To log in to a server that is not exposed to the internet we can log in to one that is on the same network but is exposed to the internet and then ssh into the private one. We’d have to do that every single time however ssh supports logging in through bastion servers automatically.

In your ~/.ssh folder create a file called config with the following content:

  Host <name of server>
    HostName <private server host>
    User <private server username>
    IdentityFile ~/.ssh/id_rsa
    ProxyCommand ssh <public server> -W %h:%p

<name of server> can be just a friendly name similar to how you can specify arbitrary host names in /etc/hosts.

<private server host> is the host of the private server relative to the public server. So, it can be the internal network IP.

<private server username> the username that you’d like to log in to on the private server.

<public server> the server that is publicly accessibly – the bastion.