Back to Private Connectors

Install a Private Network Connector

Use a Private Network Connector when you want ServerSpot to manage a server that is not reachable from the public internet. This is common for servers inside a VPN, VPC, office LAN, or private subnet.

The connector runs from inside your private network and opens an outbound connection to ServerSpot. Your private servers keep their private IPs, and you do not need to expose SSH publicly.

How It Works

  1. You choose a Linux host inside the private network.
  2. ServerSpot generates a connector service for that host.
  3. The service opens an outbound encrypted tunnel to ServerSpot.
  4. ServerSpot uses that tunnel when it needs to test, connect to, or manage private servers assigned to the connector.

A laptop VPN session is not enough. If your laptop joins the VPN, only your laptop can reach that network. ServerSpot can reach the private servers only while the connector service is running on a host inside the same VPN, VPC, LAN, or subnet.

What SOCKS Means

SOCKS is a proxy protocol. In plain terms, it lets ServerSpot send a connection request through the connector host instead of trying to reach your private server directly from the internet.

You do not need to configure SOCKS yourself. ServerSpot creates and manages the private SOCKS route for each connector. You only need to keep the connector service running on a machine that can reach your private servers.

Before You Start

You need:

  • A Linux host or VM inside the private network you want ServerSpot to reach.
  • sudo access on that host.
  • Outbound internet access from that host to ServerSpot.
  • The ability to install openssh-client and curl.
  • Network access from the connector host to the private servers you want to manage.

Choose a stable host that stays online. If the connector host is turned off or disconnected from the VPN, ServerSpot will not be able to reach servers behind it.

Create the Connector in ServerSpot

  1. In ServerSpot, open Servers -> Private Connectors.
  2. Click New Connector.
  3. Give the connector a name your team will recognize, such as Production VPC, Office VPN, or Staging Subnet.
  4. Save the connector.
  5. Keep the generated install instructions open. The token is shown once.

ServerSpot automatically assigns the private tunnel details. You do not need to choose ports or configure proxy addresses.

Install the Connector Service

On the Linux host inside your private network, install the required tools:

sudo apt-get update
sudo apt-get install -y openssh-client curl

Then copy the generated systemd service from ServerSpot and install it on the connector host:

# Paste the generated service from ServerSpot, then press Ctrl-D.
sudo tee /etc/systemd/system/serverspot-connector.service >/dev/null
sudo systemctl daemon-reload
sudo systemctl enable --now serverspot-connector
sudo systemctl status serverspot-connector

The generated service already includes the connector token and tunnel command. Copy it exactly as shown unless ServerSpot support tells you to change it.

Verify the Connector

  1. In ServerSpot, return to Servers -> Private Connectors.
  2. Click the health check action for the connector.
  3. Confirm the status changes to Online.
  4. If it stays offline, check the service status on the connector host:
sudo systemctl status serverspot-connector
sudo journalctl -u serverspot-connector -n 100 --no-pager

Add a Private Server

  1. In ServerSpot, create or edit a server.
  2. Choose Private Connector as the connection method.
  3. Select the connector you installed.
  4. Enter the private IP address or DNS name reachable from the connector host, for example 10.20.1.15.
  5. Add the server's SSH username, port, and authentication details.
  6. Run a connection test or open the server console.

The server address should be the address that works from the connector host, not necessarily from your laptop.

When opening the server console, normal SSH is used by default. Turn on Use private connector in the console sidebar when you want that shell session to route through the connector.

Day-to-Day Operation

  • Run one connector for each private network boundary, such as each VPC, VPN, office LAN, or subnet.
  • Keep the connector host online and connected to the private network.
  • Rotate the connector token if the generated service file or token is exposed.
  • Reinstall the service after rotating the token.
  • Monitor the connector service with systemctl or your normal host monitoring tools.
  • Firewall private servers so SSH is reachable only from trusted internal ranges, including the connector host.

Troubleshooting

  • Connector tunnel is offline: the service is not running, outbound SSH is blocked, or the connector token/service needs to be reinstalled.
  • connection refused: the private server IP or SSH port is wrong, SSH is down, or the connector host cannot reach that server.
  • host unreachable or network unreachable: the connector host is not inside the right VPN, VPC, LAN, or subnet.
  • The connector never reports activity: the connector host may not be able to reach ServerSpot over HTTPS.
  • Console works from your laptop but not through ServerSpot: test from the connector host itself, because that is the network path ServerSpot uses.