Using a Jump server
I logged into my home’s VPN from my mobile device and I needed to access my Pi but then I realised I could not because my Pi allowed incoming SSH traffic only from machines on a specific /24 subnet. At times like this, a jump server/host can act as a bridge.
The solution described here is by no means Enterprise grade. I wrote this to share the basic concept of Jump server with people who are unfamiliar with it.
That you know how to configure firewall.
What is a Jump server?
Imagine having 3 machines: A, B and C where the connectivity is as follows:
A --- B --- C
‘A’ cannot connect to ‘C’ directly; it needs to connect to ‘C’ through ‘B’.
‘B’ is the jump server in this case.
Is it necessary?
In a typical home network setup (without Jump server), the router on IPv4 is providing implicit firewall via NAT. If there is a flaw in it allowing machines behind the NAT firewall to be exposed directly to the outside world, you have no second line of defence.
How to implement Jump server?
Using the same scenario of A, B and C above:
- Configure firewall of ‘C’ to allow incoming connections on SSH port only from ‘B’.
- If ‘A’ were to do a port scan now, it cannot see the presence of SSH server running on ‘C’. Only ‘B’ can see it.
- From ‘A’, you now need to remote into ‘B’ and subsequently remote into ‘C’.