
SSH tunnel to browse CERN internal websites

Below are a few options for accessing web pages as if from the CERN General Public Network (GPN) while you are outside CERN.

According to CERN recommendations is to be preferred over for tunneling, as this is its only purpose while lxplus provides a fully usable environment.

Using sshuttle

sshuttle allows forwarding of specific connections through the CERN network. It requires some configuration to forward the correct connections:

# From
case $1 in
    connect)
        sshuttle --dns -v --remote 2001:1458::/32 2001:1459::/32 --daemon --pidfile /tmp/
        ;;
    disconnect)
        kill `cat /tmp/`
        ;;
    *)
        # unknown option
        echo -e "Unknown option\nUsage:"
        echo -e "\t $0 connect : to start VPN-like connection to CERN"
        echo -e "\t $0 disconnect : to stop it"
        ;;
esac

IP=`host | awk 'NR==2 {print $4}'`
echo $IP

sshuttle --dns  -x $IP --remote=$IP \
--pidfile /tmp/ --python=python \
--ssh-cmd 'ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes'

SSH tunnel through lxplus/lxtunnel


You can use the following to create an SSH tunnel through the lxplus service. This can be useful to access,,, etc.

You can use SSH to create the tunnel (in a terminal):

ssh -D 8888
ssh -D 8888

Then set localhost:8888 as the SOCKS proxy in your network configuration.

Other OS

On macOS 10.15 this is done via (System Preferences) -> Network -> Advanced -> Proxies.

It should also be easy on other operating systems, please Google :-)

Hint: Browser Plugins

To forward only certain web pages through this tunnel, you can use browser plugins like SwitchyOmega (for Chrome, Firefox), which allow manual filtering.

We often need to access our PC at CERN from the internet via 'lxplus'. To avoid running ssh twice, you can configure a new host by adding these lines to '~/.ssh/config':

Hint: One Time Command

If you only want to connect once and not change your ssh-config, you can use

ssh -J

# Using ProxyJump
Host lxtunnel
  User my_nice_username

Host office_cern
  User my_local_username
  ProxyJump lxtunnel

# Alternative: using ProxyCommand and nc
Host lxtunnel
  User my_nice_username

Host office_cern
  ProxyCommand ssh -q lxtunnel nc 22
where you have to replace my_nice_username, my_local_username and my_office_pc.

And then simply type from the terminal

ssh office_cern

In that case you first need to enter your my_nice_username and my_office_pc passwords, unless you delegate your Kerberos credentials (for more details see again CERN recommendations) and/or have public key authentication set up for your office PC.

ssh-config example

# Delegate Kerberos credentials to all things CERN
Host * lxplus lxplus? lxtunnel cs-ccr-dev? cs-ccr-optics? dev? optics?  
  User my_nice_username
  GSSAPITrustDns yes
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  ServerAliveInterval 60

# shorthands, e.g. `ssh lxplus` `ssh lxplus8`
Host lxplus? lxplus lxtunnel cs-ccr-dev? cs-ccr-optics?

# shorthands, e.g. `ssh dev3`
Host dev? optics?

# connect to office from inside GPN
Host *office_cern
  User my_local_username
  IdentityFile path_to_office_pc_private_key  # remove if not set up

# connect to office from home
Host extern_*

Then you can connect from the GPN via ssh office_cern and from home via ssh extern_office_cern.


ssh extern_dev3 will not work with this setup, as this will try to resolve

See also more info on the ssh config file.
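
The Host patterns on the block that sets GSSAPIDelegateCredentials decide which servers receive your delegated Kerberos credentials, and a bare `*` pattern matches every host you connect to. The following is an added example, not part of the original page: it models ssh_config's "first obtained value wins" rule for a config string and lists which names would get delegation. The two sample configs and the probe host git.example.org are constructed, and Match blocks are not handled.

```python
import fnmatch

# Constructed configs: BROAD reuses the wildcard Host line above, SCOPED names hosts.
BROAD = """\
Host * lxplus lxplus? lxtunnel
  User my_nice_username
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
"""
SCOPED = """\
Host lxplus lxplus? lxtunnel
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
Host *
  GSSAPIDelegateCredentials no
"""
PROBES = ["lxplus", "lxplus8", "lxtunnel", "git.example.org"]  # last: unrelated host

def parse_blocks(text):
    """Return [(patterns, options)] in file order ('Key value' lines only, no Match)."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def host_matches(host, patterns):
    """A Host line applies if some pattern matches and no '!pattern' matches."""
    hit = lambda p: fnmatch.fnmatchcase(host, p)  # '*' and '?' as in ssh_config
    if any(p.startswith("!") and hit(p[1:]) for p in patterns):
        return False
    return any(hit(p) for p in patterns if not p.startswith("!"))

def effective(option, host, text):
    """First value the file yields for `option` on `host`, or None if never set."""
    for patterns, options in parse_blocks(text):
        if option.lower() in options and host_matches(host, patterns):
            return options[option.lower()]
    return None

def delegating_hosts(text, probes=PROBES):
    """Probe names whose connection would delegate Kerberos credentials."""
    return [h for h in probes if effective("GSSAPIDelegateCredentials", h, text) == "yes"]
```

Patterns are matched against the name typed on the command line, so probe with the aliases you actually use.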