DEV Community

Richard Chamberlain

Using a Jump Server and SSH ProxyJump in Your Homelab

If you're running multiple Linux servers in your homelab or a small network, having a centralized way to access them can save a lot of time and improve security. This is where a jump server—also called a bastion host—comes into play.

📚 Table of Contents

  1. Why Use a Jump Server?
  2. SSH ProxyJump: Secure Routing Through a Jump Host
  3. Setting Up the Bastion Host
  4. Connecting via SSH Jump
  5. Example SSH Configuration
  6. Security Advantages of This Setup
  7. Is This Bulletproof?
  8. Conclusion

A jump server acts as a secure gateway between your workstation and your internal systems. Instead of connecting to each server individually, you log into the jump server first, and then access other machines from there. This setup not only streamlines management but also adds a layer of security by exposing only one public-facing system instead of many.

Many homelab users also use their jump server as a lightweight repository to store scripts, configuration backups, or documentation. This keeps everything organized and accessible in one place.

While the terms are often used interchangeably, "bastion host" is more common in cloud environments like AWS or Azure, whereas "jump box" or "jump server" is often used in smaller, on-premises setups.


Why Use a Jump Server?

The main benefit is security. Rather than allowing direct SSH access to every server in your network, you only expose the jump server. All internal machines stay private and are only accessible through this single point. This limits the potential attack surface and makes it easier to monitor and control access.

It also improves operational efficiency by letting you manage all systems from one trusted point, while supporting things like key-based authentication and centralized logging.


SSH ProxyJump: Secure Routing Through a Jump Host

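To connect to internal systems via the jump server, we'll use an SSH feature called ProxyJump, which routes the connection through an intermediate host. Your workstation authenticates to the jump server and then, through that tunnel, to the internal machine, so both private keys stay on the workstation and never need to be copied to the jump server.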

To keep things clean and secure, we'll generate two SSH keys—one for the jump server and one for the internal VM:

# Key for internal VM
ssh-keygen -t ed25519 -f ~/.ssh/vm

# Key for bastion host
ssh-keygen -t ed25519 -f ~/.ssh/bastion

Using separate keys makes it easier to manage access and rotate keys if needed.


Setting Up the Bastion Host

Start with a minimal Linux install and harden it by:

  • Disabling root login via SSH.
  • Disabling password-based logins.
  • Creating a non-root user with sudo access.
  • Installing your SSH public key into ~/.ssh/authorized_keys.
  • Adding basic security tools like fail2ban or ufw.

Your bastion should sit in a DMZ or a network zone that can reach internal systems but is locked down from the public internet.
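
The SSH items in the hardening list above can be checked against the daemon's effective configuration. This added example (not code from the original post) audits `sshd -T`-style output; the function names and sample values are constructed, and it goes slightly beyond the list by also checking keyboard-interactive logins and the forwarding settings ProxyJump relies on.

```sh
#!/bin/sh
# Added example (not from the original post): audit effective sshd settings.
# Input on stdin: "keyword value" lines in the format `sshd -T` prints.

# Constructed samples, not captured from a real host.
WEAK_SSHD='permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
allowagentforwarding yes
allowtcpforwarding no'
HARDENED_SSHD='permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
allowagentforwarding no
allowtcpforwarding local'

# sshd_value KEY: first value reported for KEY in $SSHD_CFG
sshd_value() {
    printf '%s\n' "$SSHD_CFG" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# check KEY WANT REASON: WANT is a |-separated list of accepted values
check() {
    val=$(sshd_value "$1")
    case "|$2|" in
        *"|${val:-unset}|"*) echo "PASS $1 $val" ;;
        *) echo "FAIL $1 ${val:-unset} (want $2): $3"; FAILS=$((FAILS + 1)) ;;
    esac
}

# Prints one line per setting; exit status is the number of failed checks.
audit_bastion_sshd() {
    SSHD_CFG=$(cat)
    FAILS=0
    check permitrootlogin no "root must not log in over SSH"
    check passwordauthentication no "key-based logins only"
    check kbdinteractiveauthentication no "PAM prompts can still ask for a password"
    check pubkeyauthentication yes "the key in authorized_keys must be usable"
    check allowagentforwarding no "ProxyJump does not need a forwarded agent"
    check allowtcpforwarding "yes|local" "ProxyJump is carried over TCP forwarding"
    return "$FAILS"
}

# Demo on the constructed weak sample; on a real bastion: sudo sshd -T | audit_bastion_sshd
printf '%s\n' "$WEAK_SSHD" | audit_bastion_sshd || echo "$? setting(s) to fix"
```

Note the last check: a hardening guide that sets AllowTcpForwarding to no on the bastion will break ProxyJump, so that setting has to stay at yes or local on this host.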


Connecting via SSH Jump

You can quickly connect to an internal system using the -J option:

ssh -J bastion_user@bastion_ip vm_user@vm_ip

But for frequent use, configuring SSH access in ~/.ssh/config is cleaner.

Example Config Setup

File: ~/.ssh/include.d/bastion

Host bastion
    HostName 203.0.113.10
    User gateway
    IdentityFile ~/.ssh/bastion

File: ~/.ssh/include.d/vm

Include ~/.ssh/include.d/bastion
Host internal-vm
    HostName 10.0.0.20
    User admin
    ProxyJump bastion
    IdentityFile ~/.ssh/vm

Main Config: ~/.ssh/config

Include ~/.ssh/include.d/bastion
Include ~/.ssh/include.d/vm

Now, connecting is as easy as:

ssh internal-vm

Pro Tip: Organizing SSH configs with Include files makes it easier to manage multiple environments—perfect for homelabs or consulting work.


Security Advantages of This Setup

Using ProxyJump with a jump server improves security by:

  • Preventing direct access to internal systems.
  • Using different keys for different roles.
  • Allowing you to monitor and control all access from a single point.
  • Making attackers go through multiple secured layers to reach your VMs.

Is This Bulletproof?

No system is hack-proof. But this setup raises the bar significantly. An attacker would need to:

  • Access a trusted network or VPN.
  • Compromise the jump server.
  • Possess both SSH keys and know usernames and IPs.

That’s a lot harder than attacking a single exposed VM.


In short, a jump server is a smart, simple way to improve your homelab’s security and organization—especially as you scale to multiple servers or VMs.


Need Linux expertise? I help businesses streamline servers, secure infrastructure, and automate workflows. Whether you're troubleshooting, optimizing, or building from scratch—I've got you covered.

📬 Drop a comment or email me to collaborate. For more tutorials, tools, and insights, visit sebostechnology.com.
