SSH Tunnel with Keys – Step-by-Step Guide

sshssh-tunnel

Port 9999 on a remote server needs to be accessed through an SSH tunnel at local port 9990 to avoid firewalls.

I am using this command to SSH tunnel:

ssh -N -i share.pem -L 9990:`ecshare`:9999 ubuntu@`ecshare`

where ecmy contains the ec2 instance's ip.
As a baseline, I can ssh and get a remote shell with this command:

ssh -i share.pem ubuntu@`ecshare`

But, when I try this on the local prompt:

curl -i -X GET http://localhost:9990

I get this on the shell where the tunnel was started:

channel 2: open failed: connect failed: Connection refused

When I try this command on the remote shell:

curl -i -X GET http://localhost:9999

… I get a response from the server.

Why is connection being refused?

Best Answer

Despite the authentication method used, SSH tunneling works the same way. The problem here is not about using public key authentication but understanding the basics of How to Use SSH Tunneling.

Your -L 9990:example.com:9999 connects to the public network interface on the remote side while you connect to localhost:9999 in your curl test. The firewall you mentioned you need to avoid is probably on the remote side, preventing you to use http://example.com:9999/ in the first place.

You should use -L 9990:localhost:9999 instead to make it use local loopback.

This diagram visualizes your situation. The -L [ bind_address:]port:host:hostport...

...works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Ssh – Connection refused in ssh tunnel to apache forward proxy setup

I agree with CanOfSpam3 that using -D8080 is a better option then setting up a proxy with Apache. However, to answer your question, I would guess you have missed the Listen line in Apache to listen to port 8080 in addition to the usual ones. <VirtualHost> alone does not make Apache listen to the IP:Port mentioned, you also need to ask Apache to listen on that with Listen. Here's the reference from Apache

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

Ssh – Connection refused in ssh tunnel to apache forward proxy setup

Related Topic