SSH SOCKS Proxy, Poor Man's VPN

I recently found myself in a situation where my Kubernetes node needed to access Google Search from another network, since the IP address of the node was blocked.

I could have set up a VPN on the node, but I didn't want the hassle of setting up and maintaining one. I also didn't want to set up a bastion host and open up another attack vector into my network.

I decided to set up a SOCKS proxy over SSH instead.

VPS

I set up a VPS on MikroVPS located in Frankfurt, Germany. I also restricted SSH access to the VPS to the IP address of the node only, so the proxy endpoint is not reachable from anywhere else:

iptables -A INPUT -s <NODE_IP>/32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP

Allocate a static IP address

I allocated a static IP address (10.1.0.1) on the Kubernetes node, bound to the lo interface.

I made it permanent by adding the following to the node's netplan configuration:

network:
  ...
  ethernets:
    lo:
      addresses:
        - 127.0.0.1/8
        - 10.1.0.1/32

Setup SSH SOCKS Proxy Service on Kubernetes Node

I set up an SSH SOCKS proxy service on the Kubernetes node using the following systemd unit file, saved as /etc/systemd/system/ssh-socks-proxy.service:

[Unit]
Description=SSH Tunnel for 10.1.0.1 SOCKS PROXY to Remote Host
After=network.target

[Service]
User=NONROOTUSER
# -N: run no remote command, -D: bind the SOCKS listener to the lo alias only (not 0.0.0.0).
# ExitOnForwardFailure makes ssh exit (so systemd restarts it) if the bind fails;
# ServerAliveInterval detects a silently dropped connection so Restart= can kick in.
ExecStart=/usr/bin/ssh -i /home/NONROOTUSER/key -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -N -D 10.1.0.1:1080 <VPS_USER>@<VPS_IP>
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Ensure the service is enabled and started:

sudo systemctl enable ssh-socks-proxy.service --now
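A check worth running once the service is up is that the SOCKS listener is bound only to the lo alias and not to a wildcard address, which would turn the node into an open proxy for anything that can reach it. The following is an added example (not code from the original post) that parses `ss -ltn` output and flags any listener on the SOCKS port whose bind address is not in an allow-list; the sample output is constructed, and the allow-list of 10.1.0.1 plus loopback is an assumption matching the unit file above.

```python
"""Audit `ss -ltn` output for a SOCKS listener exposed beyond the intended address.

Added example, not from the original post. The systemd unit binds the listener to
10.1.0.1 (an alias on lo); this check flags any listener on the SOCKS port that is
bound to a wildcard or any other address. The sample output below is constructed.
"""

# Assumed allow-list: the page's lo alias plus the loopback addresses.
ALLOWED_BIND = {"10.1.0.1", "127.0.0.1", "::1"}
SOCKS_PORT = 1080


def _split_addr_port(field):
    """Split ss's 'addr:port' field, handling bracketed IPv6 such as '[::]:1080'."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), port


def exposed_socks_listeners(ss_output, port=SOCKS_PORT, allowed=ALLOWED_BIND):
    """Return the local addresses listening on `port` that are not in `allowed`."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # first row is the header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, lport = _split_addr_port(cols[3])  # "Local Address:Port" column
        if lport == str(port) and host not in allowed:
            exposed.append(host)
    return exposed


# Constructed `ss -ltn` output: the correct bind, sshd, and two misbound proxy listeners.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     10.1.0.1:1080        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     0.0.0.0:1080         0.0.0.0:*
LISTEN  0       128     *:1080               *:*
"""

GOOD_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     10.1.0.1:1080        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

if __name__ == "__main__":
    bad = exposed_socks_listeners(SAMPLE_SS)
    print("exposed SOCKS listeners:", bad or "none")
```

On a live node, feed it the real output, e.g. `exposed_socks_listeners(subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout)`, and treat a non-empty result as a misconfiguration of the `-D` bind address.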

Test the SOCKS Proxy

I tested the SOCKS proxy by running the following command from the Kubernetes node (curl defaults to port 1080 for SOCKS proxies, so the port can be omitted; use socks5h:// instead of socks5:// if you want DNS names resolved on the VPS rather than on the node):

curl -x socks5://10.1.0.1 https://www.google.com
