5G is Fast but There’s No Public IP

I’m super happy that I can finally have a broadband that does have a broad bandwidth. However like all other cellular services the 5G gateway has a private IP as its external IP, ie. everything I got is behind huge NAT servers of Optus and they will not open any port just for me.

The NBN wasn’t as fast but there was a public IP assigned to the router… Should I go back to use NBN because of this reason? I’ve done countless internet/cloud solutions, can I do one for myself? I remember when I worked on a private network behind NAT gateways I could do SSH tunneling and expose a port in the private network to outside for 3rd party partners. All I need is a virtual machine in the cloud that has a public IP. It will look like this:

       [SSH Tunnel]
[local server:192.168.1.x:80]

I need to create a SSH tunneling service between my home server and the cloud instance, then point CloudFlare DNS to the public IP of the cloud instance, that’s it! But hang on, I can’t bind to port 80 using a non-privileged user. So there’s a local port forwarding in the cloud instance to handle this:

        [SSH Tunnel]
[local server:192.168.1.x:80]

Ok let’s do it. First I created a cloud instance in Google Cloud, because it gave me $400 free credit last year and I haven’t used much yet. I opened port 80 for the instance, added my SSH public key and installed an nginx server forwarding traffic from port 80 to local port 8080. Here’s the simple nginx configuration:

# This file can be saved as /etc/nginx/site-enabled/proxy
# in the cloud instance
        listen 80;
        server_name raynix.info;
	client_max_body_size 100M;

        location / {
		proxy_pass http://localhost:8080;
		proxy_set_header Host              $host;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto https;
		proxy_set_header X-Forwarded-Host  $host;
		proxy_set_header X-Forwarded-Port  $server_port;

Don’t forget to reload nginx. Done! The next step is to create an SSH tunneling service in my home server. My home server is running Ubuntu so the service is defined with systemd syntax:

# The file can be saved as /etc/systemd/system/mytunnel.service
# in my home server
# replace the id_rsa with yours of course
Description=Setup a secure tunnel to kite server

ExecStart=/usr/bin/ssh -NT -i /home/ray/.ssh/id_rsa -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -R 8080:localhost:80 [email protected]

# Restart every >2 seconds to avoid StartLimitInterval failure


Then use the following commands to start and check the service:

$ systemctl daemon-reload
$ systemctl start mytunnel
$ systemctl status -l mytunnel

The status of the tunnel can also be verified in the cloud instance by:

$ sudo netstat -tlnp
tcp        0      0*               LISTEN      1460/sshd: ray      

By now all the dots have been connected. I can test the round trip on my laptop with:

$ curl http://35.197.x.x -H 'Host: raynix.info'
# this should print out the HTML of my blog's homepage.

The last step is to update CloudFlare DNS to send traffic to the new cloud instance. Did it work? You’re looking at the result right now 🙂

Working with a Big Corporation

So it’s been a while since I started this job in a big corporation. I always enjoy new challenges, now my wish got granted. Not in a very good way.

The things work in a quite different manner here. There are big silos and layers between teams and departments, so the challenges here are not quite technical in nature. How unexpected this is.

Still there are lots of things can be improved with technology, here’s one example. When I was migrating an old web application stack from on-premises infrastructure to AWS, the AWS landing zone has already been provisioned with a duo-VPC setup. I really really miss the days that working with Kubernetes clusters and I can just run kubectl exec -ti ... and get a terminal session quickly.

Now things look like year 2000 and I need to use SSH proxy command again, without old school static IP addresses though. Ansible dynamic inventory is quite handy in most cases but it failed due to some unknown corporate firewall rules. I still have bash, aws-cli and jq, so this is my handy bash script to connect to 1 instance of an auto scaling group, via a bastion host(they both can be rebuilt and change IP).

function get_stack_ip(){
aws ec2 describe-instances \
--fileter "Name=tag-key,Values=aws:cloudformation:stack-name" "Name=tag-value,Values=$1" \
|jq '.Reservations[] |select(.Instance[0].PrivateIpAddress != null).Instance[0].PrivateIpAddress' \
|tr -d '"'

Then it’s easy to use this function to get IPs of the bastion stack and the target stack, such as:

IP_BASTION=$(get_stack_ip bastion_stack)
IP_TARGET=$(get_stack_ip target_stack)
ssh -o ProxyCommand="ssh [email protected]_BASTION nc %h %p" [email protected]_TARGET


Don’t Need Ngrok When I Have SSH

I was trying to create a Slack app. In order to let Slack send REST requests to my dev environment, eg. http://localhost:9000, I searched a bit and saw ngrok. Ngrok is very handy for this kind of setup:

Slack -> xyz.ngrok.io -> localhost

However I just don’t want to install anything so I turned to Google and to my surprise SSH can exactly do this(for who knows how many years). I know I can forward a local port to a remote host to connect to a service behind firewall such as databases, this is my first attempt to forward a remote port to local so Slack API can contact my localhost.

Here’s a better article which explained how to do port forwarding in both directions with SSH.

In short, to forward a remote port to my localhost, I need to

1, update the sshd_config on remote host and have GatewayPorts enabled and then restart SSH service

GatewayPorts yes

2, in a local terminal, run the following command replacing my.remote.host with your server’s domain or IP.

ssh -nNT -R 9800:localhost:9000 my.remote.host

Then test it with

curl -i http://my.remote.host:9800

The request should be forwarded to your localhost:9000.


用 ssh_config 为 CLI 提速

最常用的命令, 应该是最简短的. 就好比常用的词句, 例如, 你好, 再见, 都是简短的. 惭愧的是, 我才想起来优化我的 CLI, 看来以前的工作压力还不够大 ^_^

参考(man) ssh_config, 可以把常用的 ssh 命令的参数写在 ~/.ssh/config 文件内. 最简单的格式是:

Host h1

User raymond

存盘后, 下次连接到, 只需要输入

ssh h1


ssh [email protected]

一样了. 进一步的, 可以是:

Host h1

User raymond
Port 10022
ForwardAgent yes
ProxyCommand ssh [email protected] nc -w 1 %h 22

这样输入 ssh h1 就相当于

ssh -A -o "ProxyCommand ssh [email protected] nc -w 1 %h 22" -p 10022 [email protected]

感觉赚大发了. 另外可以输入如下命令来发现自己最常用的10条命令:

history | awk '{CMD[$2]++;count++;}END { for (a in CMD)print CMD[a] " " CMD[a]/count*100 "% " a;}' | grep -v "./" | column -c3 -s " " -t | sort -nr | nl | head -n10