How to Remotely Access a Linux Server Behind a Firewall in 5 Steps

Overview of Remote Accessing a Linux Server Behind a Firewall

A firewall blocks all inbound connections to privately hosted servers for protection. Publicly exposing a Linux server is dangerous without authenticated access controls.

5 main techniques enable remote access without sacrificing server security:

1. Port Forwarding – Opens specific firewall ports to allow controlled administrative access.

2. Site-to-Site VPN – Create an encrypted VPN tunnel from the client to the server network.

3. Remote Access VPN – Connect via VPN client to the server’s network for access.

4. SSH Tunneling – Encrypted SSH tunnel to securely relay remote traffic.

5. Proxy Server – Intermediary proxy directs inbound remote connections.

Below we explore configurations and examples of each method using common Linux tools for sysadmin access.

1. Port Forwarding for Linux Server Remote Access

Opening ports in a firewall using port forwarding allows limited remote traffic to securely reach servers. This grants external access to required network services and applications running on the Linux system.

For a Linux server, enabling SSH on port 22 is a common technique:

Step 1 – Assign Static LAN IP Address

Configure the server’s network interface with a fixed internal IP address. Edit /etc/netplan/config.yaml:

network:
  version: 2
  ethernets:
    eno1:
      addresses: 
        - 192.168.1.100/24
      gateway4: 192.168.1.1

Apply this static IP address:

sudo netplan apply

Step 2 – Enable SSH Server

Install OpenSSH server if needed:

sudo apt install openssh-server

Allow SSH through the default 22 port in the firewall:

sudo ufw allow ssh

Step 3 – Set Up Port Forwarding Rule

On the firewall device, create a port forwarding rule mapping a public port to the Linux server address and SSH port:

Public Port: 9051 

Forward to: 192.168.1.100 Port 22

This forwards remote SSH traffic from port 9051 to the server.

Step 4 – SSH to Remote Server

Now remotely connect to the public IP and forwarded port:

ssh user@public_ip -p 9051

Port forwarding enables convenient remote SSH access to the secured Linux server from anywhere.

2. Site-to-Site VPN Tunnel for Remote Access

A site-to-site VPN extends the server’s private LAN to external client locations. Traffic enters the VPN tunnel encrypted end-to-end, bypassing the public internet:

Step 1 – Configure Linux VPN Server

Install a VPN server like OpenVPN and generate certificates for the VPN instance:

sudo apt install openvpn easy-rsa

# Initialize PKI
sudo make-cadir ~/openvpn-ca

# Generate CA cert and key
sudo bash -c "source ~/openvpn-ca/vars && ./clean-all && ./build-ca --batch"

# Generate server certs
sudo bash -c "source ~/openvpn-ca/vars && ./build-key-server server"

This handles all the VPN certificate creation.

Step 2 – Configure VPN Server Config

Define the VPN network details at /etc/openvpn/server.conf. For example:

port 1194
proto udp
dev tun0

server 10.8.0.0 255.255.255.0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt  
key /etc/openvpn/keys/server.key

dh /etc/openvpn/keys/dh.pem

topology subnet

This specifies 1194 as the listening port, the VPN IP range, certificates, and other parameters.

Step 3 – Configure Linux Firewall

Open required ports for OpenVPN in the firewall:

sudo ufw allow OpenSSH
sudo ufw allow 1194/udp

Step 4 – Start OpenVPN Server

Start the VPN server process:

sudo systemctl start openvpn-server@server

The site-to-site VPN tunnel is now ready for clients to join.

Step 5 – Connect VPN Clients

On the client, import the .ovpn profile with credentials. Then initiate the VPN connection to tunnel traffic to the server LAN through the VPN interface tun0.

With end-to-end encryption, remote clients can securely access the private Linux server like on a local private network.

3. Remote Access VPN for Individual Connection

A remote access VPN uses individual user credentials to authenticate connecting from external locations. This allows securing and isolating remote access to the needed Linux server via the VPN tunnel.

Here is how to configure remote authentication for users:

Step 1 – Install VPN Server

For Linux, OpenVPN is a great open-source VPN option. Install it:

sudo apt install openvpn

Step 2 – Create CA and Certificates

Use easy-rsa to generate the root CA certificate and client/server certificates. This handles authentication and encryption.

# Initialize PKI CA
make-cadir ~/openvpn-ca

# Generate Root CA
source ~/openvpn-ca/vars
./clean-all 
./build-ca

# Client and server certificates
./build-key client
./build-key server

This creates ~/openvpn-ca/keys/ holding private keys, issued certs, and CA cert.

Step 3 – Configure server. conf

Define the OpenVPN server configuration at /etc/openvpn/server.conf:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key

dh dh.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp" 

client-to-client

duplicate-cn

This specifies important parameters like protocol, port, IP ranges, certificates, and keepalive settings.

Step 4 – Configure User Authentication

Update /etc/openvpn/auth.txt to define authenticated VPN usernames and passwords:

user1 p@ssw0rd1
user2 p@ssw0rd2

Start the OpenVPN server process:

systemctl start openvpn

Step 5 – Connect Client

Import the .ovpn profile on a remote client using the credentials. This creates an encrypted tunnel to access the private server IP ranges.

With authenticated remote access, individual admins can securely connect to Linux servers via the VPN tunnel and access private resources.

4. SSH Tunneling Port Forwarding

SSH tunnels allow pivoting through an intermediary server to reach private endpoints. This technique forwards traffic through an SSH connection to the remote network.

Step 1 – Set Up SSH Server

The intermediary server must first allow inbound SSH connections to establish tunnels:

# Install OpenSSH 
sudo apt install openssh-server

# Permit SSH in firewall
sudo ufw allow ssh

Step 2 – Start Local Port Forwarding

On the client, initiate an SSH tunnel specifying the local and remote endpoints:

# Forward local 8000 to remote 192.168.1.5:80 through ssh.example.com
ssh -L 8000:192.168.1.5:80 username@ssh.example.com

This forwards any local connection to port 8000 through the SSH tunnel out to the private IP and port 80 on the remote network.

Step 3 – Connect Through Tunnel

With the tunnel active, locally connect services to localhost:8000 and the traffic redirects through the encrypted SSH tunnel to the private resource running on 192.168.1.5.

Step 4 – (Optional) Make Persistent

Add entries to /etc/ssh/ssh_config to save canned tunnels for quick connections:

Host tunnel-dev
  Hostname ssh.example.com
  User username
  LocalForward 8000 192.168.1.5:80

Now simply running ssh tunnel-dev establishes the cached tunnel.

SSH port forwarding provides secure encoded access to internal Linux servers via an SSH pivot server externally available.

5. Using a Proxy Server

A proxy server acts as an intermediary for remote clients to tunnel through to internal network resources securely. This approach hides the private Linux server behind the proxy.

Step 1 – Set Up Proxy Server

Install a proxy server like Squid on a server with two network interfaces – one public and one internal:

sudo apt install squid

Bind it to the internal IP on a safe port, e.g. 3128:

http_port 192.168.1.75:3128

Step 2 – Configure Proxy Authentication

Edit /etc/squid/squid.conf to require proxy credentials:

auth_param basic program /usr/lib/squid/basic_ncsa_auth
auth_param basic children 5
auth_param basic realm squid
auth_param basic credentialsttl 2 hours
acl auth proxy_auth REQUIRED
http_access allow auth

This enforces username and password authentication to use the proxy server.

Step 3 – Add Firewall Rules

Permit the proxy port on the public network interface:

sudo ufw allow 3128/tcp

Step 4 – Connect Through Proxy

Install the proxy client certificate. Then connect remote clients to the public proxy IP on port 3128 using the credentials.

Traffic enters the proxy secured by authentication and tunnels to internal resources like private Linux servers.

Step 5 – (Optional) SSH Tunnel Proxy

Additionally tunnel proxy connections over SSH for added security on untrusted networks:

ssh -D 8080 username@proxy-server-public-ip

This opens a SOCKS tunnel on port 8080 reachable locally to tunnel and proxy through.

The proxy model allows secure remote Linux server access by tunneling connections through the intermediary server.

Key Benefits of These Remote Access Approaches

• Port forwarding provides basic port access while maintaining firewall security.
• Site-to-site VPNs extend the local network remotely through encrypted tunnels.
• Remote access VPNs use individual user logins to isolate access.
• SSH tunnels pivot through intermediary servers to reach private endpoints.
• Proxies provide an authenticated middleman for obfuscating traffic.

Combining methods like proxies over SSH maximizes security and flexibility for remote Linux management.

By understanding these 5 techniques, Linux administrators can safely enable remote server access despite intervening firewalls. Using industry-standard tools like OpenVPN and SSH, remote teams can stay securely connected and collaborate effectively.

Conclusion

Here is a summary of the main methods discussed:

• Port forwarding opens designated ports through the firewall for services like SSH.
• Site-to-site VPNs implement encrypted tunnels between entire networks.
• Remote access VPNs provide individual encrypted connections using credentials.
• SSH tunneling forwards traffic to internal IPs through intermediate servers.
• Proxy servers hide private resources behind authenticated intermediary access.

Practicing defense in depth by combining multiple methods prevents unauthorized remote entry while facilitating legitimate administrative access. As remote work and distributed server management grow, properly configuring access controls as outlined here is crucial for every Linux administrator.