Tunnel : Proxy Jump Host : VPN-Over-SSH #266

Closed
isontheline opened this issue May 4, 2021 · 25 comments
@isontheline
Owner

isontheline commented May 4, 2021

Describe the feature
Ability to use a "wildcard" jump host from the tunnel feature.

Why?
Yet the Local Port Forwarding and Dynamic Port Forwarding are using the VPN in order to work.
But if we use a VPN (like Cisco, OpenVPN) then we can't use the LPF / DPF features.

So if we can use a Jump Host without using the VPN it would be great :)

What to do?

  • Keep LPF / DPF through VPN
  • Add a new tunnel feature : Proxy Jump Host (will not use VPN)
@isontheline isontheline added the ✨ enhancement New feature or request label May 4, 2021
@isontheline isontheline added this to the 14.17 - Trèfle milestone May 4, 2021
@isontheline isontheline self-assigned this May 4, 2021
@isontheline isontheline added this to To do in General via automation May 4, 2021
@isontheline isontheline changed the title from "Tunne : Jump Host" to "Tunnel : Jump Host" May 4, 2021
@isontheline isontheline mentioned this issue May 4, 2021
@isontheline isontheline removed this from To do in General May 4, 2021
@isontheline
Owner Author

Competitors

MobaXterm

image

@isontheline isontheline changed the title from "Tunnel : Jump Host" to "Tunnel : Proxy Jump Host" Jun 13, 2021
@isontheline
Owner Author

#263 (comment)

Will this feature allow you to do proxy jumps, such as connecting directly to an ssh client via another ssh client?

The following .ssh/config example illustrates what I mean:

Host myproxypi
 HostName myurl.com
 Port 8700
 User pi

Host pisrv 
 ProxyJump myproxypi
 HostName 192.168.1.100
 User pi
 Port 22

Thanks.

@admdly

admdly commented Sep 14, 2021

It would be great if there was some support for the ProxyJump directive / SSH jump hosts as they are a common method to provide access to LAN servers from the Internet.

What are the chances of this feature being implemented, and is there anything anyone can do to assist with this? Thanks! 🙏

@isontheline
Owner Author

Chance to have this feature implemented is near 100% because I need it too 😇
The only question is when it will be implemented 😢

It's not a hard task for the backend part but a little harder for the frontend part (connection errors, connection progress bar, etc.)

I would like also to implement a more generic way to customize connections by the use of #327 an SSH config file

@isontheline
Owner Author

Just one feature missing and it would be great

I use it occasionally, and it's very good. But in my case I'm missing the proxycommand to reach hosts behind a bastion. I hope this comment prompts some thought in that direction. Thanks for the work..

By volfoni69 on the App Store

@jcaude

jcaude commented Oct 13, 2021

Thx for considering this issue. I was just wondering if using ProxyJump, which is a recent feature of ssh, would also work with a gateway/bastion using an older (aka pre 7.3) version of ssh .. in any case we assume that at least the gateway/bastion is running netcat. Still, I'm not an ssh expert and didn't even know about ProxyJump. For my personal usage I will give it a try using my laptop to check if it works as expected with the bastion, and wait for an update on your side 👍

@isontheline
Owner Author

Hello Jean-Christophe @jcaude 👋

You're right ProxyJump is a newer way to establish bastion connections.

In fact ProxyCommand - used for bastion connection - could be used right now inside WebSSH :

  1. Add a Tunnel connection (it will be your bastion host)
  2. Inside "Port Forwarding" field just put a wildcard to setup a Dynamic Port Forwarding : *
  3. Save and launch the tunnel
  4. Launch any SSH or SFTP connection

Documentation about DPF is available here : https://webssh.net/documentation/help/networking/port-forwarding/#dynamic-port-forwarding

Could you test these steps?

Have a lovely day
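
For comparison, the OpenSSH client-side counterparts of the options discussed in this exchange (ProxyJump, ProxyCommand, dynamic port forwarding), as an added example that is not part of the thread and not WebSSH's own configuration. Host names, addresses and users are the ones quoted earlier in the thread; the `-w`, `-nc` and `-socks` aliases, local port 1080 and an OpenBSD-style `nc` on the client are assumptions.

```sshconfig
# Added example: OpenSSH client configuration (~/.ssh/config).
# The -w/-nc/-socks aliases and local port 1080 are assumptions.

# Bastion reachable from the Internet.
Host myproxypi
    HostName myurl.com
    Port 8700
    User pi

# 1) ProxyJump: needs an OpenSSH 7.3+ *client*. The bastion only has to allow
#    TCP forwarding (sshd AllowTcpForwarding); nothing extra runs on it.
Host pisrv
    HostName 192.168.1.100
    Port 22
    User pi
    ProxyJump myproxypi

# 2) Same hop for clients older than 7.3: stdio forwarding with -W.
#    Still no netcat on the bastion.
Host pisrv-w
    HostName 192.168.1.100
    User pi
    ProxyCommand ssh -W %h:%p myproxypi

# 3) Legacy form: the only variant that requires netcat on the bastion.
Host pisrv-nc
    HostName 192.168.1.100
    User pi
    ProxyCommand ssh myproxypi nc %h %p

# 4) Dynamic port forwarding: a SOCKS listener on the client, bound to
#    loopback so other machines on the local network cannot use it.
Host myproxypi-socks
    HostName myurl.com
    Port 8700
    User pi
    DynamicForward 127.0.0.1:1080
    ExitOnForwardFailure yes

# Reach the inner host through that SOCKS5 listener (OpenBSD-style nc assumed).
Host pisrv-socks
    HostName 192.168.1.100
    User pi
    ProxyCommand nc -X 5 -x 127.0.0.1:1080 %h %p
```

In all four variants the SSH session to the inner host is negotiated end to end from the client, so the bastion relays ciphertext only and no agent forwarding or private key on the bastion is needed.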

@isontheline isontheline changed the title from "Tunnel : Proxy Jump Host" to "Tunnel : Proxy Jump Host : VPN-Over-SSH" Oct 30, 2021
@isontheline
Owner Author

@admdly @jarrah31

Have you tried Dynamic Port Forwarding inside WebSSH's Tunnels?

@jcaude

jcaude commented Mar 24, 2022

Yes, just give it a try now and it works perfectly (I work differently right now..). The only issue I have now is local DNS entry within the bastion that are not available through the tunnel.. it's not a big deal because these are static @ip. But then everything is working fine (at least ssh). Thx for all ..
btw/ I have enroll to the webssh beta program ..

@jarrah31

Interesting! Thanks for notifying me to try this ProxyJump workaround.

Unfortunately something isn't quite working for me using this method. I can only test this on my Intel Mac version of WebSSH at the moment, so I'll try it on my iPhone/iPad later today.

What I've done so far is create a new Tunnel connection with the following settings:

Host: my.domain.com
Port: 3456
User: Pi
Private Key: id_rsa.txt
Port forwarding: *
Name: Proxy

After saving the changes, I click on this connection within Tunnel tab, and the status icon goes green.
Within the SSH tab, I have the following connection:

Host: 192.168.0.10
Port: 21
User: Pi
Private Key: id_rsa.txt
Name: Docker

When I click on this connection, the Connecting... popup window appears, but no connection is established.

My laptop is on a remote connection to home, so the Docker profile can't normally connect. Based on the instructions provided above, and given that the guide says "Dynamic Port Forwarding will forward all connections INSIDE WebSSH (SSH, SFTP) to a dynamic remote IP and port through your SSH server (aka bastion)", am I correctly assuming that Docker should be able to connect to 192.168.0.10 via the established "Proxy" connection? If so then this doesn't seem to work for me.

I'll be happy to try any testing or troubleshooting to help work out the problem.

@isontheline
Owner Author

@jcaude

> Yes, just give it a try now and it works perfectly (I work differently right now..).

Thank you a lot for your feedback!

> The only issue I have now is local DNS entry within the bastion that are not available through the tunnel.. it's not a big deal because these are static @ip.

Your need is to have connection' hostname (child) resolved by your local DNS server?

> But then everything is working fine (at least ssh). Thx for all ..

You're Welcome

> btw/ I have enroll to the webssh beta program ..

Thank you again 🙏

@isontheline
Owner Author

@jarrah31

> am I correctly assuming that Docker should be able to connect to 192.168.0.10 via the established "Proxy" connection? If so then this doesn't seem to work for me.

Yes the configuration you have shown seems good to me

Could you enable verbose logging in order to check further?

In order to enable verbose logging you can follow the steps :

  1. iOS Settings
  2. WebSSH
  3. Settings
  4. Log Level > Verbose
  5. Restart WebSSH
  6. Reproduce your action
  7. Find the log files inside iOS > Files > WebSSH

@jarrah31

Thanks @isontheline - is there an equivalent "Log Level -> Verbose" setting within the Intel Mac version of WebSSH? I can't test this on my phone at the moment.

I see within the app Settings there's "SSH Settings" and WebSSH Settings", but I can't find any verbose option within there.

@isontheline
Owner Author

@jarrah31 Yes you will find it here : Menu bar macOS > WebSSH > Settings

@jarrah31

Ah there it is - WebSSH Menubar -> Preferences. Thanks.

Sorry @isontheline, where are the log files kept? Tried looking within my home folder, hidden files, Library, Application Support. Searched my Mac for WebSSH too but it only found the .app file.

@isontheline
Owner Author

isontheline commented Mar 24, 2022

@jarrah31 You can locate the directory by launching WebSSH > mashREPL > pwd

Then use this folder location and access it through the Finder

@jarrah31

hah, I'd never have found it there - thanks!
So, next problem, can't seem to find any logs... :)
The base directory is: /Users/me/Library/Containers/com.itimeteo.webssh/Data. Within here we have:

CloudKit
Desktop -> ../../../../Desktop
Documents
Downloads -> ../../../../Downloads
Library
Movies -> ../../../../Movies
Music -> ../../../../Music
Pictures -> ../../../../Pictures
SystemData
tmp

Library folder appears to be the best bet because it actually has a Logs folder:

Application Scripts
Application Support
Audio -> ../../../../Audio
Caches
Calendars -> ../../../../Calendars
ColorPickers -> ../../../../ColorPickers
ColorSync -> ../../../../ColorSync
Colors -> ../../../../Colors
Components -> ../../../../Components
Compositions -> ../../../../Compositions
Cookies
Dictionaries -> ../../../../Dictionaries
Favorites -> ../../../../Favorites
Filters -> ../../../../Filters
FontCollections -> ../../../../FontCollections
Fonts -> ../../../../Fonts
Images
Input Methods -> ../../../../Input Methods
KeyBindings -> ../../../../KeyBindings
Keyboard Layouts -> ../../../../Keyboard Layouts
Keychains -> ../../../../Keychains
Logs
Mail -> ../../../../Mail
PDF Services -> ../../../../PDF Services
Preferences
QuickLook -> ../../../../QuickLook
Saved Application State
Sounds -> ../../../../Sounds
Spelling -> ../../../../Spelling
WebKit

Logs is empty though:

➜  Logs ls -al
total 0
drwx------   2 me  staff    64 13 Sep  2021 .
drwx------  32 me  staff  1024 13 Sep  2021 ..
➜  Logs pwd
/Users/me/Library/Containers/com.itimeteo.webssh/Data/Library/Logs
➜  Logs

Confirmed that Verbose logging is enabled:
image
I've checked the other folder but had no luck finding the logs.

On another note, I tried this on my phone and it did indeed work ok. However I noticed that it worked by setting up a VPN profile on the phone. Does the Intel Mac version try to do the same? I didn't see any messages asking me to add WebSSH to VPN Configuration on the Mac like it does here on the phone:
image

@isontheline
Owner Author

@jarrah31

  1. Have you restarted (killed) WebSSH after choosing verbose logging?
    Log file should be here :

image

  2. VPN-Over-SSH is only available on iOS. On macOS there is no need to add VPN profile in order to work properly.

Please come back to me at any time

Have a nice day ☀️

@isontheline isontheline modified the milestones: 17 - Shell, 18 - Honeybee Mar 25, 2022
@jarrah31

A restart of WebSSH is what I was missing! Logs now appear within Documents as you described. :)

Tested this at home today and found the connection to 192.168.0.10 only works when on my local network (with or without the tunnel). When I connect externally (via my phone's data connection), the tunnel link works but the subsequent connection to 192.168.0.10 doesn't.

2022/03/26 13:40:47:987 [VERBOSE] not launched
2022/03/26 13:40:48:099 [VERBOSE] Want to connect with a Private Key
2022/03/26 13:40:48:099 [VERBOSE] Private Key is encrypted : 1
2022/03/26 13:40:48:099 [VERBOSE] Load Private Key in OpenSSH Format
2022/03/26 13:40:48:223 [VERBOSE] Launching connection...
2022/03/26 13:40:48:223 [VERBOSE] Connecting to TUNNEL...
2022/03/26 13:40:57:117 [DEBUG] Fetching from iCloud with a change token
2022/03/26 13:41:00:479 [VERBOSE] Is now connected to TUNNEL
2022/03/26 13:41:00:479 [VERBOSE] Fresh requested for connection list...
2022/03/26 13:41:00:671 [DEBUG] iCloud data fetched with success.
2022/03/26 13:41:07:984 [VERBOSE] Want to connect with a Private Key
2022/03/26 13:41:07:984 [VERBOSE] Private Key is encrypted : 1
2022/03/26 13:41:07:984 [VERBOSE] Load Private Key in OpenSSH Format
2022/03/26 13:41:08:111 [VERBOSE] Launching connection...
2022/03/26 13:41:08:111 [VERBOSE] Connecting to SSH...
2022/03/26 13:41:08:111 [VERBOSE] Launching connection with block...
2022/03/26 13:41:08:112 [VERBOSE] Won't dismiss prompt because no one is displayed.
2022/03/26 13:41:12:119 [DEBUG] Fetching from iCloud with a change token
2022/03/26 13:41:14:843 [DEBUG] iCloud data fetched with success.
2022/03/26 13:41:27:119 [DEBUG] Fetching from iCloud with a change token
2022/03/26 13:41:28:195 [DEBUG] iCloud data fetched with success.
2022/03/26 13:41:42:119 [DEBUG] Fetching from iCloud with a change token
2022/03/26 13:41:42:486 [DEBUG] iCloud data fetched with success.
2022/03/26 13:41:57:119 [DEBUG] Fetching from iCloud with a change token
2022/03/26 13:41:59:419 [DEBUG] iCloud data fetched with success.
2022/03/26 13:42:10:838 [VERBOSE] <SSHLog>
  <Connect_Ssh>
    <SSHVersion>9.5.0.88</SSHVersion>
    <connectInner>
      <hostname>192.168.0.10</hostname>
      <port>22</port>
      <sshConnect>
        <connectSocket>
          <connect_ipv6_or_ipv4>
            <error>timeout waiting for connect to complete;</error>
            <timeoutMs>60000</timeoutMs>
            <failedWaitToConnect>Socket operation timeout.</failedWaitToConnect>
          </connect_ipv6_or_ipv4>
        </connectSocket>
        <error>Failed to establish initial TCP/IP connection</error>
        <hostname>192.168.0.10</hostname>
        <port>22</port>
      </sshConnect>
    </connectInner>
    <error>Failed.</error>
  </Connect_Ssh>
</SSHLog>
2022/03/26 13:42:10:947 [VERBOSE] Dismissing prompt...
2022/03/26 13:42:12:120 [DEBUG] Fetching from iCloud with a change token
2022/03/26 13:42:12:548 [DEBUG] iCloud data fetched with success.
2022/03/26 13:42:12:861 [VERBOSE] Error : Can not establish connection to 192.168.0.10
2022/03/26 13:42:27:120 [DEBUG] Fetching from iCloud with a change token
2022/03/26 13:42:27:500 [DEBUG] iCloud data fetched with success.

@isontheline
Owner Author

@jarrah31

Some relevant log lines should be there in your report but I don't find them, perhaps an older release (or a bug on my side).

Could you give me your WebSSH build number?

@jarrah31

Really sorry, I should know that the first rule of thumb is to always upgrade to the latest version before saying something doesn't work!

I was on v17.0, so upgraded to 17.3 and now it all works. :)

Thank you for being patient, and for producing such an excellent SSH app! Finally - a proper Putty for macOS alternative!

@isontheline
Owner Author

@jarrah31 Don't worry, you're Welcome!

Thank you again for your feedback about WebSSH usage 👍

> Finally - a proper Putty for macOS alternative!

🙏 You have made my day

@jarrah31

Just a little suggestion for future new WebSSH users, could you make a note on your "Dynamic Port Forwarding" help pages that says this is a ProxyJump alternative please? (perhaps it could say (aka Bastion or ProxyJump))

@isontheline
Owner Author

@jarrah31 This could be an alternative but I've just created an issue for the "true" jump feature : Jump and multi-jumps

May I ping you when this new jump feature will be ready?

@jarrah31

Yes please, that would be great! Thanks!

@jarrah31 jarrah31 mentioned this issue Mar 28, 2022