Just Enough Developed Infrastructure

SSH access to your VMware machines behind NAT

In our virtual test lab, we have only one official internal IP and we use NAT for our virtual machines. As described in "using apache as a reverse proxy to access tomcat in virtual-machines", it is easy to set up an HTTP proxy to reach the web services on the virtual machines as well. But developers need more than HTTP access; they want to SSH into their virtual machines.
VMware's standard solution is to map the SSH ports behind the NAT to ports on the VMware Server machine using /etc/vmware/vmnet8/nat/nat.conf. While this works, for each machine you need to edit this NAT file and then restart VMware so that it rereads the file. Here we propose another solution using Apache as a proxy for SSH access.
Our setup looks like this: developers have PuTTY and WinSCP and want to connect to Virtual Machine 1 and 2.

Developers         ---->   Vmware Server ----> Virtual Machine 1
 Putty, WinSCP               Apache                  SSHD (ip-vm1)
                              with       ----> Virtual Machine 2
                            Mod_Proxy                SSHD (ip-vm2)
                           (ip-server)
To set up Apache as a reverse proxy you need to have mod_ssl installed.

# yum install mod_ssl
Create a file ssh-proxy.conf in /etc/httpd/conf.d/

<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ProxyRequests On
    ProxyVia On

    # Add ports you want to be able to connect to through your proxy here
    AllowCONNECT 22

    DocumentRoot /var/www/html
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    ErrorLog /var/log/httpd/proxy-error.log
    TransferLog /var/log/httpd/proxy-transfer.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel notice
</VirtualHost>

Activate the proxy_module and proxy_connect_module in your /etc/httpd/httpd.conf:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
Now you can restart Apache, and the proxy should be running:

# apachectl restart
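
With ProxyRequests On this virtual host relays requests for any client that can reach it, and AllowCONNECT restricts only the destination port, so proxy-transfer.log is where you check who tunnels to where. The Python below is an added example, not part of the original post: it assumes the log is in Common Log Format and that ip-vm1 and ip-vm2 are the only intended destinations, and its sample lines are constructed.

```python
import re
from collections import Counter

# Assumed policy: the page's placeholder VM names and the AllowCONNECT port.
ALLOWED_HOSTS = {"ip-vm1", "ip-vm2"}
ALLOWED_PORTS = {22}

# TransferLog writes Common Log Format unless a LogFormat says otherwise:
# client ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$')

def audit(lines):
    """Return (findings, sessions): off-policy proxy use and SSH tunnels per client."""
    findings, sessions = [], Counter()
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # unparsable entry, e.g. a timeout logged as "-"
        client, target, status = m["client"], m["target"], int(m["status"])
        if m["method"] == "CONNECT":
            host, _, port = target.rpartition(":")
            on_policy = (host in ALLOWED_HOSTS and port.isdigit()
                         and int(port) in ALLOWED_PORTS)
            if not on_policy:
                findings.append((client, "connect-off-list", target, status))
            elif status == 200:
                sessions[client] += 1
        elif "://" in target:
            # ProxyRequests On also relays plain HTTP; AllowCONNECT does not limit it.
            findings.append((client, "http-forward", target, status))
    return findings, sessions

# Constructed sample lines (private and documentation addresses), not real log data.
SAMPLE_LOG = """\
10.1.1.20 - - [12/Mar/2010:09:14:02 +0100] "CONNECT ip-vm1:22 HTTP/1.1" 200 -
10.1.1.21 - - [12/Mar/2010:09:15:40 +0100] "CONNECT ip-vm2:22 HTTP/1.1" 200 -
10.1.1.20 - - [12/Mar/2010:09:20:11 +0100] "CONNECT ip-vm1:22 HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2010:10:02:33 +0100] "CONNECT 192.0.2.50:22 HTTP/1.0" 200 -
198.51.100.7 - - [12/Mar/2010:10:02:35 +0100] "CONNECT 192.0.2.50:25 HTTP/1.0" 403 211
198.51.100.7 - - [12/Mar/2010:10:02:39 +0100] "GET http://example.com/ HTTP/1.1" 200 1270
""".splitlines()

if __name__ == "__main__":
    findings, sessions = audit(SAMPLE_LOG)
    for finding in findings:
        print("REVIEW", *finding)
    print("tunnels per client:", dict(sessions))
```

A finding with status 200 means the proxy served the request; 403 means Apache refused it, which is what AllowCONNECT does for a port that is not listed.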
To use it with PuTTY (as described in http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter4.html#config-proxy):

  • Create a connection as usual to connect to ip-vm1
  • Set the proxy for this connection to: type = HTTP, proxy = ip-server, port = 443
To use it with WinSCP (as described in http://winscp.net/eng/docs/ui_login_proxy):
  • Create a connection as usual to connect to ip-vm1
  • Set the proxy for this connection to: type = HTTP, proxy = ip-server, port = 443
To use it with command-line ssh (on Mac OS X): http://blog.strotos.com/?p=15
  • compile corkscrew with: ./configure -host=apple; make; make install
  • adapt your .ssh config file (~/.ssh/config):
    • Host ip-vm1
    • Hostname namefor-ip-vm1
    • ProxyCommand /usr/local/bin/corkscrew ip-server 443 %h %p