SSH on private IP to Digital Ocean Droplet

January 16, 2018
Applications Networking CentOS

Hello everyone,

Server:

  • a CentOS 7 Droplet with a public IP on eth0 & private IP on eth1

SSH Clients on my home computer which I use to connect using SSH keys

  • MobaXterm on Windows 7 or
  • VirtualBox CentOS 7 VM

Now the situation is as follows

  1. My home computer's public WAN IP address is changed automatically via DHCP by my ISP about once a week or so.

  2. On the server, I'm firewalling (hereafter referring to it as the Firewall-layer for simplicity) as below:

DigitalOcean Cloud firewall --> server firewall IPTables --> TCPWrappers layer

  3. By observing a pattern in my public IP subnets over a period of time, I've used them to determine my ISP's AS number via this and I have white-listed a few of them in my Firewall-layer (strangely, they repeat in a random order & are restricted to the same 3-4 subnets, each with the CIDR /22, hence the pattern).

  4. Now, in the event that my public WAN IP changes, I momentarily lose access to my server since TCPWrappers prevents me from accessing it.

  5. The workaround I use is to take console access of my Droplet & un-comment only the public IP subnet belonging to my current WAN IP address, leaving the others commented, which I un-comment as soon as the above recurs.

  6. To fix this, I can either:
     Leave all the entries in the TCPWrappers un-commented so as to avoid the hassle, but as much as I understand, I strongly feel it is wrong as a security best practice,

therefore the alternative, OR

  7. I'm thinking of writing a bash script that would run on my VirtualBox VM, which would detect my current outgoing WAN IP address using a simple cURL call & use it to modify the TCPWrappers & IPTables on my Droplet as explained in the workaround above.

  8. But for it to work, I'd need to be able to SSH onto my Droplet via its private IP on eth1, which is what I've been tinkering with but have been unable to find an ideal way to do so, until now.

Could someone please guide me on the ideal way to achieve this?

Do let me know if any additional information would be required, in case I may have missed something out.

2 Answers

Your private IP is only reachable from other servers in the same datacenter (and soon, only from other servers in the same datacenter on the same account).

It sounds like you're trying to reach your private IP from the outside - that won't work.

  • Hi @unilynx, I agree with you that my private IP won't be reachable from outside since those aren't routable addresses, and also with the fact that private networking in DO isn't actually private since other IPs in that datacenter can access mine, which will change with the advent of VPCs as far as I know, right?

    What I meant in my question was: is there some kind of NAT / port forwarding (via IPTables or Firewalld; this is what I've been trying to do but couldn't get the right configuration) that I could do so as to connect to my droplet via its private IP?

    Or using something like OpenVPN?

DigitalOcean doesn't offer those services. You would have to build a second droplet which would host the VPN or your port forwarding, but then your problem is securing that second droplet.

Have you considered using DO's firewall instead of setting it up on the droplet yourself? You can control that through the DO web interface (and secure that using 2FA if you wish) or use 'doctl' to programmatically control it.

That way, you don't have to rely on the firewall on your droplet at all, and only need to trust DO to secure its own web interface. But you have to trust that anyway.

  • @unilynx: Yes, I'm using the DigitalOcean firewall (secured with 2FA) as mentioned above.

    Please note: my problem isn't the firewall or a breach in access via the public IP from the outside world, but it's more about having an alternate way (using the private IP) to reach my droplet (other than the Console), which would be handy in case my public IP is null-routed, under DDoS protection, or unreachable for some other issue.

    Do let me know if that simplifies my query or if something else is needed :)

    • You can't reach the private IP other than by starting a second droplet in the same datacenter.

      I think some datacenter providers offer a VPN service that allows you to connect to your private IPs, but as far as I know DO doesn't offer that.
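The asker's idea of a script that detects the current WAN IP and re-points the SSH allow rule, combined with the answer's suggestion to drive the DigitalOcean cloud firewall through doctl, as an added example that is not code from this thread. It assumes a placeholder firewall id, a hypothetical state-file path, api.ipify.org as the IP lookup service, and the doctl inbound-rule syntax shown in `ssh_rule` (check it against your doctl version); the new /32 is added before the old one is removed so there is never a moment with no allowed source, and a lookup that returns anything other than a single public IPv4 address leaves the firewall untouched.

```python
import ipaddress
import subprocess
import urllib.request

FIREWALL_ID = "REPLACE-WITH-FIREWALL-ID"      # placeholder: the cloud firewall's id from doctl or the web UI
STATE_FILE = "/var/lib/wan-allow/last_cidr"   # hypothetical path remembering the last allowed /32
IP_LOOKUP_URL = "https://api.ipify.org"       # assumed "what is my IP" service returning plain text

def public_ipv4_cidr(text):
    """Turn a lookup response into a /32, or None if it is not a single public IPv4 address."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:                 # error page, empty body, garbage
        return None
    if addr.version != 4 or not addr.is_global:   # reject IPv6 replies and RFC 1918 / reserved space
        return None
    return f"{addr}/32"

def ssh_rule(cidr):
    """Inbound-rule spec in the form doctl accepts (assumed syntax; check your doctl version)."""
    return f"protocol:tcp,ports:22,address:{cidr}"

def plan_update(old_cidr, new_cidr):
    """Return the doctl commands that move the SSH allow from old_cidr to new_cidr.
    Add first, remove second, so a rule is always present; an unchanged address yields no commands."""
    if old_cidr == new_cidr:
        return []
    base = ["doctl", "compute", "firewall"]
    cmds = [base + ["add-rules", FIREWALL_ID, "--inbound-rules", ssh_rule(new_cidr)]]
    if old_cidr:
        cmds.append(base + ["remove-rules", FIREWALL_ID, "--inbound-rules", ssh_rule(old_cidr)])
    return cmds

def main():
    with urllib.request.urlopen(IP_LOOKUP_URL, timeout=10) as resp:
        new_cidr = public_ipv4_cidr(resp.read().decode("ascii", "replace"))
    if new_cidr is None:
        raise SystemExit("WAN IP lookup returned nothing usable; firewall left untouched")
    try:
        with open(STATE_FILE) as f:
            old_cidr = f.read().strip() or None
    except FileNotFoundError:
        old_cidr = None
    for cmd in plan_update(old_cidr, new_cidr):
        subprocess.run(cmd, check=True)   # stop on the first doctl failure so the state file is not advanced
    with open(STATE_FILE, "w") as f:
        f.write(new_cidr + "\n")

if __name__ == "__main__":
    main()
```

Run it from cron on the home VM with a doctl token that is scoped to the firewall API; because it talks to DigitalOcean's API rather than to the droplet, it works even while the droplet's own public IP is unreachable.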
