User transparent SSH multihop

Question

What I have is the same as this question SSH tunnel through two servers to access a web service on port 9091 (mainly because I asked that question).

But the difference now is that I'm accessing it from a Chromebook which cannot use ProxyCommand. All it got is the base NaCl shell running in a sandboxed Chrome tab.

• This is the "shell app" that runs it: https://chrome.google.com/webstore/detail/secure-shell/pnhechapfaindjhompbnflcldabbghjo?utm_source=chrome-app-launcher-info-dialog

• This is the FAQ with complete information about it. https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/faq.txt

So a review from my previous question:

I got 3 machines:

• remotePi (raspberry PI, somewhere in the world)
• localPi (another raspberry PI, in my local network, I have full access to it, including root, no monitor, no kb, running as headless server)
• Chromebook (my local machine, which is a Chromebook on the same local network as localPi, limited but does have the SSH as per links above).

remotePi have a constant SSH tunnel to localPi, it does it by calling the following command

ssh -N -R 16864:localhost:22 -p 2222 <user_on_lan>@<external_lan_ip>

I can access remotePi terminal by doing

Chromebook> ssh <user_on_localPi>@<localPI_ip>
localPi> ssh -l <user_on_remotePi> -p 16846 localhost

And in remotePi I have a daemon service (web interface) listening on 9091.

a "drawing" of everything:

                                   16864:tunnel:22   9091:service
Chromebook <--local_net--> localPi  <--internet-->  remotePi

So what I need is:

Access the daemon service web interface in remotePi by calling on my Chromebook browser 127.0.0.1:9091/web/

On my previous computer (shown on the linked question, ubuntu laptop) I was doing it by using ProxyCommand on my config and calling ssh -L9091:localhost:9091 user_on_remotePi@remotePi -N, but now I'm on a Chromebook that can't use it and I believe there must be a way to do it anyway.

So I was wondering about 2 possible solutions:

1. some very clever and long SSH command that will "replace" what the ProxyCommand was doing. I always see this on tutorials like that LINK but it always relies on host name, I only have the port 16864 to connect to.

2. (preferred) add some magic to the localPi SSH config which will make it listen on some non-standard port (say 2222) and auto-redirect that connection to user_on_remotePi:localhost:16864. So then, when I call from Chromebook ssh user_on_localPI -p 2222 localPi_ip, then the localPi will redirect this to the correct user directly on remotePi.

As you can noticed I'm a bit of a network newbie, my main expertise in app development, so any help here I'll be extremely grateful.

Any ideas?

Answer 1

we got there in the chat

LocalPi>ssh -L *:5678:127.0.0.1:9091  remoteuser@127.0.0.1 -p 16864

then on chromebook, http://localpi_IP:5678

So the remote pi had done an SSH -R creating port 16864 on the localpi.

He was already able to get a terminal to his raspberry pi, doing localpi>ssh remoteuser@127.0.0.1 -p 16864 We added a -L to open port 5678 on his localpi, so he can then connect from a device e.g. chromebook, to his localpi, which goes to his remotepi which forwards to a web server on itself/his remote pi.

So there are two ssh commands in total. The one from his remote pi to his localpi. And one from his localpi to his remotepi.

We just amended the second one, the one from his localpi to his remotepi. To tunnel to a web server on his remote pi.

It is actually tunneling through a tunnel.