SSH via http(s) to create reverse ssh "local" access

I have an RPi (Debian v11, running a small web app) on a LAN which is double NAT’d/proxied and over which I have no control, and I would like to be able to SSH/VNC to it (nothing malicious - I rent a space there and want to access the RPi to put .html/.mp3 files onto it from home. My alternative is to create a small WiFi LAN of my own on site and then do the SSH-out as “normal”, but if I don’t have to, that’ll be better).

I wanted to create a reverse ssh tunnel to my VPS which I can control, but they seem to have locked up all non-web/mail ports too. Since I can’t see what traffic goes where, I don’t know what is blocked or how, but I’m guessing that they use a proxy system and some blocks too. APT works fine, but SSH in/out fails.

On my VPS I have HAproxy listening for web requests on 80/443 which get routed via SNI.

My question is…

  • could I use SSH via 80/443 (or perhaps 25/110/143/587/993/995)… then direct traffic according to the incoming SNI…to a separate port (eg. 12322), so that I can SSH to that vpsIP:12322 to gain “local” access?
  • vpsIP=1.2.3.4 and SSH listens on say 22123 (although I am not sure if this is needed since I’m not actually doing any ssh on the VPS, and/or whether a user@VPS is needed?)
  • vpsHAproxy would need a backend which is sending the 443 traffic to 1.2.3.4 port 12322 ??
    • can the SNI be found from the ssh request (I can add a DNS pointer for a subdomain if required/recommended)?

On the RPi:

ssh -R 1.2.3.4:443:localhost:22 -NT [userOnVPS@1.2.3.4 -p 22123]

On myPC I would then run:

ssh userOnVPS@1.2.3.4 -p 12322
#or
vncviewer 1.2.3.4:12322

So in effect…

  • RPi(443) → (ssh>)1.2.3.4:443 → HAproxy[443 → 12322(<sshREVlistener)]

and then

  • myPC → ssh 1.2.3.4:12322

Or am I just being overly optimistic?
Any sample config that’s similar would be appreciated.
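
On the question of whether an SNI can be found in an SSH request: the added example below (not part of the original post) classifies the first bytes a listener on port 443 receives. A raw SSH connection opens with the plaintext `SSH-` identification string and carries no SNI; SNI exists only as an extension inside a TLS ClientHello. The function names, the host name `ssh.example.org` and the sample bytes are constructed for illustration.

```python
import struct

def _sni_from_client_hello(body: bytes):
    """Walk a ClientHello body and return the server_name extension value, if any."""
    pos = 34                                            # client_version (2) + random (32)
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0:                               # server_name extension
            name_len = struct.unpack_from("!H", body, pos + 3)[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

def classify_first_bytes(data: bytes):
    """Return ("ssh", banner), ("tls", sni_or_None) or ("unknown", None)."""
    if data.startswith(b"SSH-"):                        # SSH identification string
        return "ssh", data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    # TLS record type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return "unknown", None
    try:
        return "tls", _sni_from_client_hello(data[9:])  # skip record + handshake headers
    except (IndexError, struct.error):
        return "tls", None                              # truncated or extension-less hello

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal ClientHello carrying one SNI name (sample input, not a capture)."""
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    samples = [b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n",    # constructed SSH banner
               build_client_hello("ssh.example.org"),    # constructed TLS hello
               b"GET / HTTP/1.1\r\n"]                    # plain HTTP, neither
    for sample in samples:
        print(classify_first_bytes(sample))
```
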