33.2 -p 22000
    debug3: ssh_connect_direct: entering
    debug1: Connecting to 10.22.33.2 [10.22.33.2] port 22000.
    debug3: set_sock_tos: set socket 3 IP_TOS 0x10
    

    Hangs forever.

  • I have discovered the existence of socat, and stopped trying to relay packets around
    https://www.redhat.com/sysadmin/getting-started-socat

  • edited August 2023

    I think it might be that the gitea server only has a route table for its own subnet 10.0.0.0/24, and it does not know to route to 10.22.33.1 (which is on the separate wireguard subnet)
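The return path the last comment points at is the usual reason a bare DNAT hangs: the PREROUTING rule rewrites only the destination, so the gitea host sees a packet from 10.22.33.1, and if it has no route for 10.22.33.0/24 via 10.0.0.3 its reply never comes back through the local proxy. The script below is an added example, not something posted in this thread; it assumes the interfaces and addresses given in the question (wg0, eth1, 10.0.0.10:22000) and prints or applies a DNAT plus MASQUERADE rule set so that replies are forced back through the local proxy.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout, taken from the question:
# local proxy has wg0 (10.22.33.2) and eth1 (10.0.0.3); gitea sshd is 10.0.0.10:22000.
WG_IF=${WG_IF:-wg0}
LAN_IF=${LAN_IF:-eth1}
GITEA=${GITEA:-10.0.0.10}
PORT=${PORT:-22000}

# Emit the four rules needed. The PREROUTING DNAT is the one from the question;
# the FORWARD rules let the flow through the filter table; the POSTROUTING
# MASQUERADE rewrites the source to 10.0.0.3 as well, so the gitea host answers
# the local proxy instead of trying to reach 10.22.33.1 on its own.
# Caveat: with MASQUERADE, sshd on the gitea host logs 10.0.0.3 as the peer.
# If the real peer address matters for your auth logs, skip the MASQUERADE rule
# and instead add "ip route add 10.22.33.0/24 via 10.0.0.3" on the gitea host.
ssh_forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WG_IF -p tcp --dport $PORT -j DNAT --to-destination $GITEA:$PORT
iptables -A FORWARD -i $WG_IF -o $LAN_IF -p tcp -d $GITEA --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WG_IF -p tcp -s $GITEA --sport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $GITEA --dport $PORT -j MASQUERADE
EOF
}

# Kernel forwarding must be on, or PREROUTING DNAT is counted but never delivered.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

apply_rules() {
    ssh_forward_rules | while read -r rule; do sh -c "$rule"; done
}

case "${1:-}" in
    show)  ssh_forward_rules ;;
    apply) check_forwarding || { echo "ip_forward is off: sysctl -w net.ipv4.ip_forward=1" >&2; exit 1; }
           apply_rules ;;
esac
```

Run `sh forward.sh show` to review the rules, then `sh forward.sh apply` as root on the local proxy; afterwards `ssh -p 22000 10.22.33.2` from the reverse proxy should reach the gitea host, and `conntrack -L -p tcp --dport 22000` (if conntrack-tools is installed) shows the translated flow.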
