Connecting to ARC from outside the University network

Connecting to ARC from outside the University network

Access to ARC systems is restricted to systems on the University of Oxford network.  This includes the Oxford VPN (Virtual Private Network), so for University members, use of the Oxford VPN is a recommended way to access ARC systems if you are outside the University network.

When using the Oxford VPN service is not an option, access to ARC systems from outside of the Univesity network is via our gateway machine, oscgate.arc.ox.ac.uk. If you wish to connect to this machine from outside the University network, please send a request to support@arc.ox.ac.uk providing details of the IP address(es) from which you wish to connect; the provided IP addresses will then be added to the firewall on oscgate. Having connected to oscgate, you can then SSH to the relevant ARC system you wish to use.

Logging in in a single step

As described above, logging into ARC systems via oscgate is a two-step process.  There are ways to connect in a single step.

Setting up 'automatic' tunnelling of your SSH connection through the SSH gateway involves adjusting local configuration settings on the system from which you want to connect.  There are a number of ways to set things up, but we recommend using netcat and OpenSSH's ProxyCommand option.  The example configuration below will work on most UNIX-like operating systems, including Macs, provided that OpenSSH is being used.  It will also work for Windows, but is quite tricky to get working unless you use Cygwin or similar to give you a UNIX-like environment.

A side-effect of this type of set up is that commands such as scp and rsync work as expected and the presence of oscgate can be effectively ignored.

To get things working, you will need to have generated an SSH key pair and the public key needs to be added to your ~/.ssh/authorized_keys file in your ARC home directory.

Linux and other UNIX-like operating systems

Once your SSH keys have been set up, you can modify your local SSH configuration similarly to the following.  This is normally done in the file ~/.ssh/config

## Example ~/.ssh/config
Host oscgate
    User myarcusername
    Hostname oscgate.arc.ox.ac.uk
    PreferredAuthentications publickey

Host arcus
    User myarcusername
    Hostname arcus.arc.ox.ac.uk
    PreferredAuthentications publickey
    ProxyCommand ssh oscgate nc %h %p

Replacing "myarcusername" with your own ARC username. The key thing here is the ProxyCommand setting at the very bottom. This means that when you

ssh arcus

your SSH client first opens an SSH connection to oscgate, where it runs netcat (nc), passing it the hostname and port that SSH were originally passed. This causes SSH to arcus to be tunneled via the SSH connection to oscgate, turning oscgate into an almost transparent SSH proxy.


To do the same on Windows without something like Cygwin, you will have to check whether or not your SSH client supports the ProxyCommand option. If you are using PuTTY, you should notice that it has a "proxy" tab, at the bottom of which is the "local command" box. This is where the same command as above can be placed. Transferring files is a little more involved, due to the tunnel set up. This requires extra software, such as PuTTY's plink.exe. Further details on using this with an SCP client can be found detailed on other sites around the web, such as this one.

Thanks to Southampton team of e-Infrastructure South Consortium for their excellent documentation on this method for connecting to the Iridis cluster.