Deploying Mosh in a VPC Private Subnet with a UDP Proxy
The network was silent except for the steady hum of packets moving inside the private subnet. No open ports to the world. No direct SSH. Yet you need Mosh.
Deploying Mosh in a VPC private subnet requires a proxy that can bridge the gap without breaking security policies. Mosh uses UDP, so a standard TCP bastion host won’t cut it. The deployment design starts with a proxy server placed in a public subnet. This proxy accepts client connections and forwards UDP traffic to and from Mosh servers in the private subnet.
First, isolate your application instances in the private subnet and give them only internal IP addresses. Next, run a proxy in the public subnet with strict firewall rules. The proxy listens on the UDP port range your Mosh servers are configured to use, and iptables (or an equivalent NAT/forwarding mechanism) maps each incoming packet to the correct instance inside the private network. On AWS, a lightweight EC2 instance works well as the proxy. Attach security groups that allow only your client IP ranges and exactly those UDP ports.
Mosh sessions require state tracking between client and server, so keep NAT and connection tracking enabled on the proxy. Avoid load balancers that do not preserve UDP flow state. To scale, containerize the proxy service and use an orchestration layer to spin up instances as needed. Bind the proxy to Elastic IPs so clients have stable entry points. Optionally, add authentication by placing the proxy endpoint behind WireGuard or SSH tunnels, so packets are verified before they ever reach Mosh.
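The forwarding rules the two paragraphs above describe, written out as a small dry-run generator. This is an added example, not part of the original post or of the hoop.dev deployment it advertises. It assumes a single-ENI EC2 proxy whose public-facing interface is eth0, a Mosh server at 10.0.2.15 in the private subnet, clients arriving from 203.0.113.0/24, and Mosh's default server port range of 60000 to 61000; all of those values are constructed placeholders. It also forwards TCP 22 to the same server, because a Mosh client first opens an SSH session to start mosh-server and only then switches to UDP.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the sysctl/iptables rules for a
# single-ENI proxy host in a public subnet that relays Mosh traffic to one server
# in the private subnet. All addresses below are constructed for illustration.

# A port Mosh can sensibly listen on: numeric, unprivileged, within 16 bits.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

validate_port_range() {
    is_port "$1" && is_port "$2" && [ "$1" -le "$2" ]
}

# Print the rule set for one private Mosh server.
#   $1  public-facing interface on the proxy (eth0 on a single-ENI EC2 instance)
#   $2  private IP of the Mosh server
#   $3  client CIDR allowed to reach it
#   $4 $5  first and last UDP port (mosh-server's default range is 60000-61000)
# MASQUERADE rewrites the source to the proxy's own address, so replies come back
# through the proxy and the EC2 source/destination check is never violated.
# Both MASQUERADE and the ESTABLISHED rule rely on conntrack being enabled.
mosh_proxy_rules() {
    iface=$1; target=$2; clients=$3; lo=$4; hi=$5
    validate_port_range "$lo" "$hi" || { echo "bad port range: $lo-$hi" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -p udp -s $clients --dport $lo:$hi -j DNAT --to-destination $target
iptables -t nat -A PREROUTING -i $iface -p tcp -s $clients --dport 22 -j DNAT --to-destination $target
iptables -t nat -A POSTROUTING -d $target -j MASQUERADE
iptables -A FORWARD -p udp -s $clients -d $target --dport $lo:$hi -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -p tcp -s $clients -d $target --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Apply the generated commands, stopping at the first one that fails (run as root).
mosh_proxy_apply() {
    mosh_proxy_rules "$@" | sh -e
}

# Dry run with the constructed values; use mosh_proxy_apply to install them.
mosh_proxy_rules eth0 10.0.2.15 203.0.113.0/24 60000 61000
```

The default FORWARD policy of DROP, together with the single ESTABLISHED,RELATED rule, is what limits the proxy to exactly the client range and port range the security group already allows; a second Mosh server simply gets its own DNAT and NEW rules with a disjoint port range. If idle sessions are ever dropped mid-connection, compare the conntrack UDP timeouts on the proxy against Mosh's keepalive interval before blaming the network.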
Monitoring is critical. Capture packet counts, session durations, and failed handshakes. Anomalies often indicate firewall misconfigurations or dropped UDP packets between the proxy and private subnet. Keep the proxy minimal — fewer moving parts means fewer places for latency or packet loss to creep in.
With a clean proxy-to-private-subnet setup, Mosh will deliver low-latency, persistent remote shells even over unstable networks, without exposing your private VPC resources to direct internet traffic.
Build this in minutes. See a working Mosh VPC private subnet proxy deployment live at hoop.dev.