Establishing a Tunnel to the Brandeis Network
The following information is retained for historical and informational purposes only.
Effective August 2022, ITS blocks all inbound ssh at the campus border, breaking the ProxyJump and SOCKS methods described below.
ITS’s only supported method to access ssh servers from off-campus is via their VPN.
The ITS VPN is available to all current students, faculty, and staff. It is supported by the ITS Help Desk.
If you cannot use the ITS VPN for any reason, please contact guru@cs.brandeis.edu, and we will be happy to assist!
Original page content:
Some CS department services are only made available from within the campus network.
There are a few different ways to access these services if you aren’t on campus.
Methods of Accessing Campus-Only Hosts & Services
| | ProxyJump | SOCKS Proxy | Pulse VPN |
|---|---|---|---|
| Explanation | ssh-only: for a given ssh connection, tunnel (proxy) through an intermediate ssh server. Doesn’t impact any other traffic. | Using a SOCKS proxy will redirect all proxy-aware traffic from your machine through the proxy host. | When used in the default (split-tunnel) mode, Pulse VPN selectively redirects your network traffic through the VPN. This means that only connections to hosts ITS has designated as campus-related will be handled by Pulse. |
| Interface | Command line | Command line | GUI |
| Authentication Method | Jump/Bastion host and target host user login credentials | Proxy host user login credentials | Unet login and 2FA (w/ Duo) |
| Example Use Cases | Ex: You want to ssh to a machine that isn’t available from the internet, but which can be reached from one of the public workstations. Can be combined with a SOCKS proxy, if desired. | Ex1: You want all your web browsing to appear to come from Brandeis. Ex2: You want to access a web page that is only available from a few Brandeis computers. | Ex1: You want to access a service that is only accessible from campus (eg: file servers, certain web applications, some ssh servers, etc…) Ex2: You’re watching Netflix but want to access a campus-only service at the same time without sending your streaming traffic through Brandeis |
Pulse Secure VPN
One way to gain remote access to the campus network is to use the Pulse Secure VPN client provided by Information Technology Services. To get started, see ITS’s VPN (Virtual Private Network) page.
*Note: In its default configuration, Brandeis Pulse Secure only provides a connection to Brandeis campus resources (ie: it is a “Split Tunnel” VPN). If you would like to use Pulse Secure to route all your internet traffic via Brandeis, contact the ITS Help Desk and ask them to turn on “full-tunnel mode” for your Brandeis account.*
*In full-tunnel mode, all your internet traffic is routed through Brandeis. This means that the sites you visit are not visible to your local internet provider, but are visible to Brandeis. Full-tunnel mode is a good option if you are worried about network eavesdroppers on public WiFi, or if your internet connection is subject to censorship. For more information see the ITS VPN Full-tunnel FAQ*
*Note: The Pulse Secure VPN in full-tunnel mode will not speed up your internet connection. Instead, it will likely slow it down a little bit. This is because the VPN software works by first adding an extra layer of encryption to your internet traffic and then sending it to Brandeis, where it is decrypted and sent to its final destination. As such, any site you browse while Pulse is turned on in full-tunnel mode will only be as fast as your connection to Brandeis and Brandeis’s connection to that site, instead of being a direct connection from you to the site. This is a necessary trade-off to gain the privacy and security protections that Pulse (or any VPN) provides.*
ProxyJump
Many ssh servers are campus-only, meaning they don’t accept ssh connections directly from the internet. ssh’s ProxyJump feature lets you access these servers from the internet, by instructing ssh to proxy its connection via a “Jump” or “Bastion” Host that is available from the internet (such as the Public Workstations).
Using ProxyJump to connect to a campus-only ssh server by way of a “Jump Host” serves as a more secure & convenient alternative to first connecting to an internet-available server and then opening a new ssh connection from there to a campus-only server. ProxyJump handles this extra hop for you, allowing you to interact with the campus-only ssh server as though you were doing so directly.
This option is most useful when you’ve set up SSH Public Keys, so that you won’t have to type a password for each host in the Jump chain.
ProxyJump in OpenSSH (macOS, Linux, UNIX, Windows Subsystem for Linux (“WSL”), Git for Windows (aka “Git Bash”), etc)
OpenSSH ProxyJump is configured either on the command line with the -J flag:
```
ssh -J <jumphost> <target>
```
Ex:
```
ssh -J MY_CS_LOGIN@diadem.cs.brandeis.edu MY_PRIVATE_LOGIN@my-private-server
```
Or by specifying the ProxyJump directive in your ~/.ssh/config file:
```
Host diadem
    User MY_CS_LOGIN
    HostName diadem.cs.brandeis.edu

Host priv-serv
    User MY_PRIVATE_LOGIN
    HostName my-private-server
    ProxyJump diadem
```
After which you can use the host alias defined in your config file:
```
ssh priv-serv
```
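As an added example (not from the original page, and not part of OpenSSH itself), the following Python script models how OpenSSH expands an alias such as priv-serv into explicit hops, so a config can be checked before it is relied on. It handles only exact Host aliases with User, HostName, Port and ProxyJump (including comma-separated multi-hop values); real OpenSSH also applies wildcard patterns, first-match-wins and Match blocks, which are omitted here. The inner host and the loop-a/loop-b entries in the sample config are constructed for this example to exercise multi-hop resolution and loop detection; only diadem and priv-serv come from the config above.

```python
# Added example (not from the original page): resolve the ProxyJump chain behind
# an OpenSSH config alias. Exact Host aliases only; wildcards and Match omitted.
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the two aliases from this page, plus a hypothetical
# third hop and a deliberate ProxyJump loop (neither is on the original page).
SAMPLE_CONFIG = """
Host diadem
    User MY_CS_LOGIN
    HostName diadem.cs.brandeis.edu
Host priv-serv
    User MY_PRIVATE_LOGIN
    HostName my-private-server
    ProxyJump diadem
Host inner
    User MY_PRIVATE_LOGIN
    HostName inner.example.internal
    Port 2222
    ProxyJump priv-serv
Host loop-a
    ProxyJump loop-b
Host loop-b
    ProxyJump loop-a
"""

@dataclass(frozen=True)
class Hop:
    host: str
    user: str | None = None
    port: str | None = None

    def jump_spec(self) -> str:
        """Render as a -J entry: [user@]host[:port]."""
        spec = f"{self.user}@{self.host}" if self.user else self.host
        return f"{spec}:{self.port}" if self.port else spec

def parse_ssh_config(text: str) -> dict[str, dict[str, str]]:
    """Return {alias: {lowercased keyword: value}} for each exact Host alias."""
    hosts: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            current = {}
            for alias in value.split():          # "Host a b" shares one block
                hosts[alias] = current
        elif current is not None:
            current.setdefault(keyword, value)   # first value wins, as in OpenSSH
    return hosts

def parse_jump_spec(spec: str) -> Hop:
    """Parse an explicit [user@]host[:port] written directly in a ProxyJump value."""
    user, _, rest = spec.rpartition("@")
    host, _, port = rest.partition(":")
    return Hop(host, user or None, port or None)

def resolve_chain(hosts: dict[str, dict[str, str]], target: str,
                  _seen: tuple[str, ...] = ()) -> list[Hop]:
    """Hops from the first jump host to `target`, outermost first; rejects loops."""
    if target in _seen:
        raise ValueError("ProxyJump loop: " + " -> ".join(_seen + (target,)))
    entry = hosts.get(target, {})
    chain: list[Hop] = []
    for jump in entry.get("proxyjump", "").split(","):
        jump = jump.strip()
        if not jump or jump.lower() == "none":
            continue
        if jump in hosts:   # an alias: recurse so its own ProxyJump applies as well
            chain.extend(resolve_chain(hosts, jump, _seen + (target,)))
        else:
            chain.append(parse_jump_spec(jump))
    chain.append(Hop(entry.get("hostname", target), entry.get("user"), entry.get("port")))
    return chain

def equivalent_command(hosts: dict[str, dict[str, str]], target: str) -> str:
    """Rebuild the explicit `ssh -J ...` command that `ssh <target>` expands to."""
    *jumps, final = resolve_chain(hosts, target)
    parts = ["ssh"]
    if jumps:
        parts += ["-J", ",".join(h.jump_spec() for h in jumps)]
    if final.port:
        parts += ["-p", final.port]
    parts.append(f"{final.user}@{final.host}" if final.user else final.host)
    return " ".join(parts)

if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for alias in ("diadem", "priv-serv", "inner"):
        print(f"ssh {alias:<10}=>  {equivalent_command(cfg, alias)}")
    try:
        equivalent_command(cfg, "loop-a")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows `ssh priv-serv` expanding to exactly the -J command line given earlier. For a real config, `ssh -G priv-serv` prints the options OpenSSH itself resolved, including the proxyjump value, and is the authoritative check. The reason ProxyJump is the more secure choice is visible in the model: each hop is a separate ssh session with its own host-key verification and credentials, and the jump host only forwards an encrypted TCP stream to the target, whereas a nested interactive login would expose the inner session (and any typed password) to the jump host.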
ProxyJump in PuTTY
PuTTY added ssh-proxy (ie: JumpHost) support in version 0.77.
For documentation of this feature, see PuTTY Documentation Chapter 4: Configuring PuTTY, section 4.16 The Proxy panel, subsection 4.16.1 Setting the proxy type, which states:
The Proxy panel allows you to configure PuTTY to use various types of proxy in order to make its network connections.
The ‘Proxy type’ radio buttons allow you to configure what type of proxy you want PuTTY to use for its network connections.
Selecting ‘SSH’ causes PuTTY to make a secondary SSH connection to the proxy host (sometimes called a ‘jump host’ in this context), and then open a port-forwarding channel to the final destination host.
The ‘Proxy hostname’ field will be interpreted as the name of a PuTTY saved session if one exists, or a hostname if not. This allows multi-hop jump paths, if the referenced saved session is itself configured to use an SSH proxy; and it allows combining SSH and non-SSH proxying.
SOCKS Proxy
By using a SOCKS proxy, you can forward your whole system’s connection through a jumphost on campus by using your local ssh client as a SOCKS server. With the -D flag, you can specify a port on your own machine so that when a connection is made to this port, it is automatically forwarded to the jumphost and then from there to the target destination.
macOS
Go to Apple Menu > System Preferences > Network > Advanced… > Proxies, tick the box next to SOCKS Proxy, and then click on SOCKS Proxy itself. Under Socks Proxy Server, type localhost on the left side of the colon and 1080 on the right. This tells your system to use the proxy located on localhost port 1080 (the standard port for SOCKS proxies). Click Okay and then Apply.
Next, go open up a new Terminal window and run the command
```
ssh -D 1080 <proxyhost>
```
where <proxyhost> is a public-facing server on the campus network. As with ProxyJump, diadem.cs.brandeis.edu and tiara.cs.brandeis.edu both make for good proxyhosts. Now all traffic that defaults to the system proxy will be tunneled through the proxyhost of your choice.
Note that in some cases, applications (such as browsers) will ignore the system proxy. In these instances, you may have to specify your proxy in the application settings instead of your System Preferences.
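To make concrete what “proxy-aware traffic” means, here is an added Python example (not from the original page) of the SOCKS5 exchange an application performs against the listener that `ssh -D 1080` opens on localhost. The client sends a method-negotiation greeting and then a CONNECT request that carries the destination hostname; the proxy answers with a status code and the address it bound on the far side. The proxy’s replies here are constructed bytes served by an in-memory FakeProxy so the code runs offline; against a live tunnel you would pass a TCP socket connected to localhost:1080 to socks5_connect instead. The hostnames and addresses in the sample exchange are constructed values.

```python
# Added example (not from the original page): the SOCKS5 CONNECT handshake a
# proxy-aware application performs against the listener created by `ssh -D 1080`.
# Wire format follows RFC 1928; the proxy end is simulated with constructed bytes.
from __future__ import annotations
import ipaddress
import struct

SOCKS_VERSION, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure",
              0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
              0x07: "command not supported", 0x08: "address type not supported"}

def build_greeting() -> bytes:
    """VER NMETHODS METHODS: offer only 'no authentication', which is all ssh -D supports."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def build_connect(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT. Sending the name (ATYP 0x03) rather than an
    IP makes the far end of the tunnel, i.e. the campus ssh server, do the DNS lookup."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("SOCKS5 domain names must be 1..255 bytes")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def _recv_exact(conn, n: int) -> bytes:
    """Read exactly n bytes; a short read means the proxy dropped the connection."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf

def read_reply(conn) -> tuple[int, str, int]:
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT; return (rep, bound_addr, bound_port)."""
    ver, rep, _rsv, atyp = _recv_exact(conn, 4)
    if ver != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 reply (version {ver:#x})")
    if atyp == ATYP_IPV4:
        addr = str(ipaddress.IPv4Address(_recv_exact(conn, 4)))
    elif atyp == ATYP_IPV6:
        addr = str(ipaddress.IPv6Address(_recv_exact(conn, 16)))
    elif atyp == ATYP_DOMAIN:
        addr = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    (port,) = struct.unpack("!H", _recv_exact(conn, 2))
    return rep, addr, port

def socks5_connect(conn, host: str, port: int) -> tuple[str, int]:
    """Client side of the handshake over `conn` (anything with sendall/recv, e.g. a
    TCP socket to localhost:1080). Returns the proxy-side bound address on success."""
    conn.sendall(build_greeting())
    ver, method = _recv_exact(conn, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError(f"proxy did not accept no-auth SOCKS5 (ver={ver:#x}, method={method:#x})")
    conn.sendall(build_connect(host, port))
    rep, addr, bport = read_reply(conn)
    if rep != 0x00:
        raise ConnectionError(f"CONNECT {host}:{port} failed: {REPLY_TEXT.get(rep, hex(rep))}")
    return addr, bport

class FakeProxy:
    """In-memory stand-in for the ssh -D listener: records what the client sends
    and replays constructed reply bytes, so the exchange can be run offline."""
    def __init__(self, *replies: bytes):
        self.sent, self._inbox = b"", b"".join(replies)

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        chunk, self._inbox = self._inbox[:n], self._inbox[n:]
        return chunk

if __name__ == "__main__":
    # Constructed proxy replies: method 0x00 accepted, then REP 0x00 bound to 10.0.0.5:54321.
    ok = FakeProxy(b"\x05\x00", b"\x05\x00\x00\x01\x0a\x00\x00\x05\xd4\x31")
    print("bound via proxy at", socks5_connect(ok, "www.brandeis.edu", 443))
    refused = FakeProxy(b"\x05\x00", b"\x05\x05\x00\x01" + bytes(6))   # REP 0x05
    try:
        socks5_connect(refused, "www.brandeis.edu", 443)
    except ConnectionError as exc:
        print(exc)
```

Two practical points follow from the wire format. First, because the destination is sent as a name (ATYP 0x03), the lookup happens on the campus ssh server, which is what lets campus-internal hostnames resolve; an application that resolves names locally before handing the connection to the proxy will fail for those hosts (Firefox exposes the choice as “Proxy DNS when using SOCKS v5”). Second, the greeting offers only “no authentication”, which is all the `ssh -D` listener accepts, so anything that can reach the port can use the tunnel under your campus identity; `-D 1080` binds to the loopback interface by default, and that default should be kept.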
Windows
OpenSSH does not come installed with Windows, but the PuTTY client allows you to set up a SOCKS proxy with ssh. For more information, read “Using PuTTY to set up a SOCKS Proxy Connection”.