Chaining Warpgates
Sometimes exposing a host on the network to the outside is not an option. In this case you can opt to forward connections from one Warpgate to another.
NOTE: This is fully transparent to the client (except for the double "warpgate connected" message in interactive sessions) - there are no SSH "jump hosts" involved in this setup.
Copy outer Warpgate's public key
- Run warpgate client-keys and copy the Ed25519 public key:
➜ ~ warpgate client-keys
16:55:10 INFO Using config: "/etc/warpgate.yaml" (users: 1, targets: 6, roles: 1)
Warpgate SSH client keys:
(add these to your target's authorized_hosts file)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAxxxx+3RBsT5 # <-- this line
rsa-sha2-256 AAAADHJzYS1zaGEyLTI1Ngxxxx
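Before pasting the key into the inner Warpgate, it is worth checking that the copied line is a well-formed Ed25519 key and comparing its fingerprint out of band. The following is an added example, not part of the Warpgate documentation: the function names are hypothetical and the sample key is constructed (32 counting bytes), not a real Warpgate key.

```python
import base64
import hashlib
import struct

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def extract_ed25519(output):
    """Return (key_line, sha256_fingerprint) for the one Ed25519 key in the
    text printed by `warpgate client-keys`; raise ValueError otherwise."""
    found = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "ssh-ed25519":
            found.append(fields[1])  # ignores trailing comments on the line
    if len(found) != 1:
        raise ValueError(f"expected one ssh-ed25519 line, got {len(found)}")
    blob = base64.b64decode(found[0], validate=True)
    algo, off = read_string(blob, 0)
    key, off = read_string(blob, off)
    if algo != b"ssh-ed25519" or len(key) != 32 or off != len(blob):
        raise ValueError("not a well-formed Ed25519 public key")
    # Same format as `ssh-keygen -l`: unpadded base64 of SHA-256 over the blob.
    digest = hashlib.sha256(blob).digest()
    return ("ssh-ed25519 " + found[0],
            "SHA256:" + base64.b64encode(digest).decode().rstrip("="))

# Constructed sample input, shaped like the output shown above.
SAMPLE_KEY = base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
).decode()
SAMPLE_OUTPUT = (
    '16:55:10 INFO Using config: "/etc/warpgate.yaml"\n'
    "Warpgate SSH client keys:\n"
    f"ssh-ed25519 {SAMPLE_KEY} # <-- this line\n"
    "rsa-sha2-256 AAAADHJzYS1zaGEyLTI1Ngxxxx\n"
)

if __name__ == "__main__":
    key_line, fingerprint = extract_ed25519(SAMPLE_OUTPUT)
    print(key_line)
    print(fingerprint)
```

The redacted key shown in the listing above fails this check, as would a key truncated during copy and paste.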
Set up inner Warpgate
- Add your targets as usual (in this example: inner-server).
- Add a "jump user" (here we'll be using wg-jump as a username) and add the outer Warpgate's public key as a credential.
- Check connection to the target with warpgate test-target inner-server
Set up outer Warpgate
- Add the targets on the inner network again, using the inner Warpgate's address and port, as well as the Warpgate-style username:
  - Host: <inner Warpgate's IP>
  - Port: <inner Warpgate's SSH port>
  - Username: wg-jump:inner-server
- Check your config with warpgate check.
- Check connection to the target through the inner Warpgate on the outer Warpgate with warpgate test-target inner-server
Connect
You can now grab the connection command from the landing page (or the admin UI) as usual and test it on a client:
ssh <username>:inner-server@<outer-warpgate> -p <outer-wg-port>