Forward SSH from Reverse Proxy Server through VPN to Home Server

I’m trying to set up GitLab on my home server. HTTPS is working and I can get to GitLab’s interface, but SSH is not and thus I can’t push code to the server.

Here is the setup:

Cloudflare <--> Reverse Proxy (nginx, hosted on Digital Ocean) <--- VPN ---> Untangle Firewall <--> GitLab Server (on ESXi)

If I try to SSH directly from the Reverse Proxy to the GitLab server (over VPN connection), it works perfect.

If I try to SSH from my laptop using the domain name, I get:

kex_exchange_identification: Connection closed by remote host
Connection closed by 104.31.73.156 port 2095

If I try to SSH from my laptop using the Reverse Proxy’s IP (thus cutting out Cloudflare), I get:

Bad packet length 1231976033.
ssh_dispatch_run_fatal: Connection to {{ IP }} port 2095: message authentication code incorrect

I’m currently trying to use the nginx stream module to do so, and this is the stream setup:

stream {
        upstream git-ssh {
                server {{INTERNAL GITLAB IP}}:22;
        }
        server {
                listen 2095;
                proxy_pass {{INTERNAL GITLAB IP}}:22;
                proxy_protocol on;
        }
}

The reason I have upstream git-ssh and then don’t use it was because I was wondering if that was the problem, but it makes no difference if I use it or not.

I’m not familiar with iptables, but I tried the following commands:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2095 -j DNAT --to-destination {{GITLAB IP}}:22
sudo iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 2095 -j SNAT --to-source {{PROXY IP}}

But it didn’t seem to work. ssh just sits there returning nothing and eventually times out.

I am lost now, and was hoping someone could give me pointers?

Go to Source
Author: Cody Dostal