Set up SSH tunneling for a VPS
This guide explains how to set up a secure, single-step SSH connection to a Virtual Private Server (VPS) at TU Delft using SSH tunneling. By default, connecting to a VPS requires first accessing a Bastion Host (an intermediary server controlling access), making it a two-step process. However, by using SSH tunneling and SSH keys, you can connect to your VPS and other remote hosts in a single step.
With the method described below, you will be able to connect directly from your local machine to your VPS, bypassing the need to log in to the bastion host separately. This setup also simplifies secure file transfers between your local machine and the VPS.
Prerequisites
Before starting, you need:
- A TU Delft NetID.
- Access to a VPS provided by TU Delft ICT, including a username and password.
- An SSH client installed on your local machine (usually included with most Linux and macOS distributions; for Windows, you can use a third-party SSH client like PuTTY).
- A Linux or macOS terminal
Steps for Linux and macOS
Set up SSH tunneling for a host (Linux Terminal)
- If you do not have an SSH key-pair, create one on the local machine. Go to the terminal and enter the following command. Replace
<my-keyname>with a name of your choice for the SSH key, e.g.,id_rsaorid_ed25519.
$ ssh-keygen -t ed25519 -f ~/.ssh/<my-keyname>You will be promted to crate a passphrase. We recommend you to add one to make the connection more secure. The passphrase will be asked every time you connect to the VPS. To skip the passphrase, press Enter when prompted. You should see something like this:
Generating public/private ed25519 key pair.
Enter passphrase for "ed25519" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/<my-keyname>
Your public key has been saved in ~/.ssh/<my-keyname>.pub
The key fingerprint is:
SHA256:6j06srvun06gJ5UCmD+MVq6RsPuytCO5mF4hTELnWTg root@local-machine
The key's randomart image is:
+--[ED25519 256]--+
| . ... |
|o.oEo |
|*. +. |
|=*+ . |
|o*=o+ S |
|..+=.. . |
|.+o.. o |
|*+oo.o.o. |
|B*oo*B*o.. |
+----[SHA256]-----+A private and public key will be added to ~/.ssh.
The public key is the file with the .pub extension, e.g., <my-keyname>.pub
Log in to your VPS and, copy the content of your public key into the VPS
~/.ssh/authorized_keysfile. You can achieve this by copying the content of the public key file to the clipboard and pasting it into theauthorized_keysfile on the VPS. Be mindful and not remove anything from this file, or other SSH connections might stop working. Finally, save the file.Create a new host for SSH connection. On your local machine, edit the
~/.ssh/configfile and add the following configuration. If the file does not exist, create it.
Host <host-nickname>
HostName <target-host>
User <target-username>
ProxyJump <bastion-username>@linux-bastion-ex.tudelft.nl
IdentityFile ~/.ssh/<my-keyname>Replace:
<host-nickname>: a name of your choice for the target host, e.g.,my-server.<target-host>: the actual name of the target host (FQDM), e.g,server.tudelft.nl.<target-username>: the username used to log in to the target host, usually your NetID.<bastion-username>: the username used to log in to the bastion server (often same as NetID, but keep separate in case it differs).<my-keyname>: the name of the SSH private key you created, e.g.,id_rsa. If your private key is stored in a different location, replace the path accordingly.
- Test the SSH tunneling connection. Connect to the VPS using SSH tunneling by typing the command below. Use your bastion-password when asked. This is usually the password associated with your NetID.
$ ssh <host-nickname>If you encounter problems with the connection, use the debug mode ssh -vvv <host-nickname> to find out what might have gone wrong. This command will provide detailed information about the connection process and can help you troubleshoot any issues.