IPM Network Access Setup

Step-by-step guide to connect via SSH or VPN.

IPM network access
How would you like to connect?
Select the type of access you have been granted to get started with the appropriate setup guide.
Not sure what SSH, SOCKS proxy, or VPN mean, or do you have privacy concerns? The "How it works" reference explains every concept in plain language before you start.
What OS is your IPM machine running?
This is the workstation inside the IPM network that you will be connecting to.
Enable the SSH server on the IPM Windows machine
Run the following commands in PowerShell as Administrator on the IPM machine.
  1. Open PowerShell as Administrator — right-click the Start menu and choose Windows PowerShell (Admin).
  2. Install the OpenSSH Server feature. This may take a few minutes:
     Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
  3. Start the SSH service and configure it to launch automatically on boot:
     Start-Service sshd
     Set-Service -Name sshd -StartupType Automatic
  4. Allow incoming SSH connections through the Windows Firewall:
     New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
  5. Find the machine's IP address — you will need it in the next steps:
     ipconfig
     Look for the IPv4 Address listed under your active network adapter and write it down.
  6. Find the machine's username — you will also need this later:
     whoami
Next, set up your personal device.
Enable the SSH server on the IPM Linux machine
Most Linux distributions include OpenSSH by default. Follow the steps below to install and enable it.
  1. Install OpenSSH:
     sudo apt update && sudo apt install ssh
  2. Start the SSH service and enable it on boot (on Debian and Ubuntu, which use apt, the service unit is named ssh):
     sudo systemctl enable --now ssh
  3. Find the machine's IP address:
     hostname -I
  4. Find the machine's username:
     whoami
Next, set up your personal device.
Reference
How it works

Every concept used in the setup guide is explained here — starting from the basics.

IP addresses and ports — what they are [basics]

Every device connected to a network has an IP address — a number that uniquely identifies it on that network, like a postal address for computers. A typical IP address looks like 192.168.1.45.

A port is a numbered door on a device. A single computer can run many programs at once, each listening on a different port number. When you connect to something, you connect to an IP address and a port. For example, websites are usually on port 80 (plain) or 443 (secure), and SSH is on port 22 by default.

Analogy: The IP address is the building's street address. The port is the apartment number inside. You need both to reach the right place.

When you see localhost:1337 in the guide, it means "this device" (localhost) at port 1337 — a door that SSH opens on your own computer for the tunnel.

SSH — what it is and why we use it [basics]

SSH (Secure Shell) is a way to control a remote computer over a network, as if you were sitting in front of it. Everything traveling between your device and the remote machine is encrypted — nobody intercepting the connection can read what's being sent.

Analogy: SSH is like a secure phone call to another computer. You type commands and the computer responds, but the line is scrambled so anyone listening hears nothing useful.

In this setup SSH does two things at once: it logs you into the IPM machine, and it also creates an encrypted tunnel through which all your other apps' traffic can travel.

Privacy: All traffic inside the SSH tunnel is encrypted between your device and the IPM machine. The network between you and the IPM machine sees only that an SSH connection exists — not what is inside it.

SOCKS proxy — routing your apps through the tunnel [basics]

A proxy is a middleman. Instead of your app connecting directly to a website, it sends the request to the proxy, which forwards it on your behalf. A SOCKS proxy is a general-purpose proxy that works with any kind of traffic — web, messaging, email, anything.

When SSH starts with -D 1337, it opens a SOCKS proxy on your device at port 1337. Any app you point at localhost:1337 will have its traffic carried through the SSH tunnel to the IPM network, and appear to come from there.

Analogy: A SOCKS proxy is like handing your letter to a colleague who is already inside a secure building. They post it from inside, so the envelope shows the building's address — not yours.

Privacy: Websites you visit see the IPM machine's IP address, not your home or office IP. Your ISP only sees an encrypted SSH connection — not the sites you visit.

Dynamic forwarding — what -D 1337 does [basics]

The -D 1337 flag tells SSH to open a dynamic port forward on your local machine at port 1337. "Dynamic" means it can forward to any destination — not just one fixed address.

This is different from a static forward like -L 8080:someserver:80, which only reaches one specific server. The dynamic forward acts as a full SOCKS proxy that routes wherever the app wants to go, but sends all traffic through the SSH tunnel.

The number 1337 is just an arbitrary choice — any unused port above 1024 would work. It must match whatever you enter in Proxifier, your browser, or your system proxy settings.

Jump host — the -J flag [cluster]

The IPM workstation sits on a private network and has no direct internet address. The cluster gateway is a publicly reachable server that acts as a stepping stone into that private network.

The -J flag (ProxyJump) tells SSH to first connect to the gateway, then use that encrypted connection to hop to the IPM machine. This all happens in one command — SSH handles both hops automatically.

Your device → SSH → Cluster gateway (public) → SSH hop → IPM machine (private)

VPN users skip this because the VPN already places them inside the private network, so the IPM machine is directly reachable.
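
The two connection paths and the -D 1337 listener described above, as an added example that is not part of the original guide: tunnel_cmd prints the ssh command for the cluster and VPN paths, and socks_scope checks from `ss -ltn` output that the proxy port is reachable only from your own device. The host and user names, the explicit 127.0.0.1 bind and ExitOnForwardFailure are assumptions added here.

```shell
#!/bin/sh
# Added example. Host and user names are placeholders, not IPM values.
SOCKS_PORT=1337

# Print the ssh command for one access path.
#   tunnel_cmd cluster <user@ipm-host> <user@gateway>   (hop via -J)
#   tunnel_cmd vpn     <user@ipm-host>                  (no -J needed)
# The explicit 127.0.0.1 bind and ExitOnForwardFailure are added hardening:
# the proxy stays on loopback and ssh exits if port 1337 cannot be opened.
tunnel_cmd() {
    path=$1 target=$2 jump=${3:-}
    base="ssh -D 127.0.0.1:$SOCKS_PORT -o ExitOnForwardFailure=yes"
    case $path in
        cluster)
            [ -n "$jump" ] || { echo "cluster path needs a gateway" >&2; return 2; }
            echo "$base -J $jump $target" ;;
        vpn) echo "$base $target" ;;
        *)   echo "unknown path: $path" >&2; return 2 ;;
    esac
}

# Classify the SOCKS listener from `ss -ltn` output on stdin (Linux).
#   loopback = only this device can use the proxy
#   exposed  = bound to a non-loopback address, so other hosts on the
#              local network could send traffic through the tunnel
#   absent   = nothing is listening, the tunnel is not up
socks_scope() {
    awk -v port="$SOCKS_PORT" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") lo = 1
            else ex = 1
        }
        END { print (ex ? "exposed" : (lo ? "loopback" : "absent")) }'
}

# Constructed samples of `ss -ltn` output, so the check runs offline.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1337     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:1337       0.0.0.0:*'

tunnel_cmd cluster alice@ipm-ws.example alice@gateway.example
printf '%s\n' "$SAMPLE_OK" | socks_scope
printf '%s\n' "$SAMPLE_EXPOSED" | socks_scope
```

On a live Linux device, run `ss -ltn | socks_scope` after the tunnel is up; a result of exposed means the listener was bound beyond loopback and should be restarted with the loopback bind.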

VPN — what it does and why we still need SSH [vpn]

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a remote network. Once connected, your device behaves as if it is physically inside the IPM office — it gets an internal IP address and can reach machines that aren't accessible from the internet.

Analogy: The VPN is like a very long ethernet cable stretched from your home to the IPM office. While it's plugged in, your laptop is logically on the office network.

The VPN gets you into the network. But to route all your apps' traffic through the IPM machine's internet connection (so websites see IPM's IP), you still open an SSH tunnel with -D 1337 to create the SOCKS proxy — without the -J jump, since you're already inside.

Privacy: The VPN encrypts all traffic between your device and the IPM gateway. Your ISP sees only that you're connected to a VPN server. However, the VPN operator (IPM) can see your traffic once it exits their network — just as any network administrator can.

L2TP / SSTP — VPN protocol types [vpn]

These are two different methods for building the VPN tunnel. They differ in how they wrap and encrypt your traffic:

L2TP over IPsec — built into Windows and macOS natively. Uses a shared secret (the word vpn in this setup) as a machine-level password alongside your username and password.

SSTP — sends VPN traffic wrapped inside HTTPS (port 443), which makes it look like normal web traffic. Very firewall-friendly and Windows-native.

You don't need to understand the internals — use whichever one you were given credentials for. Both result in being inside the IPM network.

CA certificate — why you install it on Android [vpn]

A CA (Certificate Authority) is a trusted body that vouches for the identity of servers. The IPM VPN server proves its identity with a certificate signed by IPM's own internal CA — an authority your phone has never heard of.

Installing the CA certificate teaches your phone to trust that authority. Without it, the phone refuses the connection because it cannot verify the server is genuine.

Analogy: It's like adding a new country to the list of nations whose passports your border control accepts.

Privacy note: Only install CA certificates from sources you fully trust. In this case it comes from IPM for use with their VPN only.

Proxifier — routing all Windows apps at once [tool]

Most apps don't know how to speak to a SOCKS proxy — they just open connections directly. Proxifier intercepts all outgoing connections from every app on your system and quietly reroutes them through the SOCKS proxy that SSH opened on port 1337.

This means you don't have to configure Chrome, Telegram, Outlook, or any other app individually — Proxifier handles all of them at once.

Analogy: Proxifier is like a traffic officer at the exit of your building who stops every vehicle and redirects it through a specific tunnel before it reaches the main road.

Important: Proxifier must be fully closed before you run the SSH command, and only launched after the tunnel is established. If Proxifier is open first, it tries to send the SSH connection itself through the (not yet running) proxy, causing a loop.

Privacy: Proxifier routes your traffic through the IPM network. IPM's network administrators can see your activity in the same way they would if you were on their office network.

ConnectBot — SSH client for Android [tool]

Android has no built-in SSH client, so ConnectBot fills that role. It connects to remote machines over SSH and can also create port forwards — including the dynamic SOCKS forward that replaces -D 1337 in a terminal command.

In the cluster path, you set up two hosts in ConnectBot (the gateway and the IPM machine) and create port forwards on each. In the VPN path, ConnectBot connects directly to the IPM machine after OpenSSTP Client establishes the VPN.

SocksTun — routing selected Android apps [tool]

SocksTun is the Android equivalent of Proxifier — it routes apps through the SOCKS proxy that ConnectBot creates. Android does not allow a single app to intercept all system traffic, so SocksTun lets you choose which specific apps to route through the tunnel.

Privacy: Only the apps you explicitly select in SocksTun are routed through the IPM network. Other apps remain on your regular connection.

OpenSSTP Client — VPN app for Android [tool]

Android's built-in VPN support doesn't include SSTP. OpenSSTP Client adds SSTP support, allowing your Android phone to connect to the IPM VPN server the same way a Windows PC would.

Once connected, you are inside the IPM network, and ConnectBot can then SSH directly to the IPM machine without a jump host.

Who can see what — the full picture [privacy]

Your ISP: Sees an encrypted SSH or VPN connection. Cannot see what's inside, which sites you visit, or what data you send.

Public Wi-Fi: Sees the same — an encrypted connection to a known server.

IPM network administrators: Can see your traffic after it exits the IPM machine, the same way as any office network admin.

Websites you visit: See the IPM machine's IP address, not your personal IP.

This setup is designed for accessing the IPM network — not for general anonymization. It is not a substitute for a privacy-focused VPN service.

Third-party apps — what they can access [privacy]

None of these tools are "cloud" services — they are local software that you configure to connect to IPM's servers directly. No third-party company sits in the middle of your connection.

  • ConnectBot — open source, stores only connection settings. Does not transmit data to its developers.
  • SocksTun — routes selected apps through the proxy. Does not log or transmit your traffic.
  • OpenSSTP Client — connects you to the VPN. The connection is between your device and IPM's server only.
  • Proxifier — a commercial Windows tool. Routes traffic locally. Does not send your traffic to Proxifier's servers.

Full flow — cluster path [summary]

1. Your device → SSH → Cluster gateway → hop → IPM workstation
2. Proxifier intercepts all apps → port 1337 (SOCKS)
3. SSH tunnel carries that traffic → IPM network
4. IPM machine sends it to → the internet

Websites see the IPM machine's IP. Your ISP sees only an encrypted SSH connection to the cluster gateway.

Full flow — VPN path [summary]

1. Connect VPN → you're inside → IPM network
2. SSH direct to IPM machine → no jump host needed
3. -D 1337 opens SOCKS → Proxifier routes apps

The VPN replaces the jump host. Everything else works exactly the same way.