How to connect to the ssh server with private IP using ssh's ProxyJump feature
The Ratioweb team offers a range of services, which often means we need to access our customers' servers. Organizations have different strategies to protect their servers. Some servers are publicly accessible, while others require a VPN setup. Occasionally, access is granted through a specialized server, known as a bastion host, that provides a gateway to the DMZ (Demilitarized Zone).
In this text, I'll share a simple trick that simplifies the daily workflow when working with a DMZ protected by a bastion host.
Traditional Access Method
Typically, access to these machines is granted using the popular SSH service. Here's the usual process:
- Connect to the Bastion Host:
ssh user-login@1.2.3.4 -A
(We use SSH agent forwarding, the -A flag, so that the keys held by our local agent can be used from the bastion host for the next hop.)
- From the Bastion Host, Connect to the Internal Server:
ssh user-login2@10.0.0.5
While this setup works, it's a bit tedious. As web developers or administrators, saving a few keystrokes can make our workflow more efficient. Plus, copying files requires transferring them twice—first to the bastion host and then to the final machine. Not exactly a fun task!
Enter the SSH ProxyJump
Luckily, there's a solution: the often-overlooked "ProxyJump" feature of the SSH client. By specifying a "ProxyJump" directive in your .ssh/config file, you can directly connect to a server behind a public-facing one. This reduces the need for multiple commands and simplifies your workflow.
Setting Up ProxyJump
Here's a basic example of how to set it up:
Host public.customer.org
    HostName 1.2.3.4
    User user-login
    Port 22
    PreferredAuthentications publickey

Host private.customer.org
    HostName 10.0.0.5
    User user-login2
    Port 22
    PreferredAuthentications publickey
    ProxyJump public.customer.org
Now, you can access the internal server by using ssh private.customer.org directly from your workstation.
This approach not only saves time but also reduces the strain on your typing fingers, extending the life of your keyboard strokes. It's a simple adjustment with a significant impact on efficiency, especially valuable for those managing complex networks.
Now, instead of using two commands to connect to the final server, you use just one! Even better, commands like scp or rsync also benefit from the .ssh/config settings, allowing you to copy files directly to where you want them.
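Added example, not from the original article: a small Python check that reads an ssh config, resolves the ProxyJump route to a host, and flags jump hosts that still have ForwardAgent enabled, which the two-step -A workflow relied on and ProxyJump does not need. The sample config is constructed from the article's two hosts with a ForwardAgent line added; the parser assumes one alias per ProxyJump and ignores Match, Include and negated patterns.

```python
import fnmatch
import re

# Constructed sample: the article's two hosts, plus a leftover ForwardAgent line.
SAMPLE_CONFIG = """\
Host public.customer.org
    HostName 1.2.3.4
    User user-login
    ForwardAgent yes
Host private.customer.org
    HostName 10.0.0.5
    User user-login2
    ProxyJump public.customer.org
"""

def parse(text):
    """Return [(host_patterns, {option: value})] with lower-cased option names."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def lookup(blocks, host):
    """Effective options for host; the first value seen wins, as in ssh."""
    opts = {}
    for patterns, kv in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            opts = {**kv, **opts}
    return opts

def audit(text, target):
    """Return (route from first jump host to target, warnings about jump hosts)."""
    blocks, chain, host = parse(text), [], target
    while host and host not in [h for h, _ in chain]:  # stop on a ProxyJump loop
        chain.insert(0, (host, lookup(blocks, host)))
        jump = chain[0][1].get("proxyjump", "none")
        host = None if jump.lower() == "none" else jump
    route = [f"{o.get('user', '?')}@{o.get('hostname', h)}" for h, o in chain]
    warnings = [f"{h}: ForwardAgent is on; ProxyJump does not need it"
                for h, o in chain[:-1] if o.get("forwardagent", "no").lower() == "yes"]
    return route, warnings

print(audit(SAMPLE_CONFIG, "private.customer.org"))
```

With ProxyJump the client authenticates to the internal server from the workstation, through a connection tunnelled via the bastion, so the agent never has to be forwarded to the bastion.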
For detailed steps and more information on utilizing ProxyJump, consulting the official documentation or relevant tech forums is highly recommended.
Key Takeaway: By using SSH's ProxyJump feature, you can streamline server access, save time, and simplify file transfers. It's a small change with big benefits for your workflow!