A VPN-less Teleworking Setup

November 16, 2020 - 2 min read
linux teleworking kubernetes

Working from home became frequent enough since March this year to justify an improved home work setup (both hardware and software).

Setting up a VPN would be an easy and obvious choice but this is currently not an option at work. Alternatively and after suggestions from multiple people a combination of ssh / proxy setup and a handy browser extension and the result is close enough.

Ignore all the GSSAPI* below if you don't require Kerberos or similar access.

SSH

Like most people most of my work requires access to the internal network. Without a VPN a configuration like the one below is a good option.

CanonicalDomains cern.ch
CanonicalizeHostname yes

Host *.cern.ch !IGNORE*.cern.ch !IGNOREOTHER*.cern.ch
    User MYUSER
    GSSAPIDelegateCredentials yes
    ProxyJump PROXYHOST.cern.ch

The important bit here is ProxyJump where we pass the host that serves as a sort of bastion host - we'll need a similar machine available and open externally.

As all connections get forwarded via this host, this next bit of config is very useful.

Host PROXYHOST PROXYHOST.cern.ch
    HostName PROXYHOST.cern.ch
    User MYUSER
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDNS yes
    DynamicForward 8011
    ExitOnForwardFailure no

The relevant bit is in the ControlMaster which will multiplex outgoing connections over a single connection - in this case our bastion host. Start a session to this host and keep it going and new sessions will speed up significantly, and will drop the need to do 2FA on every session (if 2FA is enabled in your bastion host).

We can check the control session status.

ssh -O check PROXYHOST
Master running (pid=3007)

and manually stop it - every now and then it might hang and need to be manually stopped, sometimes we might need to cleanup some defunct ssh processes as well.

ssh -O stop PROXYHOST

SOCKS Proxy

The second relevant directive above is DynamicForward which is setting up 8011 as a local port for a SOCKS Proxy. We can rely on it for the command line or browser - SwitchyOmega is a handy chrome extension.

Kubernetes

Last but not least a lot of my day is spent accessing internal Kubernetes clusters. Since Kubernetes 1.19 the kubectl client supports a proxy-url option taking a SOCKS proxy.

$ cat config
- cluster:
    certificate-authority-data: ...
    server: https://IPOFCLUSTER:6443
    proxy-url: socks5://localhost:8011

$ kubectl get pod

Alternatively we could:

export https_proxy=socks5://localhost:8011

which will do the job but is not ideal if we have a mix of internal and external (public cloud) clusters we need to deal with.