Multi-Hop Connection

Does Core Tunnel support multi-hop connections? My use case requires connecting through two jump boxes to a target:

local -> jump1 -> jump2 -> target

This post was really helpful, but I’m struggling figuring out how to make it work with a second jump box: Multi Tunnel SSH

These are the commands I’m running locally to get it to work:
(on local) ssh -L 1500:localhost:1500 jump1-user@jump1-ip
(on jump1) ssh -L 1500:target-ip:target-port jump2-user@jump2-ip

Is this possible?

Core Tunnel support multi-hop out of the box, set the value of ProxyJump to this:

jump1-user@jump1-ip,jump2-user@jump2-ip

image

Thanks Yang. One complication is I'm connecting to jump1 with user/pass, but to jump2 with a private key that lives on jump1. I'd need that key locally for it to work, right?


AFAIK, if you use ProxyJump option,, you have to keep all required private keys locally.

There is a way that you can keep private key on jump1, but at the cost of intuitive, you can't utilize ProxyJump option to simplify the workflow, I'd rather not recommend you do that.

Let me know if you have no choice but to keep private key on jump1.

As a policy I cannot bring the key down locally. Even if it’s less than perfect, can you share the non-intuitive approach?

There is a similar question on SO, but using ssh command line:

The principle behind the selected answer also applies to Core Tunnel, but in your case, we need do some more extra job:

local ------> jump1 ------> jump2 ------> target
         ^             ^
   using local's  using jump1's
     ssh key        ssh key

Firstly, we must enable an advanced feature in Core Tunnel:

Then edit your ~/.ssh/config file and add some lines like this:

Host jump2
    ProxyCommand ssh -A jump1 'ssh-add && nc %h %p'

Then edit settings of your tunnel for target, set Proxy Jump option to jump2:

image

Then every thing should work. If you run into any problem, please enable debug log and paste at here (don't forget eliminate sensitive information):

Good luck :slight_smile: