Challenge, Medium, on Networking, Linux

Reach a Whole VPC Through an SSH SOCKS Proxy

You're an SRE at Acme. A handful of internal microservices run inside a private VPC - among them the orders-api (172.16.0.40:80) and the inventory-api (172.16.0.50:80). None of them has a public address - they can be reached only from machines that are inside the VPC.

You're debugging a production incident and need to poke at several of these services from your workstation using your favorite local tools. But your workstation sits on the public network only and has no route into the VPC, so it cannot talk to them directly:

curl --connect-timeout 3 172.16.0.40:80  # orders-api.vpc
curl: (28) Connection timed out after 3001 milliseconds

There is a public-facing bastion (jump host), named bastion at 203.0.113.20, that you can SSH into; it is connected to the VPC, so it can reach every internal service. You could open a separate ssh -L tunnel for each one, but that means one tunnel per service (and another for every endpoint you decide to inspect next).

Your task: instead, set up a single SSH dynamic local port forwarding session so that a SOCKS proxy on your workstation's localhost:1080 reaches every host inside the VPC through the bastion. Both internal services should be reachable through that one proxy:

Hint: How dynamic local port forwarding works

A regular local tunnel (ssh -L local_port:host:port bastion) pins the forwarding to a single destination. Dynamic local forwarding does not specify a destination: with ssh -D you name only a local port, and OpenSSH turns your ssh client into a SOCKS proxy listening there. Each connection made through that proxy is sent over your SSH link and connected to whatever address the SOCKS client asks for - resolved and reached from the bastion's side of the network.

SSH dynamic local port forwarding (SOCKS proxy) visualized.

Run man ssh and read the -D section, or walk through the example in the SSH Tunnels tutorial.
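To make concrete what the SOCKS proxy opened by ssh -D actually receives, here is an added example (not part of the challenge or of OpenSSH): a minimal SOCKS5 CONNECT client of the kind curl speaks when given socks5h://localhost:1080, talking to a constructed in-process stand-in for the proxy that records the destination requested. The stand-in listens on an ephemeral loopback port rather than 1080, and orders-api.vpc is assumed to be the orders-api's internal name.

```python
import socket
import threading

# Constructed stand-in for the listener "ssh -D 127.0.0.1:1080" opens: it speaks just
# enough SOCKS5 to accept one CONNECT and record the destination the client asked for.
def fake_socks5_server(listener, seen):
    conn, _ = listener.accept()
    with conn:
        _ver, nmethods = conn.recv(2)
        conn.recv(nmethods)                        # auth methods the client offers
        conn.sendall(b"\x05\x00")                  # SOCKS5, "no authentication"
        _ver, cmd, _rsv, atyp = conn.recv(4)
        if atyp != 0x03:                           # this stand-in only takes hostnames
            conn.sendall(b"\x05\x08\x00\x01" + bytes(6))   # REP 0x08: unsupported type
            return
        host = conn.recv(conn.recv(1)[0]).decode("idna")   # name the proxy would resolve
        port = int.from_bytes(conn.recv(2), "big")
        seen.append((cmd, atyp, host, port))
        # success reply: VER REP RSV ATYP BND.ADDR(4) BND.PORT(2)
        conn.sendall(b"\x05\x00\x00\x01" + bytes(6))

def socks5_connect(proxy, host, port):
    """TCP stream to host:port via SOCKS5, hostname sent verbatim (curl's socks5h://)."""
    s = socket.create_connection(proxy)
    s.sendall(b"\x05\x01\x00")                     # SOCKS5, one method offered: no auth
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise OSError("proxy rejected the no-auth handshake")
    name = host.encode("idna")                     # ATYP 0x03: len-prefixed domain name
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big"))
    reply = s.recv(10)                             # reply carrying an IPv4 BND.ADDR
    if len(reply) < 2 or reply[1] != 0x00:
        s.close()
        raise OSError("SOCKS CONNECT refused, reply=%r" % reply)
    return s

def demo():
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                # ephemeral loopback port, not 1080
    listener.listen(1)
    seen = []
    t = threading.Thread(target=fake_socks5_server, args=(listener, seen), daemon=True)
    t.start()
    socks5_connect(listener.getsockname(), "orders-api.vpc", 80).close()
    t.join(timeout=5)
    listener.close()
    return seen[0]                                 # (1, 3, 'orders-api.vpc', 80)

if __name__ == "__main__":
    print(demo())
```

The detail that matters for reaching the VPC is the address type: a hostname (ATYP 0x03) is handed to the proxy unresolved, so the bastion looks it up, whereas a client that resolves names locally first (curl's plain socks5:// rather than socks5h://) fails on VPC-only names before the tunnel is ever used.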

Hint: How a bastion (jump host) works

If you're not familiar with the bastion concept yet, solve this simpler challenge first: Reach a Private VPC Service Through an SSH Bastion.