Ssh – port forwarding with socks over proxy


I am trying to browse a wiki that runs on a server inside one domain from another domain.
The wiki is accessible only on the LAN, but I need to browse it from another LAN to which I connect with an SSH tunnel …

Here is my setup and the steps I did so far:

~/.ssh/config on wikihost:

Host gateway
  User kisteuser
  Port 443
  Hostname gateway.companydomain.com
  ProxyCommand /home/myuser/bin/ssh-https-tunnel %h %p
  # ssh-https-tunnel:
  # http://ttcplinux.sourceforge.net/tools/stunnel
  Protocol 2
  IdentityFile ~/.ssh/key_dsa
  LocalForward 11069 localhost:11069

Host server1
  User kisteuser
  Hostname localhost
  Port 11069
  LocalForward 8022 server1:22
  LocalForward 17001 server1:7100
  LocalForward 8080 www-proxy:3128
  RemoteForward 11069 localhost:22

from wikihost

myuser@wikihost: ssh -XC -t gateway.companydomain.com ssh -L11069:localhost:22 server1

on another terminal:

ssh gateway.companydomain.com

Now, on my companydomain I would like to start firefox and browse the wiki on wikihost.
I did:

kisteuser@kiste.companydomain.com ~ $ ssh gateway
Have a lot of fun...
kisteuser@gateway ~ $ ssh -D 8383 localhost
user@localhost's password: 
user@wikiserver:~> 

My .ssh/config on that side looks like this:

host server1
    localforward 11069 localhost:11069

host localhost
    user myuser
    port 11069

host wikiserver
    forwardagent yes
    user myuser
    port 11069
    hostname localhost 

Now, I started firefox on the server called gateway, and edited the proxy settings to use SOCKSv5, specifying that the proxy should be gateway and use the port 8383…

kisteuser@gateway ~ $ LANG=C firefox -P --no-remote

And now I get the following error popping up in the terminal of wikiserver:

myuser@wikiserver:~> channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused

Confused? Me too …

Please help me understand how to properly build the tunnels and browse the wiki over SOCKS protocol.

update:

I managed to browse the wiki on wikiserver with the following changes:

host wikiserver
    forwardagent yes
    user myuser
    port 11069
    hostname localhost 
    localforward 8339 localhost:8443

Now when I ssh gateway I launch Firefox and go to localhost:8339 and I hit the start page of the wiki, which is served on Port 8443.

Now I ask myself: is SOCKS really needed? Can someone elaborate on that?

Best Answer

To set up SOCKS the way you want, you need to run the ssh -D 8383 command on the machine where you want to run your browser, and make it connect to a machine that has access to the wiki. You should also use localhost:8383 as the proxy address, because ssh -D by default listens only on localhost, as the man page says:

By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address

So, if gateway has access to wikihost, but you want to run your browser on kiste, you should run firefox on kiste, configure it with "localhost:8383" as SOCKS proxy, and also run ssh -D 8383 gateway from kiste.

A few other notes to keep in mind:

Try running all the ssh commands with -v. This will show you all the forwards that are being requested and you'll be able to see which one exactly is failing.

I would also recommend taking out the tunnels that you do not really need, just to make the situation less confusing.

The error message that you are seeing is triggered when something tries to connect to one end of a static SSH tunnel (one you create with -L or -R) but SSH is unable to connect to the other end of the tunnel.
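
An added example, not part of the answer above and not OpenSSH code: a small Python probe that speaks the SOCKS5 greeting and CONNECT request (RFC 1928) to a listener such as the one ssh -D 8383 gateway opens on localhost, so the proxy end of the tunnel can be checked before Firefox is involved. The script name socksprobe.py, the function names and the wikihost/8443 target in the usage comment are assumptions based on the question's setup.

```python
"""Probe a SOCKS5 listener such as the one `ssh -D 8383 gateway` opens."""
import socket
import struct
import sys

# REP codes from RFC 1928, section 6
REPLIES = {0: "succeeded", 1: "general SOCKS server failure",
           2: "connection not allowed", 3: "network unreachable",
           4: "host unreachable", 5: "connection refused",
           6: "TTL expired", 7: "command not supported",
           8: "address type not supported"}

def connect_request(host, port):
    """CONNECT with ATYP=3 (domain name), so the far end resolves the name."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def read_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_connect(sock, host, port):
    """Run greeting + CONNECT on an open socket; return the reply as text."""
    sock.sendall(b"\x05\x01\x00")             # version 5, one method: no auth
    ver, method = read_exact(sock, 2)
    if ver != 5 or method != 0:
        return "not a no-auth SOCKS5 listener"
    sock.sendall(connect_request(host, port))
    ver, rep, _rsv, _atyp = read_exact(sock, 4)  # bound address is not needed
    return REPLIES.get(rep, "unknown reply %d" % rep)

def probe(proxy_port, host, port, proxy_host="127.0.0.1"):
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=5) as s:
            return socks5_connect(s, host, port)
    except OSError as exc:                    # refused, timed out, closed early
        return "cannot use proxy at %s:%d: %s" % (proxy_host, proxy_port, exc)

if __name__ == "__main__":
    # Assumed usage: python3 socksprobe.py 8383 wikihost 8443
    print(probe(int(sys.argv[1]), sys.argv[2], int(sys.argv[3])))
```

A "cannot use proxy" result on the browser's machine means nothing is listening on that local port there. A "succeeded" reply only confirms that a SOCKS5 listener accepted the request; whether the far end reached the wiki is still best read from the ssh -v output.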
