Ssh – ssh tunnel and reverse ssh tunnel in one connection


I am currently using .ssh/config to store my office's network:

Host office
    Hostname office.company.com
    Port 22222
    User hobbes3

To connect to a remote office Postgres database, I need to SSH to the office server and then jump to the office database, so I use SSH tunneling like this:

ssh -L 5433:db:5432 office

(I use port 5433 since I already have a local Postgres database installed on my machine)

(And db is the resolved hostname of the database server on the office network)

I also use Xdebug for PHP debugging, so my local machine is listening on port 9000. Therefore I use reverse SSH tunneling like this:

ssh -R 9000:localhost:9000 office

But that means I need to have 2 terminals open, and I tried to combine the two commands into one like this:

ssh -L 5433:db:5432 -R 9000:localhost:9000 office

(I know I can use xdebug.remote_host to connect directly to my local machine's public IP, but I wanted to use tunneling so I can work at the office or at home under two different IPs)

but that only half worked (the -L tunnel worked, but the -R didn't).

Can I have both regular and reverse SSH tunneling in one command? And if so, what did I do wrong? Thanks in advance!

Best Answer

It's perfectly legal to use both straight and reverse port forwarding in the same tunnel. You can even repeat each option to set up multiple port forwardings.

I'm sure your problem there is a bit different: you want to forward port 9000, which is for X connections, and your approach most likely clashes with two more related security mechanisms: the X server's own authorization and SSH's own X-forwarding control. If you only aim to run X apps through the SSH client, then you don't need to tunnel X ports manually. Instead, configure both your SSH server and client to establish X forwarding with this configuration:

1) On the SSH server, set the line "X11Forwarding yes" in /etc/ssh/sshd_config (don't forget to restart sshd)

2) On the client side, either use the explicit -X option for ssh or, alternatively, add the line "ForwardX11" to your .ssh/config for the connected host. The command would be just like this:

ssh -X -L 5433:db:5432 office

which must set up X forwarding by agreement between all the X control mechanisms.
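
The two forwards from the question, kept in one connection through .ssh/config instead of the command line. This is an added example, not part of the original question or answer. The alias name `office-dev` is made up for it; the host, port, user and forwarded ports are the ones from the question.

```sshconfig
# Separate alias (hypothetical name) so that an ordinary "ssh office" login
# does not try to bind the same ports a second time.
Host office-dev
    HostName office.company.com
    Port 22222
    User hobbes3

    # Equivalent of -L 5433:db:5432. The explicit "localhost" bind address
    # keeps the listener on the client's loopback interface only.
    LocalForward localhost:5433 db:5432

    # Equivalent of -R 9000:localhost:9000. The listener is opened on the
    # office server's loopback interface; any local user on that server can
    # connect to it, so the debugger port is exposed to them as well.
    RemoteForward localhost:9000 localhost:9000

    # Terminate the connection if any requested forward cannot be set up,
    # instead of carrying on with only some of the tunnels working.
    ExitOnForwardFailure yes
```

Running `ssh -N office-dev` opens both tunnels without starting a remote shell. With `ExitOnForwardFailure yes`, a forward the server cannot set up (for example because the listen port is already taken there) ends the connection with an error rather than a warning that is easy to miss.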