SSH Tunneling

If your application does not support SOCKS proxies, or you need different access to the CERN network, you have to tunnel via SSH. This solution exists only for Linux and macOS; there are currently no tested methods for Windows.

ProxyJump

Set up your .ssh/config to use a jump host:

Host *.cern.ch !lxplus.cern.ch !aiadm.cern.ch !lxplus !aiadm !gitlab.cern.ch !lxtunnel.cern.ch !lxtunnel
  User YOURCERNUSER
  ProxyJump lxtunnel.cern.ch

Host lxplus.cern.ch aiadm.cern.ch lxtunnel.cern.ch lxtunnel lxplus aiadm
  User YOURCERNUSER
  # if your client is configured for Kerberos
  GSSAPIDelegateCredentials yes
  GSSAPIAuthentication yes
  GSSAPITrustDns yes

Note: macOS does not support GSSAPITrustDns. You need to remove this line on macOS.
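Which hosts the first Host block actually catches can be checked without opening a connection. The following is an added example, not part of the CERN page: it re-implements ssh_config Host pattern matching in POSIX sh using the page's own pattern line, which shows how the negated entries keep the jump host itself (and lxplus, aiadm, gitlab) out of the ProxyJump block.

```shell
#!/bin/sh
# Added example (not from the CERN page): emulate ssh_config "Host" matching.
# Rules: '*' and '?' are wildcards, a leading '!' negates, and a host that
# matches ANY negated pattern is excluded from the whole block.

# ssh_host_match HOST PATTERN... -> exit 0 if HOST is covered by the block
ssh_host_match() {
  host=$1
  shift
  matched=1
  for pat in "$@"; do
    case $pat in
      '!'*)
        neg=${pat#!}
        # sh case globbing uses the same '*' / '?' syntax as ssh_config
        case $host in
          $neg) return 1 ;;   # a negated entry wins, block is ignored
        esac
        ;;
      *)
        case $host in
          $pat) matched=0 ;;
        esac
        ;;
    esac
  done
  return $matched
}

# The first Host line of the page's ~/.ssh/config; ssh takes the first
# matching value for each option, so this block decides ProxyJump.
JUMP_BLOCK='*.cern.ch !lxplus.cern.ch !aiadm.cern.ch !lxplus !aiadm !gitlab.cern.ch !lxtunnel.cern.ch !lxtunnel'

# proxyjump_for HOST -> prints the jump host ssh would use, or "none"
proxyjump_for() {
  # shellcheck disable=SC2086  # word-splitting of JUMP_BLOCK is intended
  if ssh_host_match "$1" $JUMP_BLOCK; then
    echo lxtunnel.cern.ch
  else
    echo none
  fi
}

# Usage when run directly: ./check.sh host1 host2 ...
for h in "$@"; do
  printf '%-28s -> ProxyJump %s\n' "$h" "$(proxyjump_for "$h")"
done
```

Run it with both a normal CERN host and lxtunnel.cern.ch as arguments: only the former should report a jump host, otherwise the tunnel host would be configured to jump through itself.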

Jumping to a single host

If you want to access a single host (e.g. to connect to it with VNC), you can run:

$ ssh -L 5900:target-server.cern.ch:5900 <USER>@lxtunnel.cern.ch

and then connect to the server through the local port (e.g. with xvncviewer):

$ xvncviewer localhost

sshuttle

sshuttle is a “poor man’s VPN” solution which works on macOS and Linux. It uses SSH tunneling to transparently redirect certain parts of your traffic to the internal network.

For Linux and macOS you can use the following command:

sshuttle --dns -vr <USER>@lxtunnel.cern.ch 137.138.0.0/16 128.141.0.0/16 128.142.0.0/16 188.184.0.0/15 --python=python

This command routes traffic to the listed CERN IP ranges through the tunnel. On Linux this only works for IPv4 addresses; for IPv6 you need to set --method=tproxy, which requires root privileges and is not tested.
On macOS you can add 2001:1458::/32 2001:1459::/32 to the subnet list to also tunnel IPv6.

sshuttle can also run as a daemon. The following script wraps starting, stopping and checking it:

#!/bin/sh
# Wrapper around sshuttle: connect | disconnect | status
# A per-user directory (e.g. $XDG_RUNTIME_DIR) is safer for the pidfile than world-writable /tmp.
PIDFILE=/tmp/sshuttle.pid

case "$1" in
  connect)
      # same subnets as the interactive command above, detached as a daemon
      sshuttle --dns -vr <USER>@lxtunnel.cern.ch 137.138.0.0/16 128.141.0.0/16 128.142.0.0/16 188.184.0.0/15 --daemon --pidfile "$PIDFILE" --python=python
  ;;
  disconnect)
      if [ -f "$PIDFILE" ]; then
          kill "$(cat "$PIDFILE")"
      else
          echo "sshuttle is not running (no $PIDFILE)" >&2
      fi
  ;;
  status)
      # compare the source address seen inside CERN with the one seen outside
      echo "IP address as seen by CERN servers:   $(wget -O - -q "https://security.web.cern.ch/ip.php")"
      echo "IP address as seen by external sites: $(wget -O - -q "https://api.my-ip.io/ip")"
  ;;
  *)
      echo "usage: $0 {connect|disconnect|status}" >&2
      exit 1
  ;;
esac