SSH from public internet


dijkstra

May 11, 2019, 2:24:31 AM5/11/19
to Vagrant
My colleague and I have been working on this for hours trying to see if it's possible, but we're giving up hope as we've tried everything on Google.

I have a server running Vagrant inside my data center with the following IPs:


~# cat /etc/netplan/50-cloud-init.yaml
# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        enp1s0f0:
            addresses: [192.184.16.92/24,192.184.16.242/32]
            gateway4: 192.184.14.1
            nameservers:
                addresses:
                - 1.1.1.1


Here is my VM config:

# cat Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|

    # /*=====================================
    # =            FREE VERSION!            =
    # =====================================*/
    # This is the free (still awesome) version of Scotch Box.
    # Please go Pro to support the project and get more features.
    # Check out https://box.scotch.io to learn more. Thanks

    config.vm.box = "scotch/box"
    config.vm.network "public_network", ip: "192.184.16.242"
    config.vm.hostname = "scotchbox"
    config.vm.synced_folder ".", "/var/www", :mount_options => ["dmode=777", "fmode=666"]

    # Optional NFS. Make sure to remove other synced_folder line too
    #config.vm.synced_folder ".", "/var/www", :nfs => { :mount_options => ["dmode=777","fmode=666"] }

end

####################



How in the world do I SSH to the 192.184.16.242 Scotch Box from the public internet?

Is it even possible?

Alvaro Miranda Aguilera

May 11, 2019, 3:40:22 AM5/11/19
to vagra...@googlegroups.com
Hello,

A few ideas first.

Vagrant is for development work, and development work only should be the focus; that is the way Vagrant has been developed.

For non-development work there are other tools more suitable for the task, say Terraform or any other tool whose goal is to provision infrastructure to be run, and to share services from there.


Back to Vagrant.

To cover the use case of sharing/showing dev work with the outside world, Vagrant has a command, vagrant share.

However, this is not meant to keep it running forever; I would say use Terraform and create a VM similar to what will be in production, and just call that infrastructure test, or QA, etc.

If you remove Vagrant from the picture, create a VM, and give it the IP 192.184.16.242,
the sequence of steps that need to happen is exactly the same as what you need to do for Vagrant.

There is probably nothing to be done in Vagrant, other than:
- set an IP (this can be done by Vagrant)
- set a gateway (best to have a script)
- adjust gw/network order, so traffic goes over the network you want it to go over (otherwise it will go over NAT)

Up to this point, 3 of 4 are non-Vagrant tasks, and are more suitable to ask of the internal network/firewall people of the company.


Once this is done, and the VM (managed by Vagrant or not) is configured in the network, I would be very careful about starting to make changes to expose this VM to the internet:

- check with the network and firewall people if this is a good idea or not
- check with the network and firewall people if they use port forwarding, or load balancers
- check with the network and firewall people if they are comfortable having this VM managed by Vagrant inside the datacenter

Also, there is the security aspect:
- how do you know this VM is safe?
- how do you know the new VM exposed to the internet won't be hacked? Is it up to date?
- what will happen if this VM gets hacked? From this VM, can they jump to <internet name of sensitive system>?
and a long etcetera.


As you can see, most of the questions are non-Vagrant topics.
You may use Vagrant, but it is better to do this top to bottom:

- what service do you need to share?
- what's the purpose of this new service?
- what's the best tool to accomplish this?
- what's the life cycle of this service?
- who is responsible for this service?
- who should be contacted if anything goes wrong with this service?
- how will we know the service goes wrong? (monitoring/logging)
- how will we know our service has been compromised?
- what's the break-glass procedure here?
- and finally, how will we know we need to run the break-glass procedure, say at 2am on a weekend?


Those are my personal impressions, based on my past experience.

Thanks
Alvaro.


Dennis Chang

May 11, 2019, 9:06:33 AM5/11/19
to Vagrant
The host netplan addresses:

            addresses: [192.184.16.92/24,192.184.16.242/32]
            gateway4: 192.184.14.1

are incorrect. It doesn't appear that these two addresses can reach the gateway. Hence the ingress SSH connection cannot be established.

            addresses: [192.184.16.92/16,192.184.16.242/16]
            gateway4: 192.184.14.1

Change both addresses to /16 and you should now be able to establish the SSH connection.


But a second problem I see is that the Vagrant machine (VM) has the same configured IP address as the host interface:

            addresses: [192.184.16.92/24,192.184.16.242/32]

vs

config.vm.network "public_network", ip: "192.184.16.242"

So should the SSH connection be established with the host or with the VM?


I'm going to guess what you are trying to do and say:

1. Remove 192.184.16.242/32 from the host netplan. It's a single interface, i.e. enp1s0f0. If you need two addresses for a single interface, then use an alias, e.g. enp1s0f0:0.

2. Configure bridge mode for the Vagrant machine so that DHCP establishes an IP for your VM within the subnet of your host's network, i.e. 192.184.16.X/24.

3. Whatever address is granted to the Vagrant machine, e.g. 192.184.16.123, is now accessible from outside the host. Try the SSH connection now.

Good luck,
Den
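The two problems above (a gateway that is not on-link for any of the interface's prefixes, and a Vagrant public_network IP that duplicates a host address) can be caught before anything is exposed. This is an added example, not code from the thread or from Vagrant; it uses only the Ruby standard library, and the netplan snippets are constructed from the poster's file (original /24 and /32, and the /16 variant suggested above):

```ruby
# Added example: sanity-check a netplan ethernets block against its gateway
# and against the IP given to Vagrant's public_network. Pure Ruby stdlib.
require "ipaddr"
require "yaml"

# Constructed sample: the poster's netplan addresses as shown in the thread.
ORIGINAL = <<~YAML
  network:
    ethernets:
      enp1s0f0:
        addresses: [192.184.16.92/24,192.184.16.242/32]
        gateway4: 192.184.14.1
YAML

# Same interface with both addresses widened to /16, as suggested above.
FIXED = ORIGINAL.sub("192.184.16.92/24,192.184.16.242/32",
                     "192.184.16.92/16,192.184.16.242/16")

# The IP from: config.vm.network "public_network", ip: "192.184.16.242"
VAGRANT_IP = "192.184.16.242"

# Returns a list of problem strings; empty means the interface looks sane.
def check_netplan(yaml_text, vm_ip)
  problems = []
  YAML.safe_load(yaml_text).dig("network", "ethernets").each do |ifname, cfg|
    gw = IPAddr.new(cfg["gateway4"])
    # IPAddr masks "a.b.c.d/n" down to its network, so include? is an
    # "is this gateway on-link for this prefix?" test.
    nets = cfg["addresses"].map { |a| IPAddr.new(a) }
    unless nets.any? { |n| n.include?(gw) }
      problems << "#{ifname}: gateway #{cfg['gateway4']} is not inside any of " \
                  "#{cfg['addresses'].join(', ')} (host cannot reach it)"
    end
    # The VM must not reuse an address the host already owns on this interface.
    host_ips = cfg["addresses"].map { |a| a.split("/").first }
    if host_ips.include?(vm_ip)
      problems << "#{ifname}: Vagrant public_network ip #{vm_ip} duplicates a host address"
    end
  end
  problems
end

if __FILE__ == $0
  puts "original:", check_netplan(ORIGINAL, VAGRANT_IP)
  puts "fixed:", check_netplan(FIXED, VAGRANT_IP)
end
```

With the original file both checks fail; with the /16 file the gateway check passes but the duplicate-address problem remains until the VM gets its own address (for example a DHCP lease such as 192.184.16.123).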

dijkstra

May 13, 2019, 1:53:12 AM5/13/19
to Vagrant
I feel like I'm close, but here's what it actually looks like:

Juniper router > Juniper switch > Server w/ two physical interfaces

I'm a little lost right now as to how the switch is supposed to be configured on the bridge interface that I'm using to connect the Vagrant VM.

Should I be using switchport mode access or trunk?

Dennis Chang

May 13, 2019, 9:51:33 AM5/13/19
to Vagrant
I was going to make further suggestions, but I think I was getting in over my head.
When it comes to managed switch scenarios (Juniper) I shouldn't really comment.

My suggestion is to simplify.

If you ignore the 2nd interface, replace the Juniper switch with a dumb switch,
and set your Vagrant VM in bridge mode, can you reach your VM from a 2nd host?

If this setup works correctly can you post:

1. VM IP address
2. Host interface IP address
3. default gateway
4. 2nd host IP address

From there you can start to work on the 2nd interface (which gets tricky very fast).
The 2nd interface means a 2nd network which means your host is now a router (itself).
The complication occurs because of routes and packet forwarding that your host
is now required to perform (between interfaces).

So a question I would need to ask is: will the VM run on the 1st network or the 2nd network?
