How to Implement SSH Relay/Tunneling for Network Devices Using Native OpenSSH


2 views

OpenSSH's built-in tunneling functionality provides a robust way to access network devices (routers, switches, etc.) without requiring custom applications. The ssh command with proper configuration can establish secure relay connections through intermediate hosts.

The simplest method uses the -J flag for jump host connections:

ssh -J jumpserver.example.com admin@router.internal

This command first connects to jumpserver.example.com, then establishes a connection from there to router.internal.

For repeated access, configure ~/.ssh/config:

Host network-jump
    HostName jumpserver.example.com
    User myadmin
    Port 22

Host internal-router
    HostName 192.168.1.1
    User admin
    ProxyJump network-jump

Now simply run: ssh internal-router

When you need to access services behind network devices:

ssh -L 8080:router.internal:80 -J jumpserver.example.com myuser@router.internal

This forwards local port 8080 through the jump host to port 80 on the router.

For complex network topologies with multiple jumps:

ssh -J jump1.example.com,jump2.internal.net admin@core-router

Or in config:

Host core-router
    HostName 10.0.0.1
    ProxyJump jump1,jump2

To avoid storing credentials on jump hosts:

ssh -A -J jumpserver admin@router

Or in config:

Host *
    ForwardAgent yes

Common debugging techniques:

ssh -vvv -J jumpserver admin@router  # Verbose output
ssh -T -J jumpserver admin@router   # Test connection without shell

The OpenSSH suite provides built-in capabilities for creating secure relay connections through its ProxyJump feature (introduced in OpenSSH 7.3). This eliminates the need for custom applications when you need to access devices behind network boundaries.

For modern OpenSSH installations, the simplest method is using the -J flag:

ssh -J bastion.example.com admin@192.168.1.1

Where:

  • bastion.example.com is your jump host
  • 192.168.1.1 is the target network device

For regular access to network devices, add this to ~/.ssh/config:

Host cisco-switch
    HostName 192.168.1.1
    User admin
    ProxyJump bastion-user@bastion.example.com:22
    IdentityFile ~/.ssh/network-key

For complex network topologies with multiple hops:

ssh -J jump1,jump2,jump3 admin@core-router

Or in config:

Host core-router
    HostName 10.0.0.1
    ProxyJump %h@jump1,%h@jump2,%h@jump3

For systems running OpenSSH older than 7.3, use the ProxyCommand approach:

ssh -o ProxyCommand="ssh -W %h:%p bastion-host" device-ip

Here's a complete workflow for managing a Juniper switch:

# Single command access:
ssh -J ops@network-gateway.example.com admin@10.5.1.12

# Persistent configuration:
Host juniper-sw12
    HostName 10.5.1.12
    User admin 
    ProxyJump ops@network-gateway.example.com
    Port 22
    IdentitiesOnly yes
    IdentityFile ~/.ssh/juniper-key

Key authentication problems often occur when:

  • Jump host has different SSH keys than the target
  • Agent forwarding isn't properly configured
  • Network devices have strict crypto policies

Enable verbose output with -vvv to diagnose connection issues.

While convenient, SSH relays should implement:

  • Restrictive jump host permissions
  • Command restrictions on network devices
  • Session timeout controls
  • Connection logging