Secure Home Network Access

Secure Home Network Access via Bastion Server on GCP with Reverse SSH Tunnel

Maintaining secure and reliable access to a home network while away has become important for professionals and remote workers. A traditional VPN can itself become a risk if it is misconfigured or compromised. What is needed is a secure, scalable, and flexible way to reach home servers and devices from anywhere in the world, without giving unauthorized users a path to exploit that same access.

This project combines a bastion server on Google Cloud Platform (GCP) with a reverse SSH tunnel to build a secure connection into the home network. What distinguishes it is the integration of SMS-based authentication with dynamic allocation of firewall rules and port numbers, so that the connection remains tightly restricted and difficult to exploit. The result is a robust security layer for sensitive data on home devices, giving users confidence when they access their home network remotely.


Business Context

This project provides a secure home network connection using a GCP bastion server and a reverse SSH tunnel, activated by SMS commands. The system dynamically configures firewall rules, assigns random ports, and gates access with SSH keys and two-factor authentication (2FA) for enhanced security.


Objective

The objective of this project is to design and implement a secure connection mechanism that allows authorized users to access their home network from any location using the following components:

  1. Bastion server on GCP: Acts as the intermediary between the user and the home network and handles all external connection requests.
  2. Reverse SSH tunnel: Established from the home network out to the bastion server, so home devices can be reached securely without ever being exposed directly to the internet.
  3. SMS-triggered access control: The tunnel is opened by sending an SMS command that names the client IP address to which access should be granted. Google Cloud Pub/Sub delivers these commands for real-time handling.
  4. Cloud Functions: On receipt of the SMS, a Cloud Function configures the firewall, opens a random port on the bastion server, and grants access to the specified IP address. The randomly generated port number is then sent back to the user via SMS, so the connection port is unpredictable.
  5. SSH key-based authentication: Combined with two-factor authentication (2FA) to secure access to the home server.
  6. Dynamic firewall rules: Temporarily open access to the bastion server on a random port, minimizing the attack surface.
  7. Automation & security: Once the tunnel is established, the user can securely access the home server, with all data in transit encrypted.
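The decision logic behind steps 3, 4 and 6 (parse the SMS, validate the client address, pick a one-time port, produce the firewall rule) is shown below as an added example; it is not the project's own code. It assumes an SMS body of the form `OPEN <client-ip>`, an allowlist of sender numbers, a bastion VM tagged `bastion`, a port range of 20000-60000, and that the firewall rule is expressed as a request body for the GCP Compute API v1 `firewalls.insert` call (the call itself is not made, so the block runs offline). The home-side `ssh -R` command is also built here; how the home network learns the port is not described on the page, so that delivery path is left out.

```python
"""Decision logic of the SMS-triggered Cloud Function described above.

Added example, not the project's own code. Assumptions (none are in the
original text): the SMS body has the form "OPEN <client-ip>", only phone
numbers on an allowlist may issue commands, the bastion VM carries the
network tag "bastion", and the firewall rule is expressed as a body for the
GCP Compute API v1 `firewalls.insert` call (the call itself is not made here).
"""
import ipaddress
import re
import secrets

# Constructed allowlist of sender numbers permitted to open access.
ALLOWED_SENDERS = frozenset({"+15550000001"})

# Assumed range from which the one-time listening port is drawn.
PORT_LOW, PORT_HIGH = 20000, 60000

# Source ranges that can never be a remote client's public address; a request
# naming one of them is treated as malformed. (Documentation ranges such as
# 203.0.113.0/24 are deliberately left off so constructed samples are accepted.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

COMMAND_RE = re.compile(r"^\s*OPEN\s+(\S+)\s*$", re.IGNORECASE)


def parse_command(sms_body):
    """Return the client IPv4 address from an 'OPEN <ip>' message, else None.

    Exactly one host address is accepted: no prefixes, no IPv6, nothing from
    NON_ROUTABLE. Anything else is rejected rather than guessed at, so a
    typo can never widen the rule beyond a single /32.
    """
    match = COMMAND_RE.match(sms_body or "")
    if not match:
        return None
    try:
        ip = ipaddress.ip_address(match.group(1))
    except ValueError:          # covers "1.2.3.0/24", hostnames, junk
        return None
    if ip.version != 4 or any(ip in net for net in NON_ROUTABLE):
        return None
    return str(ip)


def random_port():
    """Pick the one-time bastion port with a CSPRNG (not random.randint)."""
    return PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW + 1)


def build_firewall_rule(client_ip, port, rule_name):
    """Compute API v1 firewall body: TCP/<port> from <client_ip>/32 to tag 'bastion'."""
    return {
        "name": rule_name,
        "network": "global/networks/default",
        "direction": "INGRESS",
        "priority": 1000,
        "allowed": [{"IPProtocol": "tcp", "ports": [str(port)]}],
        "sourceRanges": [f"{client_ip}/32"],
        "targetTags": ["bastion"],
        "description": "ephemeral SMS-granted access; delete after the session",
    }


def reverse_tunnel_command(port, bastion_host, tunnel_user):
    """Command the home side runs so the bastion listens on <port> and forwards
    to the home SSH daemon. Binding 0.0.0.0 on the remote side requires
    `GatewayPorts clientspecified` (or `yes`) in the bastion's sshd_config."""
    return (f"ssh -N -o ExitOnForwardFailure=yes "
            f"-R 0.0.0.0:{port}:localhost:22 {tunnel_user}@{bastion_host}")


def handle_sms(sender, sms_body):
    """Return (reply_text, firewall_body). firewall_body is None when nothing
    may be opened; reply_text is None when the sender should get no answer."""
    if sender not in ALLOWED_SENDERS:
        return None, None       # unknown numbers get silence, not an error
    client_ip = parse_command(sms_body)
    if client_ip is None:
        return "ERR: expected 'OPEN <public-ipv4>'", None
    port = random_port()
    rule_name = f"sms-access-{port}"
    return (f"OK: port {port} open for {client_ip}",
            build_firewall_rule(client_ip, port, rule_name))


if __name__ == "__main__":
    reply, rule = handle_sms("+15550000001", "OPEN 203.0.113.7")  # constructed input
    print(reply)
    print(rule)
    print(reverse_tunnel_command(rule["allowed"][0]["ports"][0],
                                 "bastion.example.invalid", "tunnel"))
```

Two design points worth keeping in mind when wiring this into the real function: the random port only buys unpredictability, the controls that actually gate access are the `/32` source range, the key plus 2FA on the home SSH daemon, and deleting the rule once the session ends (the text calls the rule temporary, so a scheduled cleanup of rules named `sms-access-*` is the natural complement); and the sender allowlist matters because the SMS number is the only identity the function sees before it changes the firewall.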

Together these components provide a dynamic, highly secure, and user-friendly way to reach a home network remotely: only authorized users can open a connection via SMS commands, and each session benefits from GCP's security controls and modern encryption.