SSH – Remote Port Forward Works on TCP/1194 but Not on TCP/443


I am having a weird issue.

I brought up a new Linode to act as a tunnelling endpoint.

I was able to successfully remote forward port 1194, so now connections to linode-server@1194 successfully reach my machine's port 1194, and I am able to connect to my VPN by connecting to port 1194 on my linode-server.

The below command is what I used (the one that works):

ssh -N -R 1194:localhost:1194 [email protected]

Now I want to port forward 443 as well. I tried this:

ssh -N -R 443: [email protected]

My local server is listening on on purpose (not localhost).

However, the above command fails to open port 443 on the server. I get the below error:

Warning: remote port forwarding failed for listen port 443

So I checked on my linode-server whether anything is running on port 443. Nothing is:

user@linode-server:~$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0  *               LISTEN      7438/sshd: user       
tcp        0      0 *               LISTEN      411/systemd-resolve 
tcp        0      0    *               LISTEN      2377/sshd: /usr/sbi 
tcp        0      0    *               LISTEN      1513/master         
tcp6       0      0 :::1194                 :::*                    LISTEN      7438/sshd: user       
tcp6       0      0 :::22                   :::*                    LISTEN      2377/sshd: /usr/sbi 
tcp6       0      0 :::25                   :::*                    LISTEN      1513/master         
udp        0      0 *                           411/systemd-resolve 

There is no software firewall on the server, and even with the Linode cloud firewall switched off, I still can't do it.

I have absolutely no idea why forwarding 443 is not working.

P.S. – user authentication is working just fine while creating the tunnel.

I am not sure whether this will help, but my sshd_config looks like this:

user@linode-server:~$ cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
GatewayPorts yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem   sftp    /usr/lib/openssh/sftp-server

And to clarify, there is nothing in /etc/ssh/sshd_config.d/

Verbose logging from sshd on linode-server:

Aug 14 09:00:32 connect sshd[9499]: Postponed publickey for pi from *HIDDEN: My home public IP* port 49180 ssh2 [preauth]
Aug 14 09:00:32 connect sshd[9499]: Accepted key RSA *HIDDEN* found at /home/pi/.ssh/authorized_keys:1
Aug 14 09:00:32 connect sshd[9499]: Accepted publickey for pi from *HIDDEN: My home public IP* port 49180 ssh2: RSA *HIDDEN* 
Aug 14 09:00:32 connect sshd[9499]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Aug 14 09:00:32 connect systemd-logind[578]: New session 157 of user pi.
Aug 14 09:00:32 connect sshd[9499]: User child is on pid 9579
Aug 14 09:00:32 connect sshd[9579]: bind []:443: Permission denied
Aug 14 09:00:32 connect sshd[9579]: error: bind [::]:443: Permission denied
Aug 14 09:00:32 connect sshd[9579]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 443

Why is permission denied? The remote forwarding command I used above uses the same user (for both the successful and failed tunnel).

Just found here that it might be because 443 is a privileged port. Now, I do not want to use the root user to enable remote forwarding on 443. I have locked down the linode-server and can't log in as root (and I don't want to allow root login). As per the above link, I can use setcap on the linode-server, but how do I do it, since the tunnel open command is actually run from my local machine? What are my alternatives? I know that using a higher port on the linode-server will probably work, but I don't want to do that. I would really like it to be port 443 so I don't need to remember the port.

Best Answer

On the local server, I initiated the remote port forward from port 8080 instead (a non-privileged port):

ssh -N -R 8080: [email protected]

On the linode-server, I installed a tool called socat and used the below command to locally forward from 8080 to 443 on the linode-server, and it works now :)

sudo socat TCP-LISTEN:443,fork TCP:
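The accepted answer's pattern, as an added example that is not part of the original question or answer: a small POSIX sh helper that refuses a privileged tunnel port (the cause of the "bind [::]:443: Permission denied" lines above), builds the client-side ssh -R command and the server-side socat relay, and extracts the failing port from an sshd log excerpt. It assumes GatewayPorts yes as in the posted sshd_config, that socat on the server relays to 127.0.0.1:8080 (the answer's socat destination is not visible on the page), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes GatewayPorts yes on
# the server and socat installed there; 127.0.0.1:8080 as relay target is an
# assumption.

# True (0) when a TCP port needs root or CAP_NET_BIND_SERVICE to bind on Linux.
is_privileged_port() {
    [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]
}

# Client side: -R TUNNEL_PORT:LOCAL_ADDR:LOCAL_PORT. sshd binds TUNNEL_PORT as
# the login user ("User child is on pid ..." in the log), so a privileged
# port is refused here instead of failing with "Permission denied" later.
ssh_forward_cmd() {
    tunnel_port=$1; local_addr=$2; local_port=$3; target=$4
    if is_privileged_port "$tunnel_port"; then
        echo "error: tunnel port $tunnel_port is privileged; use one >= 1024" >&2
        return 1
    fi
    printf 'ssh -N -R %s:%s:%s %s\n' "$tunnel_port" "$local_addr" "$local_port" "$target"
}

# Server side: root-run socat owns the privileged listener on PUBLIC_PORT and
# hands each connection (fork = one child per client) to the ssh listener on
# the loopback address. Note: with GatewayPorts yes the ssh listener itself is
# bound to the wildcard address, so TUNNEL_PORT is reachable from outside too;
# GatewayPorts clientspecified plus "-R 127.0.0.1:8080:..." keeps it local.
socat_relay_cmd() {
    public_port=$1; tunnel_port=$2
    printf 'sudo socat TCP-LISTEN:%s,fork,reuseaddr TCP:127.0.0.1:%s\n' \
        "$public_port" "$tunnel_port"
}

# Diagnostic: read sshd log lines on stdin, print the port whose remote
# forward listener could not be set up (empty output if none).
failed_bind_port() {
    sed -n 's/.*cannot listen to port: \([0-9][0-9]*\).*/\1/p' | head -n 1
}
```

Run the server-side command under sudo only for the relay; the ssh session and the forwarded listener on 8080 stay unprivileged.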