0

I'd like to access multiple different devices residing on my home network, from anywhere else in the world, using custom domain names.

I'm running a standard (commercial) router provided by my ISP, and don't have the option to change (they won't provide login info for the ADSL connection required by a third-party router).

I'm aware of how to access things like my Raspberry Pi running web services with Nginx/Apache/Reverse proxy, but would like similar functionality (access to individual devices via unique domain names) for things like SSH too. Reverse proxies typically only handle HTTP(S) traffic, so they aren't applicable for this scenario.

One comment below mentions IPv6, but how would this actually be achieved through standard commercial routers?

Matthew
  • 101

1 Answer

1

I am using wrapsrv together with SRV records, socat and the ProxyCommand ssh_config option to have different names for my internal hosts visible on the internet.

First of all you need appropriate DNAT rules on your router. Let's call it router.example.com with IP address 192.0.2.1 and the internal host will be host1.example.com with IP address 198.51.100.1 which is behind NAT.

The rule would be:

iptables -t nat -A PREROUTING -d 192.0.2.1 -p tcp --dport 2222 -j DNAT --to-destination 198.51.100.1:22

Now you need to put an SRV record for this service in external DNS:

_ssh._tcp.host1.example.com. SRV 10 0 2222 router.example.com.

Let's configure ssh to use the above mentioned record:

Host *.example.com
    ProxyCommand wrapsrv _ssh._tcp.%h socat STDIO TCP:%%h:%%p

socat can also be used, for example, to make a connection through some kind of proxy (I also exercise this option in some setups that are behind a firewall but have a SOCKS proxy available). Also, you will not be able to use the ssh -p option for this domain.

Now you may also want to add an SRV record for your router, so you don't need a specific section in ssh_config just to get to it:

_ssh._tcp.router.example.com. SRV 10 0 22 router.example.com.

As an added bonus, it makes it pretty easy to move the sshd port on the router to some other value to prevent anyone from brute forcing you too easily (yes, I know, it is advertised there, but so far I haven't seen anyone trying the ports I am advertising this way).

Tomek
  • 3,776
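
The following added example is not part of the answer above and is not wrapsrv's code. It shows the SRV-to-relay step that the ProxyCommand performs: parse the SRV answer, select a target by priority and weight, and validate the DNS-supplied host and port before they are placed into the socat address. The function names and the backup.example.com record are constructed for illustration.

```python
import random
import re

# Constructed sample in `dig +short SRV _ssh._tcp.host1.example.com` layout
# (priority weight port target); backup.example.com is hypothetical.
SAMPLE_ANSWER = """\
10 0 2222 router.example.com.
20 0 22 backup.example.com.
"""

# Hostname labels only: nothing socat could read as an address option.
_HOST_RE = re.compile(r"[A-Za-z0-9_-]{1,63}(\.[A-Za-z0-9_-]{1,63})*")

def parse_srv(text):
    """Parse SRV lines into (priority, weight, port, target); reject bad data."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed SRV line: {line!r}")
        prio, weight, port = (int(f) for f in fields[:3])  # ValueError if not numeric
        target = fields[3].rstrip(".")
        if (min(prio, weight) < 0 or max(prio, weight) > 65535
                or not 1 <= port <= 65535
                or len(target) > 253 or not _HOST_RE.fullmatch(target)):
            raise ValueError(f"unsafe SRV data: {line!r}")
        records.append((prio, weight, port, target))
    return records

def pick_target(records, rng=random):
    """Lowest priority wins; equal priorities are chosen in proportion to weight
    (a simplification of the RFC 2782 ordering)."""
    if not records:
        raise LookupError("no SRV records")
    best = min(r[0] for r in records)
    group = [r for r in records if r[0] == best]
    weights = [r[1] for r in group]
    if sum(weights) == 0:
        return rng.choice(group)
    return rng.choices(group, weights=weights, k=1)[0]

def proxy_argv(record):
    """Argument vector for the relay, meant for exec without a shell."""
    _, _, port, target = record
    return ["socat", "STDIO", f"TCP:{target}:{port}"]

if __name__ == "__main__":
    print(proxy_argv(pick_target(parse_srv(SAMPLE_ANSWER))))
```

The SRV answer decides where the TCP connection goes, so the data is treated as untrusted input here; ssh still checks the host key against the name given on the command line.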