Tabletop Fire Pit with Smores Maker Kit Portable Indoor/Outdoor Mini Small Fireplace Table Top Decor Home Patio Gifts for Women Mom Her Wedding Housewarming Christmas Birthday White Elephant Gift
26% OffAeroBand Electronic Drum Set PocketDrum2 MAX(2024 Version), Air Drum Sticks & Pedals & Bluetooth Adapter, Play Drum Anywhere Anytime, 8 Tones and USB Midi Kids Adult Drummer Gift (Earphone Included)
$179.00 (as of December 4, 2024 20:35 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)Remote accessing a Linux server from the internet allows conveniently managing it from anywhere. However, servers protected behind a firewall prevent direct external remote access for security.
This guide explains 5 methods to remotely access a Linux machine while keeping it safely secured behind a firewall. Port forwarding, VPNs, SSH tunneling, and proxy servers enable secure administrative server access for Linux administrators and teams.
Overview of Remote Accessing a Linux Server Behind a Firewall
A firewall blocks all inbound connections to privately hosted servers for protection. Publicly exposing a Linux server is dangerous without authenticated access controls.
5 main techniques enable remote access without sacrificing server security:
1. Port Forwarding – Opens specific firewall ports to allow controlled administrative access.
2. Site-to-Site VPN – Create an encrypted VPN tunnel from the client to the server network.
3. Remote Access VPN – Connect via VPN client to the server’s network for access.
4. SSH Tunneling – Encrypted SSH tunnel to securely relay remote traffic.
5. Proxy Server – Intermediary proxy directs inbound remote connections.
Below we explore configurations and examples of each method using common Linux tools for sysadmin access.
1. Port Forwarding for Linux Server Remote Access
Opening ports in a firewall using port forwarding allows limited remote traffic to securely reach servers. This grants external access to required network services and applications running on the Linux system.
For a Linux server, enabling SSH on port 22 is a common technique:
Step 1 – Assign Static LAN IP Address
Configure the server’s network interface with a fixed internal IP address. Edit /etc/netplan/config.yaml
:
network:
version: 2
ethernets:
eno1:
addresses:
- 192.168.1.100/24
gateway4: 192.168.1.1
JavaScriptApply this static IP address:
sudo netplan apply
JavaScriptStep 2 – Enable SSH Server
Install OpenSSH server if needed:
sudo apt install openssh-server
JavaScriptAllow SSH through the default 22 port in the firewall:
sudo ufw allow ssh
JavaScriptStep 3 – Set Up Port Forwarding Rule
On the firewall device, create a port forwarding rule mapping a public port to the Linux server address and SSH port:
Public Port: 9051
Forward to: 192.168.1.100 Port 22
JavaScriptThis forwards remote SSH traffic from port 9051 to the server.
Step 4 – SSH to Remote Server
Now remotely connect to the public IP and forwarded port:
ssh user@public_ip -p 9051
JavaScriptPort forwarding enables convenient remote SSH access to the secured Linux server from anywhere.
2. Site-to-Site VPN Tunnel for Remote Access
A site-to-site VPN extends the server’s private LAN to external client locations. Traffic enters the VPN tunnel encrypted end-to-end, bypassing the public internet:
Step 1 – Configure Linux VPN Server
Install a VPN server like OpenVPN and generate certificates for the VPN instance:
sudo apt install openvpn easy-rsa
# Initialize PKI
sudo make-cadir ~/openvpn-ca
# Generate CA cert and key
sudo bash -c "source ~/openvpn-ca/vars && ./clean-all && ./build-ca --batch"
# Generate server certs
sudo bash -c "source ~/openvpn-ca/vars && ./build-key-server server"
JavaScriptThis handles all the VPN certificate creation.
Step 2 – Configure VPN Server Config
Define the VPN network details at /etc/openvpn/server.conf
. For example:
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
topology subnet
JavaScriptThis specifies 1194 as the listening port, the VPN IP range, certificates, and other parameters.
Step 3 – Configure Linux Firewall
Open required ports for OpenVPN in the firewall:
sudo ufw allow OpenSSH
sudo ufw allow 1194/udp
JavaScriptStep 4 – Start OpenVPN Server
Start the VPN server process:
sudo systemctl start openvpn-server@server
JavaScriptThe site-to-site VPN tunnel is now ready for clients to join.
Step 5 – Connect VPN Clients
On the client, import the .ovpn
profile with credentials. Then initiate the VPN connection to tunnel traffic to the server LAN through the VPN interface tun0
.
With end-to-end encryption, remote clients can securely access the private Linux server like on a local private network.
3. Remote Access VPN for Individual Connection
A remote access VPN uses individual user credentials to authenticate connecting from external locations. This allows securing and isolating remote access to the needed Linux server via the VPN tunnel.
Here is how to configure remote authentication for users:
Step 1 – Install VPN Server
For Linux, OpenVPN is a great open-source VPN option. Install it:
sudo apt install openvpn
JavaScriptStep 2 – Create CA and Certificates
Use easy-rsa
to generate the root CA certificate and client/server certificates. This handles authentication and encryption.
# Initialize PKI CA
make-cadir ~/openvpn-ca
# Generate Root CA
source ~/openvpn-ca/vars
./clean-all
./build-ca
# Client and server certificates
./build-key client
./build-key server
JavaScriptThis creates ~/openvpn-ca/keys/
holding private keys, issued certs, and CA cert.
Step 3 – Configure server. conf
Define the OpenVPN server configuration at /etc/openvpn/server.conf
:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
JavaScriptThis specifies important parameters like protocol, port, IP ranges, certificates, and keepalive settings.
Step 4 – Configure User Authentication
Update /etc/openvpn/auth.txt
to define authenticated VPN usernames and passwords:
user1 p@ssw0rd1
user2 p@ssw0rd2
JavaScriptStart the OpenVPN server process:
systemctl start openvpn
JavaScriptStep 5 – Connect Client
Import the .ovpn
profile on a remote client using the credentials. This creates an encrypted tunnel to access the private server IP ranges.
With authenticated remote access, individual admins can securely connect to Linux servers via the VPN tunnel and access private resources.
4. SSH Tunneling Port Forwarding
SSH tunnels allow pivoting through an intermediary server to reach private endpoints. This technique forwards traffic through an SSH connection to the remote network.
Step 1 – Set Up SSH Server
The intermediary server must first allow inbound SSH connections to establish tunnels:
# Install OpenSSH
sudo apt install openssh-server
# Permit SSH in firewall
sudo ufw allow ssh
JavaScriptStep 2 – Start Local Port Forwarding
On the client, initiate an SSH tunnel specifying the local and remote endpoints:
# Forward local 8000 to remote 192.168.1.5:80 through ssh.example.com
ssh -L 8000:192.168.1.5:80 username@ssh.example.com
JavaScriptThis forwards any local connection to port 8000 through the SSH tunnel out to the private IP and port 80 on the remote network.
Step 3 – Connect Through Tunnel
With the tunnel active, locally connect services to localhost:8000
and the traffic redirects through the encrypted SSH tunnel to the private resource running on 192.168.1.5
.
Step 4 – (Optional) Make Persistent
Add entries to /etc/ssh/ssh_config
to save canned tunnels for quick connections:
Host tunnel-dev
Hostname ssh.example.com
User username
LocalForward 8000 192.168.1.5:80
JavaScriptNow simply running ssh tunnel-dev
establishes the cached tunnel.
SSH port forwarding provides secure encoded access to internal Linux servers via an SSH pivot server externally available.
5. Using a Proxy Server
A proxy server acts as an intermediary for remote clients to tunnel through to internal network resources securely. This approach hides the private Linux server behind the proxy.
Step 1 – Set Up Proxy Server
Install a proxy server like Squid on a server with two network interfaces – one public and one internal:
sudo apt install squid
JavaScriptBind it to the internal IP on a safe port, e.g. 3128:
http_port 192.168.1.75:3128
JavaScriptStep 2 – Configure Proxy Authentication
Edit /etc/squid/squid.conf
to require proxy credentials:
auth_param basic program /usr/lib/squid/basic_ncsa_auth
auth_param basic children 5
auth_param basic realm squid
auth_param basic credentialsttl 2 hours
acl auth proxy_auth REQUIRED
http_access allow auth
JavaScriptThis enforces username and password authentication to use the proxy server.
Step 3 – Add Firewall Rules
Permit the proxy port on the public network interface:
sudo ufw allow 3128/tcp
JavaScriptStep 4 – Connect Through Proxy
Install the proxy client certificate. Then connect remote clients to the public proxy IP on port 3128 using the credentials.
Traffic enters the proxy secured by authentication and tunnels to internal resources like private Linux servers.
Step 5 – (Optional) SSH Tunnel Proxy
Additionally tunnel proxy connections over SSH for added security on untrusted networks:
ssh -D 8080 username@proxy-server-public-ip
JavaScriptThis opens a SOCKS tunnel on port 8080 reachable locally to tunnel and proxy through.
The proxy model allows secure remote Linux server access by tunneling connections through the intermediary server.
Key Benefits of These Remote Access Approaches
- Port forwarding provides basic port access while maintaining firewall security.
- Site-to-site VPNs extend the local network remotely through encrypted tunnels.
- Remote access VPNs use individual user logins to isolate access.
- SSH tunnels pivot through intermediary servers to reach private endpoints.
- Proxies provide an authenticated middleman for obfuscating traffic.
Combining methods like proxies over SSH maximizes security and flexibility for remote Linux management.
By understanding these 5 techniques, Linux administrators can safely enable remote server access despite intervening firewalls. Using industry-standard tools like OpenVPN and SSH, remote teams can stay securely connected and collaborate effectively.
Conclusion
Here is a summary of the main methods discussed:
- Port forwarding opens designated ports through the firewall for services like SSH.
- Site-to-site VPNs implement encrypted tunnels between entire networks.
- Remote access VPNs provide individual encrypted connections using credentials.
- SSH tunneling forwards traffic to internal IPs through intermediate servers.
- Proxy servers hide private resources behind authenticated intermediary access.
Practicing defense in depth by combining multiple methods prevents unauthorized remote entry while facilitating legitimate administrative access. As remote work and distributed server management grow, properly configuring access controls as outlined here is crucial for every Linux administrator.