In order to investigate a bug I was running into, I recently had to give my colleague ssh access to my laptop behind a firewall. The easiest way I found to do this was to create an account for him on my laptop, and setup a pagekite frontend on my personal server and a pagekite backend on my laptop.

Frontend setup

Setting up my server in order to make the ssh service accessible and proxy the traffic to my laptop was fairly straightforward.

First, I had to install the pagekite package (already in Debian and Ubuntu) and open up a port on my firewall by adding the following to both /etc/network/iptables.up.rules and /etc/network/ip6tables.up.rules :

-A INPUT -p tcp --dport 10022 -j ACCEPT

Then I created a new CNAME for my server in DNS:

pagekite.fmarier.org. 3600 IN CNAME fmarier.org.

With that in place, I started the pagekite frontend using this command:

pagekite --clean --isfrontend --rawports=virtual --ports=10022 --domain=raw:pagekite.fmarier.org:Password1

Backend setup

After installing the pagekite and openssh-server packages on my laptop and creating a new user account:

adduser roc

I used this command to connect my laptop to the pagekite frontend:

pagekite --clean --frontend=pagekite.fmarier.org:10022 --service_on=raw/22:pagekite.fmarier.org:localhost:22:Password1

Client setup

Finally, my colleague needed to add the folowing entry to ~/.ssh/config :

Host pagekite.fmarier.org CheckHostIP no ProxyCommand /bin/nc -X connect -x %h:10022 %h %p

and install the netcat-openbsd package since other versions of netcat don't work.

On Fedora, we used netcat-openbsd-1.89 successfully, but this newer package may also work.

He was then able to ssh into my laptop via ssh roc@pagekite.fmarier.org .

Making settings permanent

I was initially quite happy settings things up temporarily on the command-line, but it's also possible to persist these settings and to make both the pagekite frontend and backend start up automatically) at boot.

I ended up putting the following in /etc/pagekite.d/20_frontends.rc on my server:

#defaults isfrontend rawports=virtual ports=10022 domain=raw:pagekite.fmarier.org:Password1

as well as removing the following lines from /etc/pagekite.d/10_account.rc :

# Delete this line! abort_not_configured

before restarting the pagekite daemon using:

systemctl restart pagekite

Using mosh and pagekite

Mosh is a nice way to interface with ssh over high-latency netowrks. However, it's not possible to tunnel mosh directly through pagekited since pagekite only supports TCP.

I ended up with a hybrid setup where I don't have to expose the ssh service to the local network (and therefore remember to disable it when I'm done) but I do have to open a UDP port on my firewall for mosh.

First, I assigned a stable IP to my laptop on my router, based on its MAC address. I also had to disable MAC address spoofing in Network Manager (setting it to permanent).

This is what my /etc/NetworkManager/system-connections/Ethernet automatique config looks like:

[ethernet] cloned-mac-address=preserve [ipv4] method=auto [ipv6] addr-gen-mode=stable-privacy ip6-privacy=2 method=auto

Then I forwarded port 9000 (UDP) traffic to the static IP address above.