Passthrough gitea SSH through two servers

For the love of god i wasn't able to make this work.

I have three servers which live on two different networks:

  • gitea server ( [eth0]) - Alpine Linux
  • local proxy server ( [eth1], [wg0]) - Alpine Linux
  • reverse proxy server ([wg0], public internet IP [eth0]) - Debian

Currently there is haproxy running on the local proxy server listening on :80 which just blindly forwards stuff between various servers on the class which is then properly cached and served by a nginx-based SSL terminator. However, I am now encountering an issue.

The gitea server runs a SSH server on port 22000, which is needed to let people authenticate via SSH, and for the love of got i cannot seem to be able to forward it in any way. I have tried the following rule on the local proxy server:

iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 22000 -j DNAT --to-destination

But even from the reverse proxy server (reaching from wg0) i am not able to connect (connection refused) to the server. If i run an http server on the local proxy server (python3 -m http.server 22000), i can properly access it both from gitea and reverse proxy.

Of course port forward is enabled.

I also tried haproxy tcp forwarding, but didn't understand much how to set it up.

What should I do?

tldr: ssh server on gitea, how can i expose it to the internet?


  • Local proxy can reach the server and seems to have the rule enabled:

    local-proxy:~# ssh -p 22000
    The authenticity of host '[]:22000 ([]:22000)' can't be established.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C
    local-proxy:~# iptables -t nat -L PREROUTING -n -v
    Chain PREROUTING (policy ACCEPT 964 packets, 115K bytes)
     pkts bytes target     prot opt in     out     source               destination         
       17  1020 DNAT       6    --  wg0    *              tcp dpt:22000 to:

    But on the reverse proxy:

    ed@proxy:~$ ssh -vvv -p 22000
    debug3: ssh_connect_direct: entering
    debug1: Connecting to [] port 22000.
    debug3: set_sock_tos: set socket 3 IP_TOS 0x10

    Hangs forever.

  • I have discovered the existance of socat, and stopped trying to relay packets around

    Thanked by (1)yoursunny
  • edited August 2023

    I think it might be that the gitea server only has a route table for it's own subnet, and it does not know to route to (which is on the separate wireguard subnet)

Sign In or Register to comment.