I need to SSH into a client server that has an IP whitelist as part of access control. I don't have a static IP - sometimes I work from home, sometimes the library, sometimes a coffee shop, etc. How can I get a static IP? If I am on vacation, and a remote coworker has to connect to the whitelisted server, how would they get in (assuming they have credentials)?
Does this involve setting up and connecting through a VPN? Or a proxy server?
I am looking for both a solution and an explanation of how it works.
A bit more detail: There seem to be a few options here, and maybe that's where I get confused.
- Set up and connect to a VPN, and then my ssh requests will be routed through there. The server will see my IP as that of the VPN gateway (is this proper terminology?)
- Set up a server, and ssh into that server and then ssh from there into the end server. This is not ideal, since I will have to move files to the intermediate server, and then to the main server.
- Set up a server, and use port-forwarding as a pass through.
What is not clear to me is the pros/cons of these approaches. Web searching didn't explain that, so I am asking here. Not just for a solution, but for an explanation as well.
If I read your question correctly, you want a static IP address that will follow you around wherever you go. If that's correct then the answer is you can't do that directly.
One thing you could do is to have your remote server also act as a VPN server. You can then create a VPN between it and your workstation and connect over the whitelisted VPN IP address.
How to set up a VPN is (somewhat) dependent on the OS involved (which you don't mention) and too large for the scope of this Q&A site. There are though plenty of good tutorials on the subject.
Amazon EC2 gives you 5 elastic IP addresses. You could also connect from a virtual private server (VPS); you can get one from Digital Ocean for just a few dollars a month and it will have a static IP address. You can SSH into those servers from anywhere, and then connect to your client server.
You could do SSH Port Tunneling.
For this to work you need to have one machine that is constantly connected to the internet. Hopefully this machine will always have the same IP address (since it will be renewing its IP lease all the time), but if sometimes this machine fails to respond to your requests, you can ask your ISP for a static IP (at extra cost). This machine will practically act as your proxy. This could be your home computer. You could repurpose any Pentium machine you have lying around for this use.
On this "proxy" machine you would set up SSH port tunneling with PuTTY by forwarding all requests to port, say, 50505 to port 22 on the "client server". Take a look: . Checkboxes are important and need to be checked.
Accept any firewall changes that need to be done:
Then, when you are not at your "always on" computer, say in a library, you would fire up its SSH client and connect to your "always on" computer but to port 50505. Then you would use credentials of the "client server" computer and you would be represented as if you are actually that computer.
Since I'm quite a novice in these matters I hope that I have not made any mistakes here, but I think you could get away with this solution.
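The VPS jump host and the port forward suggested in the answers above, written as an OpenSSH client configuration (an added example, not part of any answer on this page). Host names, user names and the key path are placeholders; port 50505 is the one used in the answer above, and ProxyJump assumes OpenSSH 7.3 or later on the laptop.

```sshconfig
# ~/.ssh/config on the laptop. All host names, users and key paths are
# placeholders for illustration, not values from this page.

# The always-on machine or VPS whose static IP is on the client's whitelist.
Host jump
    HostName jump.example.net
    User alice
    IdentityFile ~/.ssh/id_ed25519
    # Private keys stay on the laptop; the agent is not exposed to the jump host.
    ForwardAgent no

# Option A: jump host. ssh asks "jump" to open a TCP channel to the client
# server and runs the real SSH session end to end from the laptop. The client
# server sees the jump host's IP; the jump host only relays encrypted traffic,
# so no files or credentials for the client server are stored on it.
# Requires TCP forwarding to be allowed on the jump host (the sshd default).
Host client
    HostName client.example.com
    User deploy
    ProxyJump jump

# Option B: explicit port forward. "ssh -N client-tunnel" listens on
# 127.0.0.1:50505 on the laptop and relays to port 22 of the client server
# from the jump host. Here the listener is bound to the laptop's loopback
# rather than being reachable from the internet on the always-on machine.
Host client-tunnel
    HostName jump.example.net
    User alice
    LocalForward 127.0.0.1:50505 client.example.com:22
    ExitOnForwardFailure yes

# Reach the client server through the tunnel opened by client-tunnel.
Host client-via-tunnel
    HostName 127.0.0.1
    Port 50505
    User deploy
    # Check the host key under the real server's name, not 127.0.0.1.
    HostKeyAlias client.example.com
```

With Option A, `ssh client` and `scp report.txt client:` go straight through, so nothing has to be copied to the intermediate server first. A coworker uses the same configuration with their own account on the jump host.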
I had the same problem a year or so ago, and got around it by buying a PureVPN package. It runs me $15 a month ($10 for the VPN, $5 extra for making the IP static) and works like a charm.
Seems they've reduced the price by $3 at the moment too.
At first I had it just for accessing the IP-whitelist server, but it's also useful for getting around my ISP's p2p throttling.
It lets you do split-tunnelling as well, so if you want you can set only certain apps to launch "through" the VPN (e.g. PuTTY) and let everything else bypass it.
Static IPs are assigned to a specific internet connection by an organization that owns that IP range (in this case, your ISP). You could add a static IP to your home internet connection, remote into a computer there (SSH, RDP, or whatever you prefer), and then SSH into the client server.
You ask your ISP for one, and if they don't provide them, you use dynamic DNS. Dynamic DNS may not work for a whitelist system if it's truly limited to just IPs.