I use SSH with port forwarding for secure remote access. For me it’s better than using a VPN. Here are my reasons why:
- Clear visibility on what’s happening on the network. You control what happens.
- Easy configuration of IP ports and addresses. Single config file for OpenSSH client.
- Asymmetric, i.e. client-server model. Better suited for remote access.
- Public/Private key based security setup. No PKI needed.
- User space client.
- No encapsulation, only encryption overhead on the payload.
The biggest downside is that you cannot forward UDP ports. There’s no such thing as a free lunch. There are workarounds for this limitation, such as using netcat for bridging an UDP stream to TCP. But if UDP is really needed for your remote application, I would go with a VPN.
One setup is using a Raspi oder Beaglebone as small always on unix node, a jump host. Only the OpenSSH package is needed, and best to hook up the jump host via ethernet. Then configure port forwarding on you router. Don’t use port 22 but some random 5 digit number that’s not used by provider services like VoIP or remote config/update. Next you should secure SSH access by disabling password authentication, leaving key based authentication as only authentication method. Then generate a key pair, (for example rsa with 2048 key length) with a password on the private key, using the openssl tool. The private key stays with you, the public key goes into the file authorised_keys on the jump host. This file is stored in the .ssh folder of the user account that you use to login into the jump host. Don’t use the root account, and if you are paranoid on security, create a random user account like “jkshTYRMBNPOyeyajkSB67767” (max. 32 characters).
On the client side, you can use PuTTY on windows and of course ssh on unixes. Unfortunately, PuTTY does not understand RSA keys generated with openssl. Use the tool puttygen that comes with PuTTY to convert your private key to PuTTY’s PPK format.
In the PuTTY GUI, you can define all your port forwarding rules. For example, I can access my Fritz box by local port forwarding 127.0.0.1:10080 to 192.168.1.1:80. With default OpenSSH settings, you can define all your forwarding rules on the client.
Sounds complicated? Maybe. But it will only cost you the jump host hardware and setup is a one time action. And you learn a lot too. Connecting involves starting PuTTY, and pressing open. All forwarding rules will then become active. Then start your client application using the port numbers configured in PuTTY. You have to do some port number administration though..